3.3.1 Manage Assets
No: 43028139 | Date(g): 4/11/2021 | Date(h): 29/3/1443 | Status: In-Force
Principle
Asset Management process should be established to provide visibility of the Member Organization's information assets by maintaining an accurate and up-to-date inventory.
Control Requirements
1. The asset management process should be defined, approved, implemented and communicated.
2. The effectiveness of the asset management process should be monitored, measured and periodically evaluated.
3. The asset management process should include, but not be limited to:
   a. asset onboarding;
   b. asset identification, classification, labeling and handling;
   c. asset disposal; and
   d. asset decommissioning.
4. The asset register should provide the required level of detail, including (but not limited to):
   a. asset name;
   b. asset owner;
   c. asset custodian and asset criticality;
   d. asset physical location;
   e. asset logical location (network zone);
   f. whether the asset is identified as directly in scope of PCI;
   g. whether the asset is identified as indirectly in scope of PCI;
   h. availability or backup information;
   i. service contract or license information;
   j. technical contacts (OS, application, database and network);
   k. primary and secondary processes supported by the asset;
   l. acceptable downtime, aligned with the BCM Business Impact Analysis where applicable;
   m. financial impact per hour in the event of downtime;
   n. vendor engagement contract number;
   o. vendor point of contact details;
   p. vendor SLA details; and
   q. vendor classification details.
5. The asset register should be maintained and updated on a yearly basis, or whenever any asset is introduced into or removed from the inventory.
6. Member Organizations should:
   a. define criteria for the identification of critical assets;
   b. identify, maintain and periodically update a comprehensive list of critical assets;
   c. proactively monitor the performance of critical assets; and
   d. ensure adequate resilience measures are in place for critical assets to maintain availability of the required critical services.
7. The asset owner should be responsible for, but not limited to:
   a. classification and labeling of the asset;
   b. defining and reviewing access rights and restrictions, taking into account the applicable access control policies of the Member Organization;
   c. authorizing changes related to the asset; and
   d. ensuring alignment with cyber security controls.
8. Assets should be disposed of in a controlled and secure manner upon completion of their useful life and when other relevant obligations are met.