4.4 Configuration and Asset Management Policy
Purpose and Scope
This Configuration and Asset Management Policy provides procedures supporting effective organizational asset management, specifically focused on electronic devices within the organization and baseline configurations for Sord assets and systems.
From time to time, Sord may update this policy and implement different levels of security controls for different information assets, based on risk and other considerations. This policy is guided by security requirements specific to Sord including applicable laws and regulations.
This policy applies to all Sord assets utilized by personnel acting on behalf of Sord or accessing its applications, infrastructure, systems or data. All personnel are required to read, accept and follow all Sord policies and plans.
Configuration Standards
Production systems handling confidential data must have documented baseline configurations. Sord management is responsible for creating and implementing documented standard configurations for all applicable assets, including third-party cloud products and employee devices.
Each applicable asset and system in the Sord environment should be hardened to the minimum standards defined by Sord management.
Hardening standards should be in line with industry standards and provide sufficient logical and physical security for the asset(s) being configured.
Minimum Device Configuration Settings
Minimum settings for Sord-managed devices:
Enable full-disk encryption such as FileVault (macOS) or BitLocker (Windows)
Require OS updates to be installed
Require automatic software updates
Require anti-virus / anti-malware such as XProtect (macOS), Defender (Windows), or ClamAV (Linux)
Start the screensaver / lock screen after no more than 15 minutes of inactivity
Passwords must align with the Sord password policy requirements:
Require an alphanumeric / complex password
Minimum password length: 8 characters
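The settings above are only useful if something checks them. The following Python script is an added example (not part of the Sord policy or any Sord tooling) that evaluates endpoint records against this baseline. The device records are constructed to resemble an MDM or endpoint-agent export; their field names are assumptions, and the embedded tool output is sample text in the format printed by `fdesetup status`, `manage-bde -status`, and `lsblk -o TYPE`. It also handles the edge case a naive check misses: macOS reports a screensaver idle time of 0 when the lock is disabled, which must count as a violation rather than as "lock immediately".

```python
"""Check endpoint settings against the minimum device configuration baseline.

Added example, not Sord policy text or Sord tooling. Device records are
constructed; field names are assumptions about what an MDM export would carry.
"""
import re

MAX_LOCK_SECONDS = 15 * 60          # lock screen after at most 15 minutes
MIN_PASSWORD_LENGTH = 8
APPROVED_AV = {                     # approved anti-malware products per platform
    "macos": {"XProtect"},
    "windows": {"Defender"},
    "linux": {"ClamAV"},
}


def disk_encryption_on(os_name: str, raw: str) -> bool:
    """Parse native tool output: `fdesetup status` (macOS), `manage-bde -status C:`
    (Windows) and `lsblk -o TYPE` (Linux, where a 'crypt' row is a LUKS mapping)."""
    text = raw.strip()
    if os_name == "macos":
        return text.startswith("FileVault is On")
    if os_name == "windows":
        m = re.search(r"Protection Status:\s*Protection (On|Off)", text)
        return bool(m and m.group(1) == "On")
    if os_name == "linux":
        return any(line.strip() == "crypt" for line in text.splitlines())
    return False


def check_device(rec: dict) -> list:
    """Return the baseline violations for one device record (empty list = compliant)."""
    findings = []
    os_name = rec["os"]
    if not disk_encryption_on(os_name, rec["disk_encryption_output"]):
        findings.append("disk encryption not enabled")
    if not rec["os_updates_required"]:
        findings.append("OS updates not enforced")
    if not rec["auto_software_updates"]:
        findings.append("automatic software updates disabled")
    if not APPROVED_AV.get(os_name, set()) & set(rec["av_products"]):
        findings.append("no approved anti-malware product present")
    # macOS reports idleTime 0 for "never"; 0 is a violation, not an instant lock.
    lock = rec["lock_after_seconds"]
    if lock == 0 or lock > MAX_LOCK_SECONDS:
        findings.append(f"screen lock after {lock}s exceeds {MAX_LOCK_SECONDS}s maximum")
    pw = rec["password_policy"]
    if pw["min_length"] < MIN_PASSWORD_LENGTH:
        findings.append(f"minimum password length {pw['min_length']} below {MIN_PASSWORD_LENGTH}")
    if not pw["requires_complexity"]:
        findings.append("password complexity not required")
    return findings


def audit(devices: list) -> dict:
    """Map each device serial to its list of findings."""
    return {d["serial"]: check_device(d) for d in devices}


# Constructed sample export: a compliant Mac, a misconfigured Windows laptop, and a
# Linux workstation with the lock screen disabled and a weak password policy.
SAMPLE_DEVICES = [
    {
        "serial": "C02AB1234", "os": "macos",
        "disk_encryption_output": "FileVault is On.\n",
        "os_updates_required": True, "auto_software_updates": True,
        "av_products": ["XProtect"], "lock_after_seconds": 600,
        "password_policy": {"min_length": 12, "requires_complexity": True},
    },
    {
        "serial": "5CG9XY7890", "os": "windows",
        "disk_encryption_output": (
            "Volume C: [OS]\n    BitLocker Version:    None\n"
            "    Conversion Status:    Fully Decrypted\n"
            "    Protection Status:    Protection Off\n"
        ),
        "os_updates_required": True, "auto_software_updates": False,
        "av_products": ["Defender"], "lock_after_seconds": 1800,
        "password_policy": {"min_length": 8, "requires_complexity": True},
    },
    {
        "serial": "MXL1234567", "os": "linux",
        "disk_encryption_output": "TYPE\ndisk\npart\ncrypt\nlvm\n",
        "os_updates_required": False, "auto_software_updates": True,
        "av_products": [], "lock_after_seconds": 0,
        "password_policy": {"min_length": 6, "requires_complexity": False},
    },
]

if __name__ == "__main__":
    for serial, findings in audit(SAMPLE_DEVICES).items():
        print(serial, "compliant" if not findings else "; ".join(findings))
```

In practice the records would be pulled from the MDM API or from an agent running the listed commands; the evaluation logic stays the same, and any device returning a non-empty findings list is a candidate for the documented non-standard configuration approval described in the next section or for remediation.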
Non-Standard Configuration
If an asset must use a non-standardized configuration, approval of the use must be provided by Sord management and such approval and request must be documented.
Asset Management
Sord inventories and tracks all assets that are used to view or store confidential information. The asset inventory will include all systems connected to the network and the network devices themselves. Examples of items to be inventoried include laptops, desktops, and servers.
Assets such as smaller peripheral devices, video cards, keyboards, or mice may not be tracked. Assets that store data must be tracked either as part of a computing device or as a part of network-attached storage.
Lost Asset
If an asset is known to be lost or stolen, please report it immediately to [email protected].
Acquisition of New Assets
Information security, capacity planning, and other relevant business considerations must be addressed prior to the acquisition of any unapproved hardware, software, or other equipment, during transitions to new systems, and following a failure or disaster. Sord management must approve any new asset that may be used to access Sord data, systems, networks, or applications.
Data as an Asset
Confidential data is also considered an asset and should be tracked accordingly. Confidential data should be stored in accordance with all security policies, and a record of the location of all covered data must be maintained regardless of its classification or encryption status.
Asset Management Procedures
Sord must maintain an inventory of servers, desktops, laptops, and other devices used to store, create, modify, delete, or transmit confidential information.
Each asset record must be mapped to the device's serial number or another unique identifier.
Any asset no longer in use or deemed no longer usable will be removed from the inventory.
Sord must perform periodic asset management system checks for various classes of asset records.
Any Sord devices issued to team members must be returned upon termination or resignation of such team member.
Asset Inventory Audit
Jonathan Gautsch or a designee will be held accountable for the accuracy of the inventory and must audit the asset list at least annually. Such audit must be documented.
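The periodic checks and the annual audit above amount to reconciling the inventory against what is actually observed in the environment. The following Python script is an added example (not part of the Sord policy or Sord tooling) of such a reconciliation. Both CSV inputs are constructed: an inventory export keyed by serial number, and an "observed" list such as an MDM check-in or DHCP lease export, with assumed column names. It reports devices seen on the network but absent from the inventory, active inventory entries not seen within a stale window (candidates for the lost-asset process or for removal), duplicate serials in the inventory, and retired assets that are still checking in.

```python
"""Reconcile an asset inventory against observed devices.

Added example, not Sord policy text or Sord tooling. Both CSV inputs are
constructed sample data; their column names are assumptions.
"""
import csv
import io
from datetime import date

# Constructed inventory export: one serial appears twice, one asset is retired.
INVENTORY_CSV = """serial,asset_tag,owner,status
C02AB1234,SORD-0001,alice,active
C02CD5678,SORD-0002,bob,active
5CG9XY7890,SORD-0003,carol,active
5CG9XY7890,SORD-0004,dave,active
MXL1234567,SORD-0005,erin,retired
"""

# Constructed observation export (MDM check-ins and DHCP leases), last seen per serial.
OBSERVED_CSV = """serial,source,last_seen
C02AB1234,mdm,2024-03-20
5CG9XY7890,mdm,2024-03-25
MXL1234567,dhcp,2024-03-26
WXYZ000111,dhcp,2024-03-27
"""


def load_rows(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(inventory_csv: str, observed_csv: str, as_of: date,
              stale_after_days: int = 30) -> dict:
    """Compare inventory records with observed devices and return the discrepancies."""
    inventory = load_rows(inventory_csv)
    observed = {r["serial"]: r for r in load_rows(observed_csv)}

    # Index inventory by serial, noting any serial recorded more than once.
    by_serial, duplicates = {}, set()
    for row in inventory:
        if row["serial"] in by_serial:
            duplicates.add(row["serial"])
        by_serial.setdefault(row["serial"], row)

    # Seen on the network or MDM but not recorded: untracked assets.
    untracked = sorted(s for s in observed if s not in by_serial)

    # Active records with no recent sighting: possibly lost, unused, or mis-recorded.
    stale = []
    for serial, row in by_serial.items():
        if row["status"] != "active":
            continue
        sighting = observed.get(serial)
        if sighting is None or (as_of - date.fromisoformat(sighting["last_seen"])).days > stale_after_days:
            stale.append(serial)

    # Retired in the inventory yet still checking in: disposal or return not completed.
    retired_but_online = sorted(s for s, row in by_serial.items()
                                if row["status"] == "retired" and s in observed)

    return {
        "untracked": untracked,
        "stale": sorted(stale),
        "duplicates": sorted(duplicates),
        "retired_but_online": retired_but_online,
    }


if __name__ == "__main__":
    for kind, serials in reconcile(INVENTORY_CSV, OBSERVED_CSV, date(2024, 3, 27)).items():
        print(f"{kind}: {', '.join(serials) or 'none'}")
```

Each category maps to a step in the procedures above: untracked serials need an inventory record, stale entries trigger the lost-asset report or removal from the inventory, duplicates indicate a broken serial mapping, and a retired asset still online means the return or disposal step was not completed. Recording the output of each run is what makes the annual audit documentable.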
Physical Media Transfer
Any media or device containing sensitive data must be shipped by a tracked carrier with a recipient signature required. For encrypted data, the encryption key must be sent through a separate channel and released only after the package has arrived and been signed for. Media containing data will be protected against unauthorized access, misuse, or corruption during transportation.
Legal advice should be sought to ensure compliance before media containing encrypted information or cryptographic controls are moved across jurisdictional borders.
Asset Disposal
When disposing of any asset, sensitive data must be removed prior to disposal. For media storing confidential or personally identifiable information that is not being repurposed, disks should be physically destroyed prior to disposal. Sanitization should occur in accordance with the NIST Guidelines for Media Sanitization (NIST SP 800-88 Rev. 1).
Exceptions
Sord business needs, local situations, laws and regulations may occasionally call for an exception to this policy or any other Sord policy. If an exception is needed, Sord management will determine an acceptable alternative approach.
Enforcement
Any violation of this policy or any other Sord policy or procedure may result in disciplinary action, up to and including termination of employment. Sord reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. Sord does not consider conduct in violation of this policy to be within an employee’s or contractor’s course and scope of work.
Any employee or contractor who is requested to undertake an activity that he or she believes is in violation of this policy must provide a written or verbal complaint to his or her manager or any other manager of Sord as soon as possible.
The disciplinary process should also serve as a deterrent that prevents employees and contractors from violating organizational security policies and procedures, and from committing any other security breaches.
Responsibility, Review, and Audit
Sord reviews and updates its security policies and plans to maintain organizational security objectives and meet regulatory requirements at least annually. The results are shared with appropriate parties internally and findings are tracked to resolution. Any changes are communicated across the organization.
This document is maintained by Jonathan Gautsch.
This document was last updated on 03/27/2024.