Skip to content

Asset Management Policy

Breakout Learning Inc.


Purpose

The purpose of this policy is to define requirements for managing and properly tracking assets owned, managed, and under the control of Breakout Learning Inc. throughout their lifecycle, from acquisition to disposal.


Roles and Responsibilities

Chief of Staff: Jake Shepherd


Policy

Physical and Virtual Asset Standard

Breakout Learning Inc. will ensure proper management of assets to maximize information security. The following procedures will be enforced for Breakout Learning Inc. assets to ensure proper maintenance, tracking, monitoring, and handling:

  • A detailed asset inventory will be maintained.
  • All significant assets will be included unless they carry low purchase/replacement costs and pose no risk to business operations or compliance.
  • Each asset will have a unique identifier, description, classification (when applicable), and technical specifications.
  • Media assets containing sensitive information will be clearly marked for the authorized recipient.
  • Access to each asset will be restricted based on its classification, and records of authorized recipients will be maintained.
  • Disposal or replacement of assets will be tracked due to depreciation, expiring leases, obsolescence, loss, etc.
  • A reporting function will support auditing and IT compliance monitoring.

Asset Inventory Standard

The asset inventory process is critical for managing assets in line with legal and regulatory requirements. This includes:

  • Inventory of physical and virtual assets, including end-user devices, servers, and IoT devices.
  • Records to include asset name, classification, description, purpose, and owner.
  • Use of hosted asset tracking solutions (e.g., RFID, GPS, BLE technologies).
  • Cloud-stored assets will include information on cloud services used and associated data.

Asset Ownership

An owner will be assigned to each asset upon creation or transfer to Breakout Learning Inc. The owner is responsible for:

  • Ensuring assets are inventoried and classified.
  • Reviewing access restrictions and classification regularly.
  • Proper disposal when no longer needed.

Physical and Digital Asset Inventories

Physical Asset Inventory

Breakout Learning Inc. uses Drata’s asset management system to track physical computing equipment, including:

  • Servers, workstations, laptops, printers, and networking equipment.
  • Company-owned devices are subject to data wipes if necessary (e.g., device infection).

Digital Asset Inventory

Drata’s system also queries cloud-based infrastructure to track digital assets, including:

  • Virtual machines, servers, repositories, security agents, source code, and user accounts.
  • Records are tagged with owner, project, and classification.

Asset Retirement Standard

Before retiring or replacing any asset, Breakout Learning Inc. ensures compliance with data retention requirements and confirms that any replacement assets meet legal/regulatory requirements. Data on retiring assets must be migrated and tested before deletion.


System Hardening Standards

System hardening follows CIS benchmarks and includes:

  • Changing vendor defaults and disabling insecure protocols.
  • Installing patches and enabling malware protection.
  • Enforcing two-factor authentication and logging.
  • Using location-aware technologies to verify connection authentication.

Virtualization Security

VM lifecycle control includes:

  • Tagging VMs based on sensitivity.
  • Restricting LVM images and implementing backup systems.
  • Consistent security policies for physical and virtual networks.

Infrastructure Configuration and Maintenance

Patching Standards

Operating system and infrastructure patches/upgrades are evaluated, approved, and installed based on their criticality during off-peak hours to minimize disruption. Redundant systems are patched one device at a time to ensure minimal impact.

Infrastructure Documentation

Up-to-date network diagrams and configuration standards are maintained, and antivirus/anti-malware tools are deployed on endpoint devices.


Capacity Management

Capacity management includes system tuning, monitoring, and proactive identification of future requirements. Steps to mitigate bottlenecks include:

  • Deleting obsolete data, decommissioning systems, and optimizing batch processes.
  • Restricting bandwidth for non-critical services and provisioning new server instances as needed.

Management of Media

Removable Media

Authorization is required to remove media from Breakout Learning Inc. facilities. Secure disposal and encryption are used to maintain data integrity and confidentiality.

Physical Media Transfer

Transport of media follows secure practices, including reliable couriers, verification procedures, and proper logging of transfers.

Disposal of Media

Media containing confidential information is disposed of securely through incineration, shredding, or secure data erasure. Each disposal is logged for auditing purposes.

Media Sanitization

Sanitization ensures data is unrecoverable prior to asset disposal, release, or reuse. Techniques include clearing, purging, cryptographic erase, and destruction.


Return of Assets Upon Termination

The termination process requires the return of all assets. Unauthorized copying of information is monitored and controlled during the termination period. Relevant data is securely erased from personal devices if used for business purposes.


Revision History

Version

Date

Editor

Approver

Description of Changes

1.1

2024/10/01

Nikita Rogatnev

Joshua Oster-Morris

Standardized role titles across all relevant policies, replacing previous variations

1.0

2024/01/01

Joshua Oster-Morris

Jake Shepherd

Initial version