Asset Management Policy
Breakout Learning Inc.
Purpose
The purpose of this policy is to define requirements for managing and properly tracking assets owned, managed, and under the control of Breakout Learning Inc. throughout their lifecycle, from acquisition to disposal.
Roles and Responsibilities
Chief of Staff: Jake Shepherd
Policy
Physical and Virtual Asset Standard
Breakout Learning Inc. will ensure proper management of assets to maximize information security. The following procedures will be enforced for Breakout Learning Inc. assets to ensure proper maintenance, tracking, monitoring, and handling:
- A detailed asset inventory will be maintained.
- All significant assets will be included unless they carry low purchase/replacement costs and pose no risk to business operations or compliance.
- Each asset will have a unique identifier, description, classification (when applicable), and technical specifications.
- Media assets containing sensitive information will be clearly marked for the authorized recipient.
- Access to each asset will be restricted based on its classification, and records of authorized recipients will be maintained.
- Disposal or replacement of assets due to depreciation, expiring leases, obsolescence, loss, etc. will be tracked.
- A reporting function will support auditing and IT compliance monitoring.
Asset Inventory Standard
The asset inventory process is critical for managing assets in line with legal and regulatory requirements. This includes:
- Inventory of physical and virtual assets, including end-user devices, servers, and IoT devices.
- Records to include asset name, classification, description, purpose, and owner.
- Use of hosted asset tracking solutions (e.g., RFID, GPS, BLE technologies).
- Cloud-stored assets will include information on cloud services used and associated data.
Asset Ownership
An owner will be assigned to each asset upon creation or transfer to Breakout Learning Inc. The owner is responsible for:
- Ensuring assets are inventoried and classified.
- Reviewing access restrictions and classification regularly.
- Proper disposal when no longer needed.
Physical and Digital Asset Inventories
Physical Asset Inventory
Breakout Learning Inc. uses Drata’s asset management system to track physical computing equipment, including:
- Servers, workstations, laptops, printers, and networking equipment.
- Company-owned devices are subject to data wipes if necessary (e.g., device infection).
Digital Asset Inventory
Drata’s system also queries cloud-based infrastructure to track digital assets, including:
- Virtual machines, servers, repositories, security agents, source code, and user accounts.
- Records are tagged with owner, project, and classification.
Asset Retirement Standard
Before retiring or replacing any asset, Breakout Learning Inc. ensures compliance with data retention requirements and confirms that any replacement assets meet legal/regulatory requirements. Data on retiring assets must be migrated and tested before deletion.
System Hardening Standards
System hardening follows CIS benchmarks and includes:
- Changing vendor defaults and disabling insecure protocols.
- Installing patches and enabling malware protection.
- Enforcing two-factor authentication and logging.
- Using location-aware technologies to verify connection authentication.
Virtualization Security
VM lifecycle control includes:
- Tagging VMs based on sensitivity.
- Restricting LVM images and implementing backup systems.
- Consistent security policies for physical and virtual networks.
Infrastructure Configuration and Maintenance
Patching Standards
Operating system and infrastructure patches/upgrades are evaluated, approved, and installed based on their criticality during off-peak hours to minimize disruption. Redundant systems are patched one device at a time to ensure minimal impact.
Infrastructure Documentation
Up-to-date network diagrams and configuration standards are maintained, and antivirus/anti-malware tools are deployed on endpoint devices.
Capacity Management
Capacity management includes system tuning, monitoring, and proactive identification of future requirements. Steps to mitigate bottlenecks include:
- Deleting obsolete data, decommissioning systems, and optimizing batch processes.
- Restricting bandwidth for non-critical services and provisioning new server instances as needed.
Management of Media
Removable Media
Authorization is required to remove media from Breakout Learning Inc. facilities. Secure disposal and encryption are used to maintain data integrity and confidentiality.
Physical Media Transfer
Transport of media follows secure practices, including reliable couriers, verification procedures, and proper logging of transfers.
Disposal of Media
Media containing confidential information is disposed of securely through incineration, shredding, or secure data erasure. Each disposal is logged for auditing purposes.
Media Sanitization
Sanitization ensures data is unrecoverable prior to asset disposal, release, or reuse. Techniques include clearing, purging, cryptographic erase, and destruction.
Return of Assets Upon Termination
The termination process requires the return of all assets. Unauthorized copying of information is monitored and controlled during the termination period. Relevant data is securely erased from personal devices if used for business purposes.
Revision History
| Version | Date | Editor | Approver | Description of Changes |
| --- | --- | --- | --- | --- |
| 1.1 | 2024/10/01 | Nikita Rogatnev | Joshua Oster-Morris | Standardized role titles across all relevant policies, replacing previous variations |
| 1.0 | 2024/01/01 | Joshua Oster-Morris | Jake Shepherd | Initial version |