
Asset Management Policy 2

This document outlines an asset management policy for Imam Abdulrahman bin Faisal University. The policy aims to identify and define protection responsibilities for organizational assets, ensure information receives appropriate protection based on its importance, and prevent unauthorized disclosure, modification or destruction of information. It applies to all university resources and personnel. Key aspects of the policy include inventorying assets, defining asset ownership, acceptable asset use, return and disposal of assets, classification and labeling of information, and roles and responsibilities for asset handling.


INSPIRING BUSINESS INNOVATION

ASSET MANAGEMENT POLICY


Version 1.1
Policy Number:
ASSET MANAGEMENT POLICY

1. Table of Contents
1. Table of Contents ... 2
2. Property Information ... 3
3. Document Control ... 4
    3.1. Information ... 4
    3.2. Revision History ... 4
    3.3. Review, Verification and Approval ... 4
    3.4. Distribution List ... 4
4. Policy Overview ... 5
    4.1. Purpose ... 5
    4.2. Scope ... 5
    4.3. Terms and Definitions ... 5
    4.4. Change, Review and Update ... 6
    4.5. Enforcement / Compliance ... 7
    4.6. Waiver ... 7
    4.7. Roles and Responsibilities (RACI Matrix) ... 7
    4.8. Relevant Documents ... 8
    4.9. Ownership ... 9
5. Policy Statements ... 10
    5.1. Inventory of Assets ... 10
    5.2. Ownership of Assets ... 10
    5.3. Acceptable Use of Assets ... 12
    5.4. Return of Assets ... 13
    5.5. Classification of Information ... 14
    5.6. Labelling of Information ... 16
    5.7. Handling of Assets ... 16
    5.8. Management of Removable Media ... 19
    5.9. Disposal of Media ... 19
    5.10. Physical Media Transfer ... 20

Page 2/20

2. Property Information
This document is the property of Imam Abdulrahman bin Faisal University - ICT Deanship. The
content of this document is Confidential and intended only for the valid recipients. This document is not
to be distributed, disclosed, published or copied without the written permission of the ICT Deanship.


3. Document Control

3.1. Information

| Title | Classification | Version | Status |
|---|---|---|---|
| ASSET MANAGEMENT POLICY | Confidential | 1.1 | validated |

3.2. Revision History

| Version | Author(s) | Issue Date | Changes |
|---|---|---|---|
| 0.1 | Alaa Alaiwah - Devoteam | November 17, 2014 | Creation |
| 0.2 | Nabeel Albahbooh - Devoteam | November 30, 2014 | Review |
| 0.3 | Osama Al Omari - Devoteam | December 23, 2014 | QA |
| 1.0 | Nabeel Albahbooh - Devoteam | December 31, 2014 | Update |
| 1.1 | Muneeb Ahmad - ICT, IAU | 21 April 2017 | Update |

3.3. Review, Verification and Approval

| Name | Title | Date |
|---|---|---|
| Lamia Abdullah Aljafari | Quality Director | |
| Dr. Saad Al-Amri | Dean of ICT | |

3.4. Distribution List

| Copy # | Recipients | Location |
|---|---|---|
| | | |


4. Policy Overview
This section describes and details the purpose, scope, terms and definitions, change, review and update,
enforcement / compliance, waiver, roles and responsibilities, relevant documents and ownership.

4.1. Purpose
The main purpose of Asset Management Policy is to:

Identify IAU’s organizational assets and define appropriate protection responsibilities, ensure that information
receives an appropriate level of protection in accordance with its importance to IAU, and prevent
unauthorized disclosure, modification, removal or destruction of information stored on media.

4.2. Scope
The policy statements written in this document are applicable to all IAU’s resources at all levels of sensitivity,
including:

• All full-time, part-time and temporary staff employed by, or working for or on behalf of, IAU.

• Students studying at IAU.

• Contractors and consultants working for or on behalf of IAU.

• All other individuals and groups who have been granted access to IAU’s ICT systems and
information.

This policy covers all information assets defined in the Risk Assessment Scope Document and will be used as
the foundation for information security management.

