Overview
Effective asset management is foundational to information security and operational effectiveness. An organization cannot protect what it does not know it has. This policy establishes the requirements for identifying, classifying, managing, and disposing of all information technology assets throughout their lifecycle. By maintaining a complete and accurate inventory of assets, InContext Solutions ensures that appropriate security controls are applied, operational risks are managed, and regulatory obligations are met.
Scope
This policy applies to all assets owned, leased, or managed by InContext Solutions, including:
- Hardware assets -- servers, workstations, laptops, mobile devices, tablets, network equipment (routers, switches, firewalls, access points), peripherals, and removable storage media
- Software assets -- commercially licensed applications, internally developed applications, open-source software, SaaS subscriptions, and cloud service accounts
- Data assets -- databases, file repositories, backups, archives, and information stored in any format
- Information systems -- production environments, development and staging environments, disaster recovery systems, and supporting infrastructure
This policy applies to all employees, contractors, consultants, and third parties who procure, use, manage, or dispose of InContext Solutions assets.
Asset Inventory
Centralized Asset Register
InContext Solutions maintains a centralized asset register (Configuration Management Database, or CMDB) that serves as the authoritative source of record for all IT assets. Every asset must be recorded in the register before being placed into service.
Required Inventory Fields
Each asset record must include, at a minimum, the following attributes:
| Field | Description |
|---|---|
| Asset ID | Unique identifier assigned to the asset |
| Asset Type | Category (hardware, software, cloud service, data) |
| Owner | Designated individual responsible for the asset |
| Department | Business unit or team associated with the asset |
| Location | Physical location or cloud provider/region |
| Classification | Security classification level (Critical, High, Medium, Low) |
| Status | Current lifecycle state (Deployed, In Storage, Retired, Disposed) |
| Acquisition Date | Date the asset was procured or provisioned |
| End-of-Life Date | Vendor end-of-support or planned retirement date |
| Configuration Details | Hardware specifications, software version, or service tier |
Automated Discovery
Automated discovery tools are deployed to identify and catalog network-connected assets. These tools run continuously to detect new, modified, or removed assets and reconcile findings against the asset register. Unregistered assets discovered on the network are flagged for investigation and must be registered or removed within five business days.
Inventory Accuracy Verification
Inventory accuracy is verified on a quarterly basis through a reconciliation process that compares the asset register against automated discovery results, procurement records, and physical spot checks. Discrepancies are investigated, documented, and resolved within 30 days.
Asset Classification
Assets are classified according to the sensitivity of the data they process, store, or transmit. Classification levels align with the organization's data classification scheme and drive the security controls required for each asset.
Asset Classification Levels:
| Level | Description | Examples |
|---|---|---|
| Critical | Production systems that process, store, or transmit Restricted data. Failure or compromise would have severe business impact. | Production database servers, payment processing systems, authentication infrastructure |
| High | Systems that process Confidential data. Compromise could result in significant business harm or regulatory exposure. | Internal application servers, HR systems, financial reporting platforms |
| Medium | Internal business systems that support day-to-day operations and process Internal data. | Corporate email, project management tools, development environments |
| Low | General-purpose equipment and systems that do not process sensitive data. | Conference room displays, shared printers, guest Wi-Fi infrastructure |
Classification is assigned at the time of registration and reviewed whenever the asset's function, data handling, or environment changes. The classification level determines the minimum security controls that must be applied, including encryption requirements, access restrictions, monitoring intensity, and backup frequency.
Asset Ownership
Designated Owners
Every asset must have a designated owner. Ownership is assigned to a department head or their delegate who has the authority and accountability to manage the asset throughout its lifecycle.
Owner Responsibilities
Asset owners are responsible for:
- Maintaining the accuracy of inventory records for their assigned assets
- Ensuring that security controls appropriate to the asset's classification are implemented and maintained
- Approving and reviewing access to the asset
- Participating in quarterly inventory reviews and annual comprehensive audits
- Initiating retirement and disposal procedures when the asset reaches end of life
- Ensuring compliance with this policy and related standards
Ownership Transfer
When an asset owner changes roles, departs the organization, or when an asset is reassigned to a different department, ownership must be formally transferred. The outgoing owner (or their manager) coordinates with the incoming owner to update the asset register, review current access permissions, and confirm that all security controls remain in place. Ownership transfers must be completed within ten business days.
