3.3.1 Manage Assets
| No: 43028139 | Date(g): 4/11/2021 | Date(h): 29/3/1443 |
Effective from 2021-11-04 - Nov 03 2021
To view other versions open the versions tab on the right
Principle
Asset Management process should be established to provide visibility of the Member Organization's information assets by maintaining an accurate and up-to-date inventory.
Control Requirements
| 1. | The asset management process should be defined, approved, implemented and communicated. | |
| 2. | The effectiveness of the asset management process should be monitored, measured and periodically evaluated. | |
| 3. | The asset management process should include but not limited to: | |
| a. | asset onboarding; | |
| b. | asset identification, classification, labeling and handling; | |
| c. | asset disposal; and | |
| d. | asset decommissioning. | |
| 4. | Asset register should provide with the level of details, including (but not limited): | |
| a. | asset name; | |
| b. | asset owner; | |
| c. | asset custodian; asset criticality; | |
| d. | asset physical location; | |
| e. | asset logical location (network zone); | |
| f. | asset identified as direct in-scope of PCI; | |
| g. | asset identified as indirect in-scope of PCI; | |
| h. | availability or backup information; | |
| i. | service contract or license information; | |
| j. | technical contacts (OS, Application, Database and Network); | |
| k. | primary and secondary processes supported by the asset; | |
| l. | acceptable downtime aligned with BCM - Business Impact Analysis where applicable; | |
| m. | financial impact per hour in the event of downtime; | |
| n. | vendor engagement contract number; | |
| o. | vendor point of contact details; | |
| p. | vendor SLA details; and | |
| q. | vendor classification details. | |
| 5. | Asset register should be maintained and updated on yearly basis, or whenever any asset introduced or removed from inventory. | |
| 6. | Member organizations should: | |
| a. | define criteria for the identification of critical assets; | |
| b. | identify, maintain and periodically update comprehensive list of critical assets; | |
| c. | proactively monitor performance of critical assets; and | |
| d. | ensure adequate resilience measures in place for critical assets to maintain availability of the required critical services. | |
| 7. | Asset owner should be responsible for, but not limited to: | |
| a. | classification and labeling of asset; | |
| b. | defining and reviewing access rights, restrictions, and taking into account applicable access control policies of the Member Organizations; | |
| c. | authorizing changes related to assets; and | |
| d. | ensure alignment with cyber security controls. | |
| 8. | Assets should be disposed of in a controlled and secure manner upon completion of its useful life and when other relevant obligations are met. | |