Asset Management Policy
Brask Inc
Purpose
The purpose of this policy is to define requirements for managing and properly tracking assets owned, managed, and under the control of Rask AI through their lifecycle from initial acquisition to final disposal.
Roles and Responsibilities
The Rask AI Chief of Staff is responsible for maintaining and updating this policy. The CEO and legal department are responsible for approving this policy and will approve any changes made.
Policy
Asset Inventory Standard
An asset inventory process must be in place to support the management of critical business processes and meet legal and regulatory requirements. This process will also facilitate the discovery, management, replacement, and disposal of all assets, as well as the identification and removal of any illegal or unauthorized software, assets, or processes. All physical and virtual assets under Rask AI management or control will be listed in an inventory including:
- Unique identifier or name of the asset
- Description of the asset
- Purpose of the asset in supporting critical business processes and meeting legal or regulatory requirements, if applicable
- Entity responsible for the asset
- Classification of the asset, if applicable
Asset Ownership
Each asset will be assigned an owner when created or transferred to Rask AI. The asset owner can be an individual or an entity with approved management responsibility; ownership does not imply property rights.
The asset owner is responsible for:
- Ensuring assets are inventoried
- Ensuring assets are appropriately classified and protected
- Defining and periodically reviewing access restrictions and classifications, considering applicable access control policies
- Ensuring proper handling when the asset is deleted or destroyed
System Hardening Standards
Device Best Practices and Hardening Standards
- Employ manufacturer-provided hardening and best practice guides to guard device installations from vulnerabilities and unauthorized access.some text
- Utilize Center for Internet Security (CIS) benchmarks for system hardening guidance where possible.
- Change vendor-supplied defaults, including usernames, passwords, and common settings, to prevent unauthorized access.
- Disable insecure and unnecessary communication protocols.
- Randomly generate and securely store local passwords in the approved password management system.
- Install current patches.
- Implement malware protection.
- Enable logging.
Infrastructure Configuration and Maintenance
Internal Workstation and Server Patching
- Periodically evaluate and install operating system patches/upgrades based on their criticality.
- Install patches/upgrades during off-peak hours to minimize business disruption.
Internal Infrastructure Patching
- Evaluate and install infrastructure patches/upgrades (routers, switches, virtual hosts, etc.) based on their criticality.
- Review and approve patches/upgrades via a lab environment when possible.
- Install patches/upgrades during off-peak hours to minimize disruption.
- Patch/upgrade redundant systems one device at a time to ensure no impact on shared services.
- Follow regular change management procedures for networking hardware/software updates.
Infrastructure Support Documentation
- Maintain a current network diagram accessible to appropriate service personnel.
- Document configuration standards for the setup of all infrastructure devices.
Endpoint Security/Threat Detection
- Restrict the use of removable media to authorized personnel.
- Deploy antivirus and anti-malware tools on endpoint devices (e.g., workstations, laptops, mobile devices).
- Configure antivirus and anti-malware tools to automatically receive updates, run scans, and alert appropriate personnel of threats.
Capacity Management
Capacity requirements of systems will be identified based on the business criticality of the system.
- System Tuning and Monitoring: Applied to ensure and improve the availability and efficiency of systems.
- Detective Controls: Implemented to identify problems as they occur.
- Future Capacity Projections: Consider new business and system requirements, as well as current and projected trends in the company’s information processing capabilities.
- Mitigating Bottlenecks and Dependencies: Managers must monitor key system resources, identify usage trends, and account for resources with long procurement lead times or high costs.
Providing sufficient capacity will be achieved by increasing capacity or reducing demand. This includes:
- Deleting obsolete data (disk space)
- Decommissioning applications, systems, databases, or environments
- Optimizing batch processes and schedules
- Optimizing application logic or database queries
- Denying or restricting bandwidth for non-business-critical resource-hungry services (e.g., video streaming)
- Managing capacity demand
- Provisioning new server instances when capacity thresholds are met
Management of Media
Removable Media
We currently do not authorise removable media for business purposes.
Physical Media Transfer
We currently do not authorise physical media transfer for business purposes.
Return of Assets Upon Termination
- The termination process includes the return of all previously issued physical and electronic assets owned by or entrusted to Rask AI, as outlined in the Employment Terms and Conditions and Asset Management Policy.
- If Rask AI equipment was purchased by an employee or third-party user, or personal equipment was used, all relevant information must be transferred to Rask AI and securely erased from the equipment.
- Unauthorized copying of information by employees and contractors will be monitored and controlled during the termination period.
Disposal of Media
The steps for the secure disposal of media containing confidential information will be proportional to the sensitivity of that information. The following guidelines will be applied accordingly:
- Identification of items that require disposal.
- Use of appropriate third-party collection and disposal services.
- Secure disposal by incineration or shredding, or erasure of data for reuse within the company.
- Risk assessment of damaged media to determine disposal or repair.
- Whole-disk encryption to mitigate the risk of disclosure of confidential information, in line with Rask AI's Encryption Policy.
- Logging each disposal to maintain an audit trail.