4.3. Terms and Definitions


Table 1 provides definitions of the common terms used in this document.

| Term | Definition |
|---|---|
| Accountability | A security principle indicating that individuals shall be able to be identified and to be held responsible for their actions. |
| Asset | Information that has value to the organization such as forms, media, networks, hardware, software and information systems. |
| Availability | The state of an asset or a service of being accessible and usable upon demand by an authorized entity. |
| Confidentiality | An asset or a service is not made available or disclosed to unauthorized individuals, entities or processes. |
| Control | A means of managing risk, including policies, procedures, and guidelines, which can be of administrative, technical, management or legal nature. |
| Guideline | A description that clarifies what shall be done and how, to achieve the objectives set out in policies. |
| Incident | A vulnerability and threat together result in an incident. An information security incident is indicated by a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security. |
| Information Security | The preservation of confidentiality, integrity, and availability of information. Additionally, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved. |
| Integrity | Maintaining and assuring the accuracy and consistency of an asset over its entire life-cycle. |
| Labelling | Affixing a physical or electronic label identifying the security category of a document, file or records series in order to alert those who handle it that it requires protection at the applicable level. |
| Owner | A person or group of people who have been identified by Management as having responsibility for the maintenance of the confidentiality, availability and integrity of an asset. The Owner may change during the lifecycle of the asset. |
| Policy | A plan of action to guide decisions and actions. The policy process includes the identification of different alternatives such as programs or spending priorities, and choosing among them on the basis of the impact they will have. |
| Risk | A combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence. |
| System | Equipment or an interconnected system or subsystems of equipment that is used in the acquisition, storage, manipulation, management, control, display, switching, interchange, transmission or reception of data, and that includes computer software, firmware and hardware. |
| Third Party | A person or body that is recognized as being independent of the parties involved, as concerns the issue in question. |

Table 1: Terms and Definitions

4.4. Change, Review and Update


This policy shall be reviewed once every year unless the owner considers an earlier review necessary to
ensure that the policy remains current. Changes of this policy shall be exclusively performed by the
Information Security Officer and approved by Management. A change log shall be kept current and be updated
as soon as any change has been made.


4.5. Enforcement / Compliance


Compliance with this policy is mandatory and it is to be reviewed periodically by the Information Security
Officer. All IAU units (Deanship, Department, College, Section and Center) shall ensure continuous
compliance monitoring within their area.

Ignoring or infringing the information security directives could harm IAU’s environment (e.g., loss of
trust and reputation, operational disruptions or legal violations); the persons at fault will be held
responsible, which may result in disciplinary or corrective actions (e.g., dismissal) and legal investigations.

Correct and fair treatment of employees who are under suspicion of violating security directives (e.g.,
disciplinary action) has to be ensured. Management and the Human Resources Department have to be
informed of policy violations and are responsible for handling them.

4.6. Waiver
Information Security shall consider exceptions on an individual basis. For an exception to be approved, a
business case outlining the logic behind the request shall accompany the request. Exceptions to the policy
compliance requirement shall be authorized by the Information Security Officer and approved by the ICT
Deanship. Each waiver request shall include justification and benefits attributed to the waiver.

A policy waiver has a maximum period of 4 months and shall be reassessed and re-approved, if
necessary, for a maximum of three consecutive terms. No policy shall be granted a waiver for more than three
consecutive terms.

4.7. Roles and Responsibilities (RACI Matrix)


Table 2 shows the RACI matrix (1) that identifies who is responsible, accountable, consulted or informed for
every task that needs to be performed. The roles involved in this policy are: ICT Deanship (ICT),
Information Security Officer (ISO), Human Resources Department / Administrative Unit (HR/A),
Owner and User (Employees, Faculty Members, Students, Contractors, Consultants and Third Parties).

(1) The responsibility assignment RACI matrix describes the participation by various roles in completing tasks for a business process. It is
especially useful in clarifying roles and responsibilities in cross-functional/departmental processes. R stands for Responsible, who performs
a task; A stands for Accountable (or Approver), who signs off (approves) on a task that a Responsible performs; C stands for Consulted
(or Counsel), who provides opinions; and I stands for Informed, who is kept up-to-date on task progress.

The assignment column lists the R/A/C/I values in the order ICT, ISO, HR/A, Owner, User as they were extracted; empty cells were lost in extraction, so the mapping of each value to a specific role is not recoverable from this copy.

