7. Asset Management

Control objective: to achieve and maintain appropriate protection of organizational assets.

PDF 7.1.Responsibility for Asset

    7.1.1 Inventory of assets

    All information assets are clearly identified, and an inventory of all important assets has been drawn up and is maintained in line with the requirements of DOC 7.1

    7.1.2 Ownership of assets

    All assets associated with the information systems or services are ‘owned’ by a designated individual or part of the Organisation, and details of the Owner are identified on the asset inventory in line with DOC 7.1.

    7.1.3 Acceptable use of assets

    Rules for the acceptable use of information and assets associated with information processing facilities have been identified, documented and implemented.

      7.1.3.1 The Civil Service Bureau, that ultimately reported to the Director General of IT, is responsible for ensuring that all users sign User Agreements (see sub section 11.2), which set out requirements for acceptable use of information assets and in which they also explicitly accept the Organisation’s Internet Acceptable Use Policy (DOC 7.2).

      7.1.3.2These User Agreements (see sub section 11.2) also explicitly accept the Organisation’s Rules for Use of E-mail (DOC 7.3).

      7.1.3.3The Information Security Manager is responsible for monitoring compliance, as set out in Work Instruction DOC 7.4, with the AUP as set out in 5.1.1 of this manual

      7.1.3.4Guidelines for the use of mobile devices are included in the ‘mobile on the road’ annex to the User Agreement (see sub sections 11.2 11.7) for users issued with such devices.


7.2 Information Classification

Control objective: to ensure that information receives an appropriate level of protection

    7.2.1 Classification guidelines

    Information has been classified in terms of value, legal requirements, sensitivity and criticality to the Organisation

      7.2.1.1 The Organisation has developed guidelines for information classification, which are suited to business needs (including legality, value, sensitivity and criticality) to both restrict and share information, and to the business impacts associated with those needs, and these are contained in DOC 7.6

    7.2.2 Information labelling and handling
    An appropriate set of procedures for information labelling and handling has been developed in accordance with the classification scheme adopted by the Organisation and this is set out in DOC 7.6

    Adlin Hisyamuddin
    Information Security Manager

    ____________________________

    On:

    08 November, 2007
    ____________________________

    Change history

    Issue 1 08 November, 2007 Initial issue