
POLICY FOR ASSET MANAGEMENT

DOCUMENT 8.1
VERSION 1.0

Contact Details
Phone No. :0124-4201824
Website: www.thinktalent.co

Author: Ritika Balagan
Reviewer: Anjul Pratyush
Version: 1.0
Last updated (DD/MM/YYYY): 12-12-2018

Table of Contents
1. Introduction & Scope
2. Purpose of this Document
3. What is an Asset?
4. What is an IT Asset?
5. What is an Information Asset?
6. Information Resources
7. What is the difference between an information asset and an information system?
8. Roles and Responsibilities
9. Instructions for Use of the Information/IT Asset Register (IAR)
10. Acceptable Use of Assets
11. Security and Proprietary Information
12. Prohibited Activities
13. Clear Desk and Clear Screen Policy
14. Taking Assets Off-Site
15. Return of Assets Upon Termination of Contract
16. Exception

1. Introduction & Scope
This policy applies to anyone who accesses Think Talent Services' assets, and to everything within the scope of the Information Security Management System (ISMS). All individual users are responsible for exercising good judgment regarding appropriate use of the company's information and computer systems, in accordance with the company's policies and standards and with local laws and regulations.
It applies to all directors, officers, employees (direct-hire or temporary), partners and interns of Think Talent Services, as well as to third-party contractors and agents of Think Talent Services who have access to Think Talent Services' information or to computer systems owned or leased by the company.

2. Purpose of this Document
The purpose of this document is to describe the procedures and processes used to manage the assets of Think Talent Services. It also describes acceptable use of the company's computer systems. These rules are in place to protect Think Talent Services' information against loss or theft, unauthorized access, disclosure, copying, use, modification or destruction (each an "Information Security Incident"). Information Security Incidents can result in a broad range of negative consequences, including embarrassment, financial loss, non-compliance with standards and legislation, and liability to third parties.

3. What is an Asset?
An asset is anything that has value to the organization. Assets typically fall into the following categories, although the breakdown differs from one organization to another:
• Data – In its raw form, the information we want to protect. This includes both paper-based and digital information: not only electronic media (databases; files in PDF, Word, Excel and other formats) but also paper and other forms. Data is the core of the whole information security management system. When developing the inventory of assets, do not go down to database, file or field level, as this would result in an unmanageably large inventory.
• Hardware – End user devices, firewalls, switches, routers and servers are all hardware items that the ISMS must protect. Although some of these network devices do not store data directly, their compromise or loss would affect the confidentiality, integrity and availability of our data.
• Software – Commercial software products as well as bespoke applications, internally developed applications and source code. The focus will usually be on the backend database supporting an application, but, as with hardware, loss or compromise of the application server may indirectly affect the confidentiality, integrity and availability (CIA) of the assets.
• Infrastructure – Offices, electricity, air conditioning: loss of these assets can cause loss of availability of information.
• Outsourced services – Legal services or cleaning services, but also online services such as Bitrix24 and Gmail. Strictly speaking these are not assets, but they need to be controlled in much the same way as assets, so they are very often included in asset management.
• People – People are also assets: they hold a great deal of information in their heads that is often not available in any other form, and they are, as always, the weakest link in the security chain. People should be listed in the asset register because loss of staff would affect the organization's ability to secure its information. The category includes management, staff and any other personnel of importance to the organization.

4. What is an IT Asset?
An IT asset is an asset related to the processing of digital information. Types of IT asset include hardware, software, digital storage media and IT services.

5. What is an Information Asset?
An information asset may be an IT asset or a non-IT asset. Information assets are the knowledge and data that are of value to Think Talent Services, regardless of form or format.

6. Information Resources
Information resources are all data and information, together with the hardware, software, personnel and procedures involved in collecting, storing, processing and generating that data and information. This includes data networks, servers, PCs, storage media, printers, photocopiers, fax machines, supporting equipment and backup media.

7. What is the difference between an information asset and an information system?
An information asset is the document (whether paper, electronic, video tape or any other format) that contains information constituting a record. An information system is the physical system used to store the information asset. The Information/IT Asset Register (IAR) has been created to assist with the management of information assets, but as a by-product some details of the information systems are also recorded.

8. Roles and Responsibilities
• Information/IT Asset Owner (IAO): responsible for maintaining the Information/IT Asset Register.
• Information/IT Asset Register (IAR): information assets must be documented in the asset register; without this list it would be impossible to implement the required controls across Think Talent Services.
• Information Asset Management process: the IAR spreadsheet is to be filled in by the Information/IT Asset Owner (IAO) for new and existing systems.
• Annual audit of the Asset Register: to ensure the Asset Register remains current, accurate and complete, it is subject to an annual audit and to spot checks; an asset considered critical to Think Talent Services is additionally subject to a risk assessment every three months. IAOs should undertake regular reviews (annually, or earlier if an incident occurs involving the system) to manage the information risks associated with their assets.

9. Instructions for Use of the Information/IT Asset Register (IAR)
• Purpose
The Information/IT Asset Register (IAR) is designed to enable Think Talent Services staff to manage their records effectively. It does this by facilitating the classification and organization of records; recording the location of Think Talent Services records and who is responsible for them; tracking disposal decisions, whether by destruction or transfer; improving the accessibility of records; and providing an analysis tool to measure and report on Think Talent Services record-keeping practices.
• Where the Information/IT Asset Register (IAR) is stored
The Excel spreadsheet is located in a shared folder. Access is managed by the Chief Operating Officer (COO).
• Adding an Asset to the Information/IT Asset Register (IAR)
Think Talent Services prepares and maintains an Information/IT Asset Register (IAR). The register includes Information Assets, Software Assets, Physical Assets and Service Assets. Think Talent Services also assigns employee(s) to establish, maintain and safeguard the assets, to review the IAR yearly, to arrange re-assessment of asset classifications where necessary, and to update the asset inventory with newly purchased assets and their classification levels.
When necessary, Think Talent Services may create separate Asset Registers for "RESTRICTED" and/or "CONFIDENTIAL" assets, where the very existence of such assets is sensitive and should be known only to a limited group of authorized employees.
The following attributes should be recorded for each asset in the IAR:
o Department: the department of Think Talent Services to which the asset belongs.
o Title: the full title of the asset.
o Asset Class: "corporate" or "other".

o Asset Name: a collective name representing a group of assets of similar nature and function that share the same "Description", "Classification" and "Value". For instance, a single entry "Office Desktop Computers" could represent all desktop computers used by staff of a unit.
o Asset Quantity: the number of assets covered by the entry.
o Asset Make: the asset's brand or manufacturer.
o Asset Category: "Information", "Physical", "Software" and "Service" assets shall be included in the IAR; "People" and "Intangible" assets may optionally be included. For instance, the category of "Office Desktop Computers" is "Physical".
o Asset Description: a short statement describing the type or purpose of the asset, e.g. "Desktop computers used by employees in the office" for "Office Desktop Computers".
o Asset Owner: the employee or unit with final responsibility for the security of the asset. In particular, the owner is responsible for granting, revoking and reviewing access to the asset.
o Asset Delegated To: roles or employees designated by the Owner to access the information in order to implement and/or maintain safeguards and controls. Accountability remains with the Asset Owner.
o Classification: to ensure proper protection, the owner shall classify each asset as "RESTRICTED", "CONFIDENTIAL", "INTERNAL" or "PUBLIC".
o Asset Value: a qualitative value of the asset:
  High – The asset is critical to business operations. Loss of its confidentiality, integrity or availability would have serious or significant consequences for business operations and the company's legal position.
  Medium – The asset is important to business operations. Damage to the asset, or loss of its confidentiality, integrity or availability, could result in detriment, legal breach, damage or embarrassment.
  Low – The asset is useful to business operations. Loss of its confidentiality, integrity or availability would cause minimal business or legal damage or embarrassment.
o Asset Location: where the asset is stored or used.
o Creation Date: the date the record was created, not the date the entry in the IAR was created.
o Date Disposed: the date the record was actually disposed of, not the date on which disposal was scheduled.
o Remark: any additional details about the asset.
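The attributes above, the permitted classification and value levels, and the review cadence from section 8 (annual audit, three-monthly risk assessment for critical assets) can be checked mechanically once the IAR is exported from the Excel sheet as CSV. The following Python script is an added example and is not part of this policy or of any Think Talent Services tooling: the column names, the CSV export, the treatment of "High" value as "critical", the choice of which attributes may legitimately be blank, and the sample rows are all assumptions.

```python
"""Added example (not part of the policy document): a checker for an
Information/IT Asset Register (IAR) exported from the Excel sheet as CSV.

It verifies the attributes the policy requires for each entry, the permitted
Classification / Asset Value / Asset Category values, and derives the review
cadence: annual for ordinary assets, 3-monthly for critical (High value) ones.
Column names, the CSV export and the sample rows are assumptions.
"""
import calendar
import csv
import io
from datetime import date

REQUIRED_COLUMNS = [
    "Department", "Title", "Asset Class", "Asset Name", "Asset Quantity",
    "Asset Make", "Asset Category", "Asset Description", "Asset Owner",
    "Asset Delegated To", "Classification", "Asset Value", "Asset Location",
    "Creation Date", "Date Disposed", "Remark",
]
CLASSIFICATIONS = {"RESTRICTED", "CONFIDENTIAL", "INTERNAL", "PUBLIC"}
SENSITIVE = {"RESTRICTED", "CONFIDENTIAL"}      # may warrant a separate register
CATEGORIES = {"Information", "Physical", "Software", "Service", "People", "Intangible"}
VALUES = {"High", "Medium", "Low"}
ASSET_CLASSES = {"corporate", "other"}
# Attributes that must never be blank (assumption: Make, Delegated To,
# Date Disposed and Remark are legitimately optional).
MANDATORY = ["Department", "Title", "Asset Class", "Asset Name", "Asset Quantity",
             "Asset Category", "Asset Description", "Asset Owner",
             "Classification", "Asset Value", "Asset Location", "Creation Date"]

# Constructed sample export (not real Think Talent data). Line 5 deliberately
# lacks an owner and uses a classification the policy does not permit.
SAMPLE_IAR = """\
Department,Title,Asset Class,Asset Name,Asset Quantity,Asset Make,Asset Category,Asset Description,Asset Owner,Asset Delegated To,Classification,Asset Value,Asset Location,Creation Date,Date Disposed,Remark
IT,Office desktop computers,Corporate,Office Desktop Computers,25,Dell,Physical,Desktop computers used by employees in the office,IT Manager,Helpdesk,INTERNAL,Medium,Head office,01/03/2017,,
HR,Employee personnel files,Corporate,Personnel Files,1,,Information,Employee records held in the HR system,HR Head,HR Executive,CONFIDENTIAL,High,HR file share,15/06/2016,,
Finance,Retired accounts server,Corporate,Accounts Server,1,HP,Physical,Former accounting server,Finance Head,,INTERNAL,Low,Store room,10/01/2014,20/11/2018,Replaced in 2018
Sales,Client contact list,other,Client Contact List,1,,Information,Prospect and client contacts,,Sales Executive,Secret,Medium,CRM,05/05/2018,,
"""


def parse_ddmmyyyy(text):
    """Parse the document's DD/MM/YYYY format; blank -> None; bad -> ValueError."""
    text = text.strip()
    if not text:
        return None
    day, month, year = (int(part) for part in text.split("/"))
    return date(year, month, day)


def add_months(d, months):
    """Calendar-month addition, clamping the day (31 Jan + 1 month = 28/29 Feb)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def validate_register(csv_text, today):
    """Return (errors, reviews, separate_register).

    errors:   'row N: ...' strings, N = line in the CSV (header is line 1)
    reviews:  {asset name: (cadence in months, next due date)} for live assets
    separate: names of RESTRICTED/CONFIDENTIAL entries still in the main register
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    errors, reviews, separate = [], {}, []
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [f"header: missing columns {missing}"], reviews, separate

    for line_no, row in enumerate(reader, start=2):
        row = {k: (v.strip() if isinstance(v, str) else "") for k, v in row.items()}
        name = row["Asset Name"] or f"<row {line_no}>"
        for col in MANDATORY:
            if not row[col]:
                errors.append(f"row {line_no}: {col} is empty")
        if row["Asset Class"].lower() not in ASSET_CLASSES:
            errors.append(f"row {line_no}: Asset Class {row['Asset Class']!r} must be corporate or other")
        if row["Classification"] not in CLASSIFICATIONS:
            errors.append(f"row {line_no}: Classification {row['Classification']!r} not permitted")
        if row["Asset Category"] not in CATEGORIES:
            errors.append(f"row {line_no}: Asset Category {row['Asset Category']!r} not permitted")
        if row["Asset Value"] not in VALUES:
            errors.append(f"row {line_no}: Asset Value {row['Asset Value']!r} not permitted")
        if not row["Asset Quantity"].isdigit() or int(row["Asset Quantity"]) < 1:
            errors.append(f"row {line_no}: Asset Quantity must be a positive integer")
        try:
            created = parse_ddmmyyyy(row["Creation Date"])
            disposed = parse_ddmmyyyy(row["Date Disposed"])
        except ValueError:
            errors.append(f"row {line_no}: dates must be DD/MM/YYYY")
            continue
        if created and disposed and disposed < created:
            errors.append(f"row {line_no}: Date Disposed precedes Creation Date")
        if disposed:
            continue                      # disposed assets leave the review cycle
        if row["Classification"] in SENSITIVE:
            separate.append(name)
        cadence = 3 if row["Asset Value"] == "High" else 12   # critical = High (assumption)
        reviews[name] = (cadence, add_months(today, cadence))
    return errors, reviews, separate


if __name__ == "__main__":
    errs, revs, sep = validate_register(SAMPLE_IAR, date(2018, 12, 12))
    for e in errs:
        print("ERROR", e)
    for asset, (months, due) in revs.items():
        print(f"REVIEW {asset}: every {months} months, next due {due:%d/%m/%Y}")
    print("Candidates for a separate register:", sep)
```

Run the file directly to see the findings for the constructed sample: errors are reported by CSV line so the IAO can go straight to the offending spreadsheet row, disposed assets drop out of the review cycle, and RESTRICTED/CONFIDENTIAL entries are listed as candidates for the separate register that section 9 allows.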

10. Acceptable Use of Assets
Information and IT assets may be used only for business needs, for the purpose of carrying out organization-related tasks. Any Company proprietary information stored on electronic or computing devices, whether owned or leased by the Company, the employee or a third party, remains the sole property of the Company. Each employee must ensure, through legal or technical means, that Company proprietary information is protected in accordance with this Policy, and must promptly report the theft, loss or unauthorized disclosure of Company proprietary information, or any other Information Security Incident.
• Each employee may access, use or disclose Company proprietary information only to the extent authorized and necessary to fulfil their assigned job duties.
• Each employee is responsible for exercising good judgment regarding the reasonableness of personal use of Computer Systems. Individual departments are responsible for creating guidelines on personal use of Computer Systems. Where no departmental guidelines exist, or where there is any uncertainty, the employee should consult their supervisor or manager.
• For security and network maintenance purposes, authorized Company personnel may monitor equipment, systems and network traffic in accordance with the Information Security Audit Policy.
• The Company may audit individual users' use of Computer Systems periodically, as permitted by applicable law, to ensure compliance with this Policy.

11. Security and Proprietary Information
• All mobile and computing devices that connect to the Company's internal network must comply with the Minimum Access Policy.
• System-level and user-level passwords must comply with the Password Policy. Giving another individual access to your passwords, whether deliberately or through failure to keep them secure, is prohibited.
• All mobile and computing devices must be secured with a password-protected screensaver that activates automatically after at most 10 minutes of inactivity. You must lock the device's screen or log off whenever the device is left unattended.
• If you use a Company email address to post to a newsgroup, forum or other group of third-party recipients, you should include a disclaimer stating that the opinions expressed are strictly your own and not necessarily those of the Company, unless the posting is made in the course of business duties.
• Use extreme caution when opening e-mail attachments from unknown senders, or attachments that are unexpected or otherwise suspicious, since such attachments may contain viruses or other malicious code.

12. Prohibited Activities
The activities listed below are generally prohibited. An employee may be exempted from these restrictions in the course of their legitimate job responsibilities only with the written approval of Information Security.
Under no circumstances is an individual user permitted to engage in any activity that is illegal under local, state, provincial, federal or international law while using Company-owned resources or Computer Systems.
It is prohibited to use information assets in a manner that unnecessarily consumes capacity, degrades the performance of an information system or poses a security threat.
It is also prohibited:
• to download image or video files that have no business purpose, send e-mail chain letters, play games, etc.;
• to install software on a local computer without the explicit permission of the COO;
• to download program code from external media;
• to install or use peripheral devices such as modems, memory cards or other devices for storing and reading data (e.g. USB flash drives) without the explicit permission of the COO.
• System and Network Activities
The following activities are strictly prohibited without exception:
o Violating the rights of any person or company under copyright, trade secret, patent or other intellectual property laws, for example by installing or distributing "pirated" or other software products that are not appropriately licensed for use by the Company.
o Accessing Company information, Computer Systems or a user account for any purpose other than conducting Company business, or as otherwise expressly permitted by Company policy or by Information Security.
o Introducing malicious programs (e.g. viruses, worms, Trojan horses, e-mail bombs) into the Company network or servers, or any other Computer System.
o Revealing your account password to, or allowing use of your account by, third parties. For example, you may not share your account password with family or other household members when working outside the office.
o Using any Computer System to download or transmit material that violates sexual harassment or hostile workplace laws in the individual user's local jurisdiction, or otherwise violates applicable laws or regulations.
o Making fraudulent or deceptive offers of products or services from any Company account.
o Making statements on the Company's behalf about the Company's representations, warranties, conditions or undertakings other than those pre-approved by the Company, unless the Legal Department's approval has been obtained.
o Causing or attempting to cause any security breach, disruption of network communications or Information Security Incident. "Disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and using forged routing information for malicious purposes.
o Executing any form of network monitoring that intercepts data not intended for the individual employee's host, except in accordance with Company policy.
o Circumventing user authentication or the security of any host, network, account or other Company or third-party system.
o Interfering with or disabling another user's terminal session by any means, locally or via the Internet, Intranet or Extranet.
o Providing information about, or lists of, Company employees to parties outside the Company.
• Email and Communication Activities
Whenever individual employees state or imply that they are affiliated with the Company when emailing or communicating with third parties, and the communication is not made in connection with Company business, they must clearly indicate that "the opinions expressed are my own and not necessarily those of the company".
In addition, the following activities are prohibited:
o Sending unsolicited email or other electronic messages, including "junk mail" or other advertising material, to individuals who did not specifically request such material.
o Engaging in any form of harassment via email, telephone or text messaging, whether through the content, frequency or size of the messages.
o Forging email header information, or otherwise including misrepresentations or misleading information in email headers.
o Using unsolicited electronic messages originating from within the Company's networks or those of other Internet/Intranet/Extranet service providers to advertise any service hosted by the Company or connected via the Company's network, unless specifically authorized in writing by the Legal Department.
• Blogging and Social Media
Limited and occasional use of the Company's Computer Systems to engage in blogging and social media activities ("blogging") is acceptable, provided that it is undertaken in a professional and responsible manner, complies with the Company's Social Media Policy, is not detrimental to the Company's interests, and does not interfere with the individual user's regular work duties. Blogging from the Company's Computer Systems may be subject to monitoring.
In addition, the following activities are prohibited:
o Revealing any Company confidential or proprietary information, trade secrets or any other material covered by the Company's Confidential Information Policy when blogging.
o Engaging in any blogging that may harm or tarnish the image, reputation and/or goodwill of the Company and/or any of its employees.
o Making any discriminatory, defamatory or harassing comments when blogging, or otherwise engaging in any conduct prohibited by the Company.

o Attributing personal statements, opinions or beliefs to the Company, or using the Company's trademarks, logos or any other Company intellectual property without specific authorization from the Legal Department.
Individual users assume any and all risks and responsibilities associated with using the Company's Computer Systems to engage in blogging in a personal capacity.

13. Clear Desk and Clear Screen Policy
The following security measures must be followed:
• Whenever unattended or not in use, all computing devices (including laptops, tablets, smartphones and desktops) must be left logged off, or protected by a screen or keyboard locking mechanism controlled by a password or similar user authentication mechanism.
• When viewing sensitive information on a screen, users should be aware of their surroundings and ensure that third parties cannot view the sensitive information.
• Sensitive or critical business information, whether on paper or on electronic storage media, must be secured when not required, especially when the office is vacated at the end of the working day.
• Sensitive information on paper or electronic storage media that is to be shredded must not be left in unattended boxes or bins to be handled later; it must be secured until it can be shredded.
• Work areas should be further secured by clearing them of all papers and removable devices containing sensitive information. These papers and devices should be stored in appropriately secured locations.
• PROTECTION OF SHARED FACILITIES AND EQUIPMENT
o Paper containing sensitive or classified information must be removed from printers and fax machines immediately.
o Printers used to print sensitive information should not be in public areas. Whenever a document containing sensitive information is printed, the employee must make sure the correct printer is selected and go directly to the printer to retrieve the document.

14. Taking Assets Off-Site
Equipment, information or software, regardless of form or storage medium, may not be taken off-site without the prior written permission of the COO.
While such assets are outside the organization, they remain under the control, and the responsibility, of the person who was granted permission for their removal.

15. Return of Assets Upon Termination of Contract
Upon termination of an employment contract, or of any other contract under which equipment, software or information in electronic or paper form is used, the user must return all such assets to the authorized person.

16. Exception
Any exception to this Policy must be approved in advance by Information Security.