| Responsibilities | Assignments (ICT, ISO, HR/A, Owner, User) |
|---|---|
| Maintaining and updating an asset inventory of IAU’s assets. | R,A C C |
| Implementing appropriate controls to protect the confidentiality, integrity, availability and authenticity of sensitive information. | R,A C |
| Assigning asset ownership for new assets in IAU’s environment. | R C C,I |
| Managing and updating information assets of IAU. | R |
| Conducting and managing risk management activities (e.g., asset classification). | C,I R,A I |
| Classifying the assets based on Asset Management Policy and Procedure. | R,A C R I |
| Assigning value for the assets. | R,C R,C R,A I |
| Adhering to information security policies and procedures pertaining to the protection of information. | C C C R,A,I |
| Reporting actual or suspected security incidents to ICT Deanship. | A,C C R |
| Ensuring resigned or terminated employees return all IAU’s assets entrusted to them before they complete the termination process. | C C R,A |
| Revoking access rights (logical and physical) to assets upon employee termination or change. | R,A C C |
| Applying security measures in protecting removable media and disposing of unused information in a secure way. | R,A C R,I |

Table 2: Assigned Roles and Responsibilities based on RACI Matrix

4.8. Relevant Documents

The following are all policies and procedures relevant to this policy:

• Information Security Policy

• Access Control Policy

• Operations Security Policy

• Communications Security Policy

• System Acquisition, Development and Maintenance Policy

• Information Security Incident Management Policy

• Compliance Policy

• Asset Classification Procedure

• Change Management Procedure

• Risk Management Procedure

• System Acquisition, Development and Maintenance Procedure

4.9. Ownership
This document is owned and maintained by the ICT Deanship of Imam Abdulrahman bin Faisal University.


5. Policy Statements
The following subsections present the policy statements in 10 main aspects:

• Inventory of Assets

• Ownership of Assets

• Acceptable Use of Assets

• Return of Assets

• Classification of Information

• Labelling of Information

• Handling of Assets

• Management of Removable Media

• Disposal of Media

• Physical Media Transfer

5.1. Inventory of Assets


1. ICT Deanship shall establish a process and procedure for recording, maintaining and updating an
inventory of all information assets (i.e., asset register) owned and managed by IAU. This inventory
shall be categorized into five main types: hardware, software, information, people and service as per
the risk management policy and procedure.

2. The asset inventory shall record, for each asset, its identification, description, location, classification,
value, label and owner.

REF: [ISO/IEC 27001: A.8.1.1]

5.2. Ownership of Assets


1. ICT Deanship shall assign an Owner for each asset, who shall be responsible for assigning
classifications to assets and for protecting, managing and handling critical assets.

2. For each asset, the following roles shall be identified:

Owner
Description: Managers of organizational units that have primary responsibility for assets associated with their functional authority.
Responsibilities:
▪ Assigning the access rights of assets entrusted by IAU’s Management.
▪ Classifying the assets.
▪ Ensuring proper labeling whenever applicable for sensitive information.
▪ Ensuring that proper controls are in place to address confidentiality, integrity and availability of information.
▪ Reviewing asset classification periodically.
▪ Ensuring availability of information at all times and in all circumstances.
▪ Communicating security controls and protection requirements to the information custodian and user.
▪ Defining and periodically reviewing access restrictions and classifications, taking into account applicable access control policies.
▪ Defining and periodically reviewing backup schedules, restoration schedules, test results of backups and restorations, and integrity of the data after restoration.

Custodian
Description: Managers, Administrators, Service Providers, and those designated by the information owner to manage, process, or store information assets.
Responsibilities:
▪ Protecting IAU’s information to ensure its confidentiality, integrity and availability.
▪ Applying information security policies and best practices to the information.
▪ Determining and documenting the requirements for authorized access to the information.
▪ Performing regular backup and data validity testing activities.
▪ Detecting and responding to security violations, security breaches and vulnerabilities.
▪ Monitoring compliance with information security policies and best practices.
▪ Reporting any suspected or actual security violations, security breaches, and incidences of compromised information to the owner.
▪ Taking prior approval of the owner before sharing information.
▪ Performing regular administrative tasks.

User
Description: Individuals, groups, or organizations authorized by the owner to access assets.
Responsibilities:
▪ Understanding the information asset classifications, and abiding by the security controls defined by the owner and applied by the custodian.
▪ Maintaining and conserving the asset classification and labeling established by the owner.
▪ Contacting the owner when information is unmarked or the classification is unknown.
▪ Using the information only for approved IAU purposes.
▪ Reporting any suspected or actual security violations, security breaches, and incidences of compromised information to the custodian or owner.

REF: [ISO/IEC 27001: A.8.1.2]

5.3. Acceptable Use of Assets


1. ICT Deanship shall define an “Acceptable Use Policy” that provides guidelines for asset management.
This policy shall not impose restrictions that are contrary to the established culture of openness, trust and
integrity.

