Document Control
S. No. | Type of Information | Document Data |
1 | Document Title | Asset Management Procedure |
2 | Document Code | ISMS-010 |
3 | Date of Release | 10/10/2024 |
4 | Document Version No | 2.0 |
5 | Language | English |
6 | Document Approver | |
7 | Document Author | |
Document Change Approvals
Version No. | Revision Date | Change Description | Date Approved |
NA | NA | NA | NA |
Introduction
An asset can be defined as “anything of value to LEGISTIFY SERVICES PRIVATE LIMITED” (hereinafter referred to as ‘LEGISTIFY SERVICES PRIVATE LIMITED’). In the realm of information, assets range from physical assets such as removable media, servers and desktops; software assets such as the online visa application website; site assets such as a Visa Application Centre or the corporate office; services such as power and air-conditioning; people assets such as VAC employees and branch managers; and paper assets such as visa application forms and passports. The Asset Management process is necessary to define ownership, maintain an inventory of assets, classify information and establish accountability for the information.
Objective
Protecting assets is essential to protecting the information stored on or processed by them. It is therefore important to understand and follow the “Asset Management Procedure” and to ensure that LEGISTIFY SERVICES PRIVATE LIMITED assets are given an adequate level of protection at all levels. This procedure has been prepared to provide a step-by-step course of action for the following:
Asset acquisition/ procurement;
Identifying and classifying LEGISTIFY SERVICES PRIVATE LIMITED assets;
Compiling and maintaining asset register in an appropriate format (Refer Annexure A);
Identifying the asset owners, asset user and custodians;
Determining the confidentiality (C), integrity (I), and availability (A) ratings of assets;
Labelling the asset as per asset labelling guidelines;
Understanding the responsibilities of Asset Owner, Asset Custodian and Asset User;
Periodic review for asset register and updating the same, as and when required; and
If required, disposing of the asset as per the asset disposal procedure or as per the terms specified by the respective Diplomatic Mission/ Immigration Authority.
Applicability
This procedure is applicable for all information assets, employees and third parties of LEGISTIFY SERVICES PRIVATE LIMITED. This procedure is also applicable across all geographies where information assets of LEGISTIFY SERVICES PRIVATE LIMITED are located and processed.
Responsibility
The Management Representative (IS-MR) at LEGISTIFY SERVICES PRIVATE LIMITED has the responsibility for following the Asset Management Procedure. The accountability for monitoring the management/ execution of the Asset Management Procedure at LEGISTIFY SERVICES PRIVATE LIMITED is with the Chief Information Security Officer (hereinafter referred to as ‘CISO’).
RACI for Asset Management Procedure:
Procedure Name | Responsible (R) | Accountable (A) | Consulted (C) | Informed (I) |
Asset Management Procedure | Information Security Management Representative | CISO | Steering Committee | All employees |
Asset Acquisition/ Procurement
Asset Change Request/ New Asset Request
A purchase requisition for hardware/ software (software along with the software license) is raised;
The request raised is received by the IT Head (LEGISTIFY SERVICES PRIVATE LIMITED) for approval;
Once the request is approved by the IT Head, the requester contacts several vendors and obtains the price quotes and configurations offered by each vendor. The CAPEX Form is populated with the pricing and configuration details obtained from the vendors and sent to the IT Head again for approval; and
The IT Head selects the appropriate vendor from the options documented in the CAPEX form and approves the asset acquisition. After approval, the purchase order is placed with the selected vendor.
Asset Purchase Order
After approval of the CAPEX form is obtained, the Branch Manager places the purchase order with the approved vendor as per the required specification of the asset;
The asset is acquired and the asset management procedure documented in Section 6 is followed; and
If the asset is to be acquired on lease, the contract is reviewed by the respective Branch Manager in consultation with the legal team. After approval from the legal team, the asset is acquired on lease.
Asset Management Flow
The lifecycle of an asset commences with its procurement as per the needs of the business operation. An asset inventory list shall be maintained for all assets procured/ owned by the organization. Management needs to identify the owners, custodians and end users of the assets, and the acceptable usage for these assets. Once identified for use, assets are classified and labelled on the basis of the confidentiality and sensitivity of the information they contain. To prevent unauthorized disclosure, modification or disposal of assets, management defines procedures for the removal of these information assets. Media is disposed of using the process agreed by management, in accordance with the classification of the asset and the information stored on it. In case of physical transfer of an information asset, measures shall be taken to prevent unauthorized disclosure, misuse or corruption of information. Assets shall be returned on completion of the contract or agreement, or on termination of employment.
Asset Management Procedure
Asset Identification
All tangible assets are recorded in the Information Asset Register (hereinafter referred to as ‘IAR’) when any of the criteria listed below is met:
Modifications or upgrade of any physical asset owned by LEGISTIFY SERVICES PRIVATE LIMITED;
Disposal of an asset by LEGISTIFY SERVICES PRIVATE LIMITED;
Modifications or upgrades of an internal tool used by LEGISTIFY SERVICES PRIVATE LIMITED;
Acquisition of a new asset, Immigration/ Applicant Information, Third Party Application or Software;
Movement of an asset to another location; and
Additionally, movement of assets shall comply with the Legal, Immigration/ Mission and Compliance requirements applicable to the VAC/ Corporate office of LEGISTIFY SERVICES PRIVATE LIMITED.
Information Asset Register Compilation Process
Following steps shall be followed for information classification and IAR preparation:
Activities to be performed by the Branch Manager/ Working Group member:
Identify the process name and the related process activity in the identified process;
Identify the asset associated with these process activities and populate it under ‘Asset Name’ header (Refer Annexure A);
Identify the ‘Asset Owner’, ‘Asset Custodian’ and ‘Asset User’;
Use the Asset Register template given in Annexure A and fill-up the template with necessary information about asset, i.e. Asset Type, Asset Location, Asset Custodian and Asset User;
Perform the asset classification as per the asset and information classification guidelines;
Define asset tag for all the identified physical assets and paste it on the respective identified asset as per asset labelling guidelines; and
Assign CIA Rating to each asset as per the asset valuation guidelines.
Periodic review and update of Information Asset Registers
IARs are a key input to the risk management process and provide the details of asset owners and of the locations at which assets are stored. Given the complexity of the information entered, it is important that IARs are reviewed periodically for appropriateness; Function Heads and Branch Managers at the VAC shall therefore be responsible for:
Reviewing the IAR on at least annual basis, with the respective asset owners for completeness and accuracy of asset registers;
Reviewing and updating (if necessary) IAR when:
A new process/ functionality/ service is added to the business operations;
An existing process/ functionality/ service is decommissioned from the business operations; and
New assets are acquired for performing business operations.
Reviewing the Asset Type, Asset Ratings (Confidentiality, Integrity, Availability ratings) and Asset Classification assigned by asset owner for assets relevant to their business operation, and update the same post discussions with Functional Head/ IS-MR.
Responsibilities – Asset Requestor, Asset Owner, Asset Custodian and Asset User
LEGISTIFY SERVICES PRIVATE LIMITED employees who have been identified as asset owner, custodian and user shall adhere to the following guidelines, to ensure that each asset identified has defined roles and responsibilities:
Asset Owner
The asset owner is a person or group of people who have been identified by management and are responsible for the maintenance of the Confidentiality (C), Integrity (I), and Availability (A) of that asset. The asset owner may change during the lifecycle of the asset. In case of information assets, the information asset owner is responsible for determining the information’s classification and how and by whom the information will be used. Where a function creates assets or uses an asset to support their business processes, an individual who heads the function is considered to be an Asset Owner. An Asset Owner shall do the following:
Identify the assets that are being used/ managed in his/ her process;
Classify the assets as per the asset/ information classification guidelines;
Ensure that assets are labelled as per Asset labelling Guidelines;
Determine the Confidentiality (C), Integrity (I) and Availability (A) rating of the assets; and
Ensure that appropriate controls are implemented by Asset Custodian for the protection of asset.
Asset Custodian
Asset custodians are the group of people responsible for implementing the authorized controls for information assets based on their classification level. Based on the asset owner’s requirements and LEGISTIFY SERVICES PRIVATE LIMITED policies, the custodian takes the necessary actions to secure the information, applying safeguards appropriate to the information’s classification level. Asset custodians are expected to have a general knowledge of information security in order to skilfully deploy the appropriate controls that have been agreed upon.
Asset custodian is responsible for day-to-day operations and maintenance of assets. An asset custodian shall do the following:
Ensure that appropriate level of physical security is provided to the assets;
Monitor functionality of the asset; and
Ensure that the information and software assets have their version upgraded, latest anti-virus signature updated and latest security patches applied in accordance with business requirement and risk mitigation controls.
Asset User
Asset users are the end users of the asset. Asset users are the people who use the asset to complete and accomplish their day to day activities, as part of the tasks they are required to work upon. Asset users may use the asset as a tool, raw information, an information guide, or an enabler depending on the purpose.
Asset user has formal authority to use the assets. Asset user creates, transmits, stores, or disposes the information assets as per the authorization level assigned to him/ her by the asset owner. Asset user shall ensure that:
He/ She accesses the LEGISTIFY SERVICES PRIVATE LIMITED asset after receiving appropriate level of authorization from his/ her reporting manager;
Protection measures of the assets are always maintained by him/ her;
The Confidentiality (C), Integrity (I) and Availability (A) of the assets that he/ she uses are maintained at all times; and
Security weaknesses relating to the asset are brought to the notice of asset owner or the IS-MR.
Acceptable Use of Assets
Rules for the acceptable use of assets related to information and information processing facilities shall be identified and implemented. Management shall ensure that organization assets, irrespective of their classification, are not used for any unofficial purpose. Where an organization asset is to be used outside the office location or for personal use, the requisite permission shall be obtained beforehand. Disciplinary action shall be taken against any employee/ third party vendor who does not abide by the procedures for acceptable use of assets. If anyone is observed not following the acceptable use guidelines, a security incident shall be reported.
Return of Assets
All asset users, including employees and external users/ third party contractors, shall return all assets in their possession upon the termination of their employment, contract or agreement.
Asset Classification
All assets that have been identified shall be classified as per the asset classification guidelines mentioned below. The types of asset classification are defined as follows:
Information Asset - This classification covers, but is not limited to, databases and data files (including critical data on local desktops/ laptops), system documentation, user documentation, training materials, operational/ support procedures, continuity plans and archived information;
Software Asset - This classification covers, but is not limited to, application software, system software, and development tools and utilities used and owned by LEGISTIFY SERVICES PRIVATE LIMITED;
Physical Asset - This includes, but is not limited to, computer equipment (processors, monitors, laptops, modems, printers), communication equipment (call centre phones, fax machines) and magnetic media (tapes, disks, CDs);
Services - This includes, but is not limited to, general utility services such as power, lighting and air conditioning, third party security services and courier services;
People - This includes personnel (LEGISTIFY SERVICES PRIVATE LIMITED and third party employees) required to support and operate other assets at LEGISTIFY SERVICES PRIVATE LIMITED;
Paper - Information in physical hard copy form that is used/ required/ generated during the course of operations and is used to manage business processes falls under this category, e.g. confirmation receipts and applicants’ supporting documents; and
Site - This includes the name of the site, i.e. the VAC.
Information Classification Guidelines
Please refer Section 7.2 Risk Assessment Procedure for details.
Refer Information Handling Matrix in the Annexure C.
Asset Valuation
Asset Owner shall be responsible for assigning the Confidentiality (C), Integrity (I), and Availability (A) rating to assets identified for their respective business function. Guidelines below shall be followed for rating the assets.
Please refer Section 7.2 Risk Assessment Procedure for details.
Asset Labelling Guidelines
All asset owners shall ensure that all important physical assets are labelled as per the following label template. Physical assets may include, but are not limited to, desktops, laptops, printers, scanners and fax machines. All asset owners shall ensure that critical physical assets are labelled and are easily identifiable.
Asset owners shall use a consistent label template for their physical assets throughout the operations of the function. Consistency shall be maintained for operations out of multiple locations as well;
Labelling template shall follow the following tagging template:
Organization – LEGISTIFY SERVICES PRIVATE LIMITED;
VAC Location/ Corporate Office – NO;
Refer Annexure A, Attachment # 3 Tab “Asset Management Codes” for the branch codes;
Asset Name – Physical Asset Name (Desktop, Scanner, Printer, Phone);
Refer Annexure A, Attachment # 3 Tab “Asset Management Codes” for the asset codes; and
Asset Quantity Number - 001, 002.
Example: A laptop in the Gurgaon VAC will have the following asset tag placed on it:
LEGISTIFY SERVICES PRIVATE LIMITED/GUR/LPC/001
Asset Owners shall ensure that all asset labels are clearly visible on the asset.
List of Classification Codes for locations:
S.no | Location | Code |
1 | Gurgaon | GUR |
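The IAR compilation steps above (asset name, owner, custodian, user, type, location, CIA rating, label) and the tagging template can be exercised in code. The following is an added example written for this page, not part of the LEGISTIFY SERVICES PRIVATE LIMITED procedure or its annexures: it builds and validates labels in the `ORG/<location>/<asset code>/<NNN>` layout, keeps a small register with the fields the procedure asks for, assigns the next free quantity number per location and asset code, and lists assets whose annual review is overdue. The 1..3 CIA rating scale, the 365-day review period, the `PRN` printer code and all sample assets are assumptions or constructed data; only `GUR` and `LPC` come from the page.

```python
"""Toy Information Asset Register (IAR) helper. Added example, not from the document.
Assumptions not on the page: CIA ratings use a 1 (low)..3 (high) scale, the review
period is 365 days, and codes other than GUR/LPC are placeholders for Annexure A."""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

ORG = "LEGISTIFY SERVICES PRIVATE LIMITED"
# Asset classifications from the "Asset Classification" section.
ASSET_TYPES = {"Information", "Software", "Physical", "Services", "People", "Paper", "Site"}
LOCATION_CODES = {"Gurgaon": "GUR"}            # only GUR is given on the page
ASSET_CODES = {"Laptop": "LPC", "Printer": "PRN"}  # PRN is an assumed placeholder
# Label layout from the labelling guidelines: ORG/<location>/<asset code>/<NNN>
TAG_RE = re.compile(r"^" + re.escape(ORG) + r"/([A-Z]{3})/([A-Z]{3})/(\d{3})$")


def make_asset_tag(location_code: str, asset_code: str, seq: int) -> str:
    """Build a label following the tagging template; reject unknown codes."""
    if location_code not in LOCATION_CODES.values():
        raise ValueError(f"unknown location code {location_code!r}")
    if asset_code not in ASSET_CODES.values():
        raise ValueError(f"unknown asset code {asset_code!r}")
    if not 1 <= seq <= 999:
        raise ValueError("asset quantity number must be between 001 and 999")
    return f"{ORG}/{location_code}/{asset_code}/{seq:03d}"


def parse_asset_tag(tag: str) -> Tuple[str, str, int]:
    """Validate a printed label and split it into (location, asset code, number)."""
    m = TAG_RE.match(tag)
    if m is None:
        raise ValueError(f"malformed asset tag: {tag!r}")
    loc, code, seq = m.groups()
    return loc, code, int(seq)


@dataclass
class Asset:
    """One IAR row: the fields the compilation steps call for, plus CIA ratings."""
    name: str
    asset_type: str
    owner: str
    custodian: str
    user: str
    location: str
    confidentiality: int
    integrity: int
    availability: int
    last_reviewed: date
    tag: Optional[str] = None  # only physical assets receive a label

    def __post_init__(self) -> None:
        if self.asset_type not in ASSET_TYPES:
            raise ValueError(f"unknown asset type {self.asset_type!r}")
        for rating in (self.confidentiality, self.integrity, self.availability):
            if not 1 <= rating <= 3:  # assumed rating scale
                raise ValueError("CIA ratings must be 1..3")


class AssetRegister:
    def __init__(self) -> None:
        self._assets: List[Asset] = []

    def assets(self) -> List[Asset]:
        return list(self._assets)

    def add(self, asset: Asset) -> None:
        """Register a non-physical asset (no label required)."""
        self._assets.append(asset)

    def add_physical(self, asset: Asset, asset_code: str) -> str:
        """Register a physical asset and assign the next free tag at its location."""
        loc = LOCATION_CODES[asset.location]
        used = sum(1 for a in self._assets
                   if a.tag and parse_asset_tag(a.tag)[:2] == (loc, asset_code))
        asset.tag = make_asset_tag(loc, asset_code, used + 1)
        self._assets.append(asset)
        return asset.tag

    def review_due(self, today: date, period_days: int = 365) -> List[str]:
        """Names of assets whose last review is older than the review period."""
        return [a.name for a in self._assets
                if today - a.last_reviewed > timedelta(days=period_days)]


def build_sample_register() -> AssetRegister:
    """Constructed sample rows (not from the document) exercising the register."""
    reg = AssetRegister()
    reg.add_physical(Asset("VAC front-desk laptop", "Physical", "Branch Manager", "IT Support",
                           "Front-desk staff", "Gurgaon", 3, 2, 2, date(2024, 1, 15)), "LPC")
    reg.add_physical(Asset("Branch manager laptop", "Physical", "Branch Manager", "IT Support",
                           "Branch Manager", "Gurgaon", 3, 2, 2, date(2024, 9, 1)), "LPC")
    reg.add(Asset("Visa applicant database", "Information", "IT Head", "Database administrator",
                  "VAC operations", "Gurgaon", 3, 3, 3, date(2024, 5, 20)))
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    for a in register.assets():
        print(a.tag or "(no label)", "|", a.name, "| CIA", (a.confidentiality, a.integrity, a.availability))
    print("review due:", register.review_due(date(2025, 3, 1)))
```

`parse_asset_tag` is strict on purpose: a label with a stray space or a lowercase code (the kind of variation that creeps in when tags are typed by hand at several locations) is rejected rather than silently accepted, so the register and the physical labels cannot drift apart.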
Handling of Assets
Procedures regarding the handling of assets/ information shall be developed and implemented as per the asset classification methodology adopted by LEGISTIFY SERVICES PRIVATE LIMITED.
Usage | Confidential/ Restricted | Internal | Public |
Labeling | | | |
Duplication | | | |
Mailing of Information | | | |
Disposal | | | |
Storage | | | |
Distribution/ Read Access | | | |
Reclassification Review | | | |
Special Handling Requirements for Information in Electronic Formats:
Usage | Confidential/ Restricted | Internal | Public |
Storage on fixed media | | | |
Storage on removable media | | | |
Read/ update/ delete access to information | | | |
Disposal of electronic media (diskettes, tapes, hard disks) | | | |
Transmission of Electronic Data:
Usage | Restricted | Confidential | Public | Internal |
Internet | | | | |
LAN/VAN | | | | |
Cell Phone/ Normal Phone | | | | |
Management of Removable Media
All storage media must be removed from equipment, on approval/ certification by the management responsible for approving media disposal, prior to destruction. All media shall be reviewed by the asset owner and the responsible management before being sent for disposal. Only once approval for the disposal has been given shall the disposal/ destruction commence, and records shall be maintained for the same.
Disposal of Media/ Assets
A procedure shall be developed for the disposal of assets/ information that are no longer required. Assets/ information shall be disposed of on the basis of their classification. For example, all paper documents marked as confidential shall be shredded by the asset owner or the asset custodian when they are no longer required. All surplus paper assets, irrespective of their classification, shall be shredded once they become redundant, and records shall be maintained for the same.
Information/ Paper Disposal
Disposing of sensitive information (PII/ visa application supporting documents) requires more than just deleting files or formatting a hard disk. Sensitive information that has outlived its purpose still poses a risk and shall be destroyed or disposed of. It is also important to know the legal, contractual and immigration requirements for retaining records and for disposing of the sensitive information.
Once the decision to destroy or dispose of information has been taken, based on the retention periods agreed with the respective Mission/ Immigration body, the information shall be disposed of. All hard copy and paper documents shall be sent for shredding or compaction. If the Immigration body/ Mission contract/ agreement allows an alternate form of disposal (e.g. through a third party vendor), that disposal method shall be followed. All information held in soft format shall be erased/ removed from the storage disk (tools/ applications may be used for erasing the information) as per the timelines agreed with the respective Immigration body/ Mission. If the Immigration body/ Mission requires the related information to be backed up to a CD/ DVD before disposal, the IT Head shall be responsible for taking the required backup and sending the backed-up CD/ DVD to the respective Immigration body/ Mission. The IT Head shall obtain confirmation from the relevant individual at the respective Immigration body/ Mission that the backed-up CD/ DVD has been received. Once that confirmation is obtained, the information shall be erased/ removed from the storage disk (tools/ applications may be used for erasing the information). The approval for the disposal of the information from the respective Immigration body/ Mission shall be retained (if applicable).