How to write an effective IT ASSET POLICY?

July 8th, 2010

Bally Chohan of Bally Chohan Technology Dubai often comes across IT Managers with queries on how to write an effective IT asset policy. In the article below, Bally Chohan sets out an effective IT asset policy.

The DIRECTOR-IT is responsible to ensure compliance with this policy.

All Indian and foreign laws and regulations will be complied with.

IT Equipment will be provided to users on need to use basis. Request for provision of IT equipment must follow the specified process, and must have the necessary business approvals. Procurement / scrapping of IT equipment will be as per defined business processes and with appropriate approvals.

IT Asset Owners will be identified for all IT assets.  These owners will classify the IT assets under their control and ensure that the protection provided corresponds to the business value of the asset.  Asset owners will authorize access to the assets under their control.  Access to IT assets will be reviewed at least annually to verify that personnel have a business need for the access provided.

The IT Asset Owners will be responsible for all IT equipment in their ownership. A formal ownership form will be available for all IT equipment assigned to users; this form will list the equipment and the software installed on it. The user is also responsible for ensuring that all installed software is licensed and approved by BALLY CHOHAN TECHNOLOGY DUBAI. “Central” equipment such as servers, LAN and WAN equipment, network printers etc. will be the responsibility of the DIRECTOR-IT, who will maintain a list of such equipment and approve any movement of it. This responsibility may be delegated.

Ownership forms will be signed by the owner once every year, in the month of January.  Physical verification of the IT asset list will also happen through this process.

IT assets will only be used for authorized business purposes.  However, incidental and infrequent personal use is acceptable.  BALLY CHOHAN TECHNOLOGY DUBAI has the right to monitor the use of IT assets.  Files that are not related to BALLY CHOHAN TECHNOLOGY DUBAI standard software or which are not justified by the needs of the business unit shall not be stored on BALLY CHOHAN TECHNOLOGY DUBAI computer systems.  When exceptions are found, and deemed noncompliant, they must be removed.  Any action must be taken with an understanding of the standard and locally accepted software.  This action must be coordinated with the local business unit management.

The DIRECTOR-IT is responsible for maintaining an up-to-date inventory of all IT assets. This responsibility may be delegated.

The DIRECTOR-IT is responsible for ensuring that warranty / Service is available for all IT equipment.  Service could be under warranty, through an Annual Maintenance Contract, or through a process for “do and charge” repair in case of breakdown.

Only licensed copies of software, approved by BALLY CHOHAN TECHNOLOGY DUBAI management, may be used on any platform (mainframes, servers, desktops, laptops, portable personal IT devices, etc.).  Duplicating, selling, or copying software outside the terms of any purchase agreement and/or license is prohibited.  BALLY CHOHAN TECHNOLOGY DUBAI standard (approved) and BALLY CHOHAN TECHNOLOGY DUBAI India software is identified in the appropriate section in this manual.

A user authentication scheme (user IDs, passwords, certificates, biometrics, smart cards, etc.) will be established on all computer systems and networks.  These IDs will be issued based on a documented request approved by an IT asset owner or authorized alternate.  A copy of the approved request will be retained on file for a minimum of one year, or longer if subject to contractual requirements.

The identity of all users will be verified before providing and/or resetting passwords.

Temporary passwords will be set to expire at next logon whenever an administrator issues a new ID or resets a password.  Systems that support it should be configured to lock out the ID after five (maximum) wrong password entries and shall not automatically unlock for at least one hour.

Passwords must be a minimum of six characters and must be changed at least every 90 days.

The last 5 passwords will not be allowed to be reused on systems that permit such configuration.

Passwords must not be displayed on any screen and must not be stored in the clear in any file.

Passwords must be kept confidential.  Exceptions to this requirement will be authorized only for operating system support activities where the system architecture prevents the use of personal IDs to perform required system support functions.  In these cases, the passwords will only be shared with personnel with a valid support requirement.  These passwords must be changed whenever a person who knows the password terminates employment or has a change of status such that the password is no longer required to perform job functions.  A list of individuals who have been given these passwords will be maintained.  All other password controls listed above must be followed.

The default access permission for IT assets will be set to “NO ACCESS”.

User IDs that have not been used in 3 months will be disabled.  After 1 year of inactivity, user IDs will be deleted.
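The lockout, password-expiry, password-history and inactive-ID rules stated above are mechanical enough to be checked by a script. The following is an added example, not code from the original article or from Bally Chohan Technology Dubai: the Account record layout and the helper names are assumptions, the sample accounts are constructed, and the thresholds are the policy's own figures ("3 months" taken as 90 days), kept as named constants so a stricter baseline can be substituted. Password history is stored as salted scrypt digests rather than in the clear, which is what the "must not be stored in the clear" rule requires.

```python
"""Account-lifecycle checks for the user-ID and password rules in the policy.
Added example; record layout and helper names are assumptions."""
from __future__ import annotations

import hashlib
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Thresholds as the policy states them ("3 months" taken as 90 days).
MIN_PASSWORD_LENGTH = 6
MAX_PASSWORD_AGE = timedelta(days=90)
PASSWORD_HISTORY = 5
MAX_FAILED_LOGONS = 5
LOCKOUT_DURATION = timedelta(hours=1)
DISABLE_AFTER = timedelta(days=90)
DELETE_AFTER = timedelta(days=365)


@dataclass
class Account:  # assumed record layout
    user_id: str
    last_logon: datetime
    password_set: datetime
    temporary: bool = False            # admin-issued; must change at next logon
    failed_logons: int = 0
    lockout_started: datetime | None = None
    # (salt, scrypt digest) pairs: never the clear-text password
    password_history: list[tuple[bytes, bytes]] = field(default_factory=list)


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)


def lifecycle_action(acct: Account, now: datetime) -> str:
    """'disable' after 3 months idle, 'delete' after 1 year, else 'keep'."""
    idle = now - acct.last_logon
    if idle >= DELETE_AFTER:
        return "delete"
    if idle >= DISABLE_AFTER:
        return "disable"
    return "keep"


def password_change_required(acct: Account, now: datetime) -> bool:
    """Temporary passwords expire at next logon; others after 90 days."""
    return acct.temporary or (now - acct.password_set) >= MAX_PASSWORD_AGE


def is_locked_out(acct: Account, now: datetime) -> bool:
    """True while a lockout is younger than one hour; clears it afterwards."""
    if acct.lockout_started is None:
        return False
    if now - acct.lockout_started < LOCKOUT_DURATION:
        return True
    acct.lockout_started = None       # lockout has lasted at least one hour
    acct.failed_logons = 0
    return False


def record_failed_logon(acct: Account, now: datetime) -> bool:
    """Count a wrong password; lock the ID at the fifth. Returns lockout state."""
    if is_locked_out(acct, now):
        return True
    acct.failed_logons += 1
    if acct.failed_logons >= MAX_FAILED_LOGONS:
        acct.lockout_started = now
    return is_locked_out(acct, now)


def new_password_acceptable(acct: Account, candidate: str) -> bool:
    """Minimum length, and none of the last five passwords reused."""
    if len(candidate) < MIN_PASSWORD_LENGTH:
        return False
    recent = acct.password_history[-PASSWORD_HISTORY:]
    return all(_digest(candidate, salt) != digest for salt, digest in recent)


def set_password(acct: Account, password: str, now: datetime,
                 temporary: bool = False) -> None:
    salt = os.urandom(16)
    acct.password_history.append((salt, _digest(password, salt)))
    acct.password_history = acct.password_history[-PASSWORD_HISTORY:]
    acct.password_set = now
    acct.temporary = temporary


def run_checks() -> dict:
    """Constructed sample accounts run against the rules; returns the findings."""
    now = datetime(2010, 7, 8, 9, 0)
    active = Account("alice", now - timedelta(days=10), now - timedelta(days=100))
    idle = Account("bob", now - timedelta(days=120), now - timedelta(days=30))
    stale = Account("carol", now - timedelta(days=400), now - timedelta(days=30))
    fresh = Account("dave", now, now, temporary=True)
    dave_must_change = password_change_required(fresh, now)  # temporary password

    # Lockout: four wrong entries do not lock; the fifth does, for an hour.
    before_fifth = [record_failed_logon(active, now) for _ in range(MAX_FAILED_LOGONS - 1)]
    locked_at_fifth = record_failed_logon(active, now)
    still_locked = is_locked_out(active, now + timedelta(minutes=59))
    unlocked_later = is_locked_out(active, now + timedelta(hours=1))

    # History: after five passwords the first is still blocked; after six it is not.
    for i in range(PASSWORD_HISTORY):
        set_password(fresh, f"Pass-{i}", now)
    reuse_first = new_password_acceptable(fresh, "Pass-0")
    set_password(fresh, "Pass-5", now)
    first_after_rotation = new_password_acceptable(fresh, "Pass-0")

    return {
        "alice": lifecycle_action(active, now), "bob": lifecycle_action(idle, now),
        "carol": lifecycle_action(stale, now),
        "alice_must_change": password_change_required(active, now),
        "dave_must_change": dave_must_change,
        "locked_before_fifth": any(before_fifth), "locked_at_fifth": locked_at_fifth,
        "still_locked_59min": still_locked, "unlocked_after_1h": unlocked_later,
        "too_short": new_password_acceptable(fresh, "abc12"),
        "reuse_first": reuse_first, "first_after_rotation": first_after_rotation,
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

The scrypt parameters (n=2**14, r=8, p=1) are a reasonable interactive-logon cost; in a real directory or identity system the history would be held in that system's credential store rather than in an in-memory list, and `lifecycle_action` would be run against an export of last-logon timestamps on a schedule.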

IT security education and awareness programs will be conducted for all new personnel and periodically repeated for all employees and non-employees.  Program content will be updated to reflect changes in technology and security threats.

Access to IT assets will be adjusted whenever a change of status occurs, e.g. terminations, transfers, leaves of absence, etc.  This must be completed in a timeframe commensurate with the business value of the IT asset that the individual has access to.  Business Unit management must establish procedures to manage this process.  A copy of the request will be permanently filed.

The HR process for resignation / separation must ensure that clearance is obtained from appropriate IT personnel that all IT equipment has been handed back.

Unauthorized attempts to gain access to IT assets will be monitored and reported to the DIRECTOR-IT or other IT persons.

All workstations and PCs must have a password-protected screensaver activated.  The screensaver must start after no more than 30 minutes of inactivity.  Password policies listed above must be followed.

Failure to comply with this policy may result in the following actions:

BALLY CHOHAN TECHNOLOGY DUBAI employee: disciplinary action up to and including discharge

Non-employee: termination of access to BALLY CHOHAN TECHNOLOGY DUBAI IT assets, severance of relationship with BALLY CHOHAN TECHNOLOGY DUBAI and appropriate legal action