2. All IAU’s assets shall be used for business purposes as defined in the information security policy.

3. All IAU’s employees:

a. Shall acknowledge the need for protecting IAU’s information; and perform their daily
activities in compliance with the information security policy.

b. Shall not participate in illegal activities such as unauthorized access of assets, hacking,
introducing any computer contaminant or computer virus, committing acts which may disrupt
use of the assets.

4. ICT Deanship shall monitor, record, or periodically audit the use of any of its information,
telecommunications systems and equipment. Actual or suspected misuse of these systems shall be
reported to the appropriate ICT Deanship representative in a timely manner.

REF: [ISO/IEC 27001: A.8.1.3]


5.4. Return of Assets


1. Human Resources Department, ICT Deanship and relevant departments shall ensure that all IAU’s
employees return all IAU’s assets (e.g., laptops, desktops, printers, etc.) in their possession upon
termination of their employment, contract or agreement as per clearance procedure. This may
include, but not be limited to:

a. A formal process for return (e.g., checklists against inventory) of IAU’s assets.

b. A formal process for return or destruction of IAU’s information of any kind.

c. Where employees use personal equipment, requirements for secure erasure of software and
information belonging to IAU.

2. During the notice period of employee termination, ICT Deanship shall control unauthorized copying
of any IAU’s relevant information such as software, business information and sensitive data.

REF: [ISO/IEC 27001: A.8.1.4]


5.5. Classification of Information


1. ICT Deanship shall define information classifications based on the sensitivity, criticality, confidentiality,
privacy requirements and value of the information.

2. All information generated by or for IAU in writing, electronic or any other form shall be classified
based on the following classification scheme (four levels):

1. Highly Confidential: This classification applies to highly sensitive business information that is intended
strictly for use within IAU. Its unauthorized disclosure will have a serious impact on long-term strategic
objectives or will put the survival of IAU at risk. It will seriously and adversely impact IAU and its
stakeholders. Legal action might apply upon unauthorized disclosure or sharing. Access to this data shall be
individually requested and then authorized by the Information Owner who is responsible for the data. The
assessment of risk and access approval shall be determined by the Information Owner. Examples: Protected
Health Information (PHI), student identifiable information, department financial records, employees’ private
information, credit and bank details, contract research protocols and management communication.

2. Confidential: This classification applies to sensitive information that is intended for use within IAU.
Its unauthorized disclosure will have a significant short-term impact on operations or tactical objectives.
The information owner shall determine the required security measures to protect it from unauthorized
access, modification or disclosure. Examples: intellectual property licensed and/or under development,
purchasing information, vendor contracts, system configuration, system logs, internal audit reports, risk
assessment reports, RFP and RFI.

3. Internal: This classification applies to all business information that has been released as an internal
communication or circular and has a less sensitive classification than “Confidential”. Any other information
that has not been marked explicitly as “Confidential” or “Public” can be deemed to be ‘Internal Use Only’.
While its unauthorized disclosure is against policy, it might cause minor embarrassment or minor operational
inconvenience. It is not expected to impact IAU, its employees and stakeholders as seriously or adversely
as leakage of confidential information would. A reasonable level of security measures shall be applied to
internal information. Examples: routine correspondence, employees’ newsletters, inter-office memoranda,
internal policies and procedures, training materials and manuals, and internal employees’ circulars.

4. Public: This classification applies to all other information that does not clearly fit into any of the above
classifications. Additionally, it has been explicitly approved by IAU’s Management as suitable for public
dissemination. By definition, there is no such thing as unauthorized disclosure of this information and it may
be freely disseminated without causing any potential harm to IAU. Examples: brochures, news releases,
pamphlets, websites, employees’ telephone directory, marketing materials.

3. For all existing information types, the assigned owner shall be responsible for choosing an appropriate
information classification level in accordance with IAU’s business requirements.

4. When information of various sensitivity classifications is combined, the resulting collection of
information shall be classified at the most restrictive level among the sources.

5. All IAU’s employees shall comply with the defined information classification scheme.

6. Information classification level shall be assigned to all information that is maintained, stored or
produced by IAU.

7. The classification of each information asset shall be reviewed at least once a year.

8. Results of information classification shall be updated in accordance with changes of their value,
sensitivity and criticality through their life cycle.

REF: [ISO/IEC 27001: A.8.2.1]


5.6. Labelling of Information


1. ICT Deanship shall be responsible for labelling the asset and maintaining the asset record. Labelling
process shall be in accordance with approved IAU’s naming practices.