Hardware Asset Lifecycle
Procurement
All hardware acquisitions must include a review of security requirements prior to purchase. Procurement requests for hardware that will process Confidential or Restricted data require Information Security review. Minimum security specifications -- including support for full-disk encryption, a Trusted Platform Module (TPM), and firmware integrity verification -- are defined in the Hardware Procurement Standards and must be met by all new acquisitions.
Deployment
Before deployment into a production or corporate environment, hardware assets must be configured according to InContext Solutions hardening standards. A pre-deployment checklist is completed for each asset, covering:
- Operating system installation from approved images
- Full-disk encryption enablement
- Endpoint protection agent installation
- Configuration of centralized logging and monitoring
- Application of current security patches
- Registration in the asset register with all required fields
- Assignment of an asset owner
Operation
During active use, hardware assets are subject to:
- Regular maintenance windows for firmware and driver updates
- Timely application of security patches in accordance with the Change and Patch Management Policy
- Continuous endpoint monitoring and alerting
- Periodic physical condition assessments
Retirement
All storage media -- including hard drives, solid-state drives, and removable media -- must be sanitized in accordance with NIST SP 800-88 Rev. 1 guidelines before an asset is retired, repurposed, or transferred outside InContext Solutions. A certificate of destruction is required for all storage media disposed of through physical destruction.
When a hardware asset reaches end of life, the owner initiates the retirement process, which includes:
- Removing the asset from active service and revoking associated credentials
- Performing data sanitization appropriate to the asset's classification level
- Updating the asset register to reflect the retired status
- Generating and retaining disposal documentation, including method of sanitization, date, and responsible party
Software Asset Management
License Tracking
All software licenses are tracked in the asset register, including license type (perpetual, subscription, per-seat, enterprise), entitlement counts, renewal dates, and associated costs. License compliance is reviewed quarterly to prevent over-deployment or under-utilization.
Approved Software
InContext Solutions maintains an approved software list. Only software that has been reviewed and approved by IT and Information Security may be installed on corporate systems. Requests for new software are submitted through the standard change request process and evaluated for security, compatibility, and licensing compliance.
Unauthorized Software Detection
Endpoint management tools monitor corporate devices for unauthorized software installations. Unauthorized software detected on any corporate device is flagged for review and must be removed within five business days. Repeated violations are escalated to the employee's manager and the Information Security team.
SaaS and Cloud Service Inventory
All SaaS and cloud service subscriptions are recorded in the asset register, including the service name, provider, data classification of information stored in the service, contract owner, renewal date, and user count. Shadow IT discovery processes are conducted periodically to identify unregistered cloud services in use across the organization.
Version Management and End-of-Life Planning
Software versions are tracked to ensure timely upgrades before vendor end-of-life dates. An end-of-life tracking report is produced monthly, identifying software approaching end of support within the next 12 months. Upgrade or replacement plans must be documented and approved at least 90 days before end-of-support dates.
Cloud and Virtual Assets
Cloud Resource Tagging
All cloud resources provisioned in IaaS and PaaS environments must be tagged using the organization's standard tagging taxonomy. Required tags include:
- Owner -- individual or team responsible
- Environment -- production, staging, development, or sandbox
- Classification -- data sensitivity level
- Cost Center -- department or project for cost allocation
- Expiration -- expected decommissioning date, if applicable
Untagged resources are flagged by automated policy enforcement tools and must be remediated within five business days.
Cloud Service Inventory
Cloud services are categorized and tracked by delivery model:
- IaaS -- virtual machines, storage accounts, networking resources
- PaaS -- managed databases, application hosting platforms, container services
- SaaS -- third-party applications accessed via subscription
Each cloud service entry in the asset register includes the provider, account or subscription identifier, region, data classification, and designated owner.
Cost Allocation and Optimization
Cloud resource costs are allocated to the responsible department or project through tagging. Monthly cost reviews identify underutilized or orphaned resources for rightsizing or decommissioning.
Decommissioning Cloud Resources
When cloud resources are no longer needed, the owner initiates a decommissioning process that includes:
- Verifying that no active workloads or data dependencies remain
- Exporting or archiving data in accordance with retention requirements
- Deleting the resource and confirming removal from the cloud provider console
- Updating the asset register to reflect the decommissioned status
BYOD and Personal Devices
Registration Requirements
Personal devices used to access InContext Solutions corporate data or systems must be registered with the IT department before use. Registration includes recording the device type, operating system, owner, and intended use.
Minimum Security Requirements
Personal devices accessing corporate data must meet the following minimum security requirements:
- Current, vendor-supported operating system with automatic updates enabled
- Screen lock with a minimum six-digit PIN, password, or biometric authentication
- Full-device encryption enabled
- No jailbroken or rooted devices
Mobile Device Management
Registered personal devices must be enrolled in the organization's Mobile Device Management (MDM) solution. MDM enrollment enables enforcement of security policies, remote configuration, and remote wipe capability. See the Mobile Device Security Policy for detailed device standards and configuration requirements.
Separation of Data
Corporate data on personal devices must be isolated within managed applications or containers that prevent data leakage to unmanaged personal applications. Users may not copy, download, or transfer corporate data to personal storage or unapproved applications.
Corporate Data Wipe
InContext Solutions reserves the right to remotely wipe corporate data from any registered personal device at any time, including upon termination of employment, loss or theft of the device, or policy violation. Employees acknowledge this capability as a condition of BYOD registration.
Asset Disposal
Improper disposal of IT assets can result in data breaches, regulatory penalties, and reputational harm. All assets must be disposed of in accordance with the procedures outlined in this section, and no asset may be discarded, donated, resold, or recycled without completing the required sanitization and documentation steps.
Secure Disposal Procedures by Asset Type
- Servers and workstations -- Data sanitization followed by physical destruction of storage media or certified data wiping
- Laptops and mobile devices -- Factory reset with cryptographic erase, followed by verification
- Network equipment -- Configuration reset to factory defaults, removal of all credentials and certificates
- Removable media (USB drives, optical discs, tapes) -- Physical destruction (shredding or degaussing)
- Paper records -- Cross-cut shredding
Data Sanitization Methods
Data sanitization follows NIST SP 800-88 Rev. 1 guidelines:
| Method | Description | Use Case |
|---|---|---|
| Clear | Overwriting with non-sensitive data using standard tools | Assets being repurposed internally |
| Purge | Cryptographic erase, block erase, or degaussing rendering data infeasible to recover | Assets leaving organizational control |
| Destroy | Physical destruction (shredding, disintegration, incineration) | Storage media from Critical or High classification assets |
The sanitization method applied must be appropriate to the asset's classification level. Critical and High classification assets require Purge or Destroy methods.
Disposal Documentation and Chain of Custody
A disposal record is created for each asset, documenting:
- Asset ID and description
- Classification level
- Sanitization method applied
- Date of sanitization
- Name of the individual or vendor who performed the sanitization
- Chain of custody from removal through final disposition
- Certificate of destruction (for physically destroyed media)
Disposal records are retained for a minimum of seven years.
Environmental Compliance
Electronic waste is disposed of through certified e-waste recyclers who comply with applicable environmental regulations. InContext Solutions does not dispose of electronic assets in general waste streams.
Certificate of Destruction
A certificate of destruction is required for all storage media that undergo physical destruction. Certificates must include the asset identifier, serial number, destruction method, date, and the name and certification of the destruction vendor. Certificates are filed with the corresponding disposal record.
Compliance and Auditing
Quarterly Inventory Audits
The IT department conducts quarterly audits of the asset register to verify accuracy and completeness. Audits include reconciliation of the register against automated discovery data, procurement records, and financial systems.
Reconciliation with Financial Records
Asset inventory records are reconciled with financial and accounting records at least quarterly to ensure alignment between the CMDB and the fixed asset ledger. Discrepancies are investigated and resolved within the audit cycle.
Annual Comprehensive Review
An annual comprehensive review of the asset management program is conducted by the Information Security team. This review evaluates:
- Overall inventory accuracy and completeness
- Effectiveness of classification and ownership assignments
- Compliance with lifecycle management procedures
- Disposal record completeness and sanitization verification
- Alignment with changes in business operations, technology, and regulatory requirements
Findings from the annual review are reported to leadership, and corrective actions are tracked to completion.
Non-Compliance
Failure to comply with this policy may result in disciplinary action up to and including termination of employment or contract. Non-compliance that results in a data breach or regulatory violation may also result in legal liability. Employees who become aware of asset management policy violations are required to report them to the Information Security team.
Related Policies
- Data Management Policy -- for data classification alignment and data handling requirements
- Mobile Device Security Policy -- for detailed device security standards and MDM configuration
Revision History
| Date of Change | Responsible | Summary of Change |
|---|---|---|
| 2025-04-01 | InfoSec Team | Initial publication |
| March 2026 | ICS InfoSec Team | Published to Trust Center |