2. Assets shall be maintained, handled, stored, transported (or transmitted) and destroyed in accordance
with the Information Labelling and Handling Guidelines associated with the asset’s classification label.

3. For all documents holding information classified as “Highly Confidential”, ICT Deanship shall:

a. Store them in locked drawers or cabinets.

b. Keep locked any office where the documents are stored when it is unoccupied.

c. Not leave keys to the storage cabinets in the office when the person with authorized access
to them is not present.

4. ICT Deanship shall define and establish procedures for handling and storage of information in order
to protect such information from unauthorized disclosure or misuse.

5. Documents, hardware items and removable media physical labelling shall include appropriate security
classifications in accordance with the Asset Management Policy.

6. Media containing information classified as “Highly Confidential” shall not be handed over to any
external entity or third party unless authorized by ICT Deanship with a proper business justification.
The third party shall sign a non-disclosure agreement (in case the media is damaged and needs to be
returned to the third party).

REF: [ISO/IEC 27001: A.8.2.2]

5.7. Handling of Assets


1. Information Security Officer and ICT Deanship shall establish and define proper procedures for
handling, processing, storing and communicating information based on its classification in order to
protect this information from unauthorized disclosure or misuse.

2. Employees with custody of IAU’s sensitive information shall follow security access control policies to
ensure that this information is protected from unauthorized access.


3. The use of storage media and peripheral devices (e.g., DVD writers, USB ports, flash disks, etc.) shall
be limited for IAU’s business needs only. Centralized mechanisms that control and limit the use of
such devices shall be considered.

4. Portable storage media holding unencrypted sensitive IAU’s information shall be placed in locked
furniture when not in use.

5. Access to IAU’s sensitive information or valuable information shall be granted only to specific
individuals, not groups, on a need-to-know basis and after IAU’s Management authorization has been
obtained.

6. All information shall be handled based on the following method:

Description Public Internal Confidential High Confidential


Information this Routine or daily operation Confidential or sensitive Information requiring the
widely available information requiring no information that would not highest level of protection
throw public special measures to protect necessarily exposed the because disclosure is likely
throw from unauthorized access university to significant loss, to result in significant
publication, modification or disclosure but the data owner has advertise impact to the
pamphlets, web but this are not widely determine security university (embarrassment,
content and available to the public measures are needed to financial loss, etc...)
other protected from
Definition
distribution unauthorized access,
methods and modification or disclosure
disclosure,
alternation or
modification
will cause no
risk to the
university
Brochures, new Routine correspondence, Intellectual property Protected Health
releases, employee newsletters, licensed and/or under Information (PHI) student
pamphlets, web inter-office memoranda, development, records, identifiable information,
site internal internal policies and purchasing information, department financial data,
Example
phone procedure vendor contracts, system and personal information,
directions and configuration, system logs, credit or bank details,
marketing risk report, RFP and RFI contract researches
material protocols
Transmission
No special No special handling Use of email to transfers Use of email to transfers
Email within handling required but reasonable confidential information is confidential information is
IAU required precaution shall be taken discouraged, forwarding discouraged, forwarding
only allowed by data owner only allowed by data owner
No special No special handling Use of email strongly Encryption is required
handling required but reasonable discouraged consider using
Email Outside required precaution shall be taken encryption, broadcast to
IAU distribution list is
prohibited. Forwarding only
allowed by data owner
Data No special Encryption is Encryption is required Encryption is required
Transfers (File precautions recommended but not
Transmissions, required required
Website)

Data Print and Printer Location
  Public: No restrictions.
  Internal: The printer has to be located in an area not accessible by the general public.
  Confidential: Monitoring required and immediate removal of the printed material.
  High Confidential: Monitoring required and immediate removal of the printed material.

Backup and Recovery
  Public: It shall be backed up monthly and incrementally based on data changes.
  Internal: It shall be backed up monthly and incrementally based on the information recovery requirement set by the data owner and business operational needs. Backups shall be tested to ensure reliability.
  Confidential: This information shall be backed up monthly and incrementally based on the information recovery requirement set by the data owner and business operational needs. Backups shall be tested to ensure reliability.
  High Confidential: It shall be backed up monthly and incrementally based on the information recovery requirement set by the data owner and business operational needs. Backups shall be tested to ensure reliability. Never overwrite the most recent backup.

Storage

Printed Materials
  Public: No special precautions required.
  Internal: Reasonable precautions to prevent access by non-employees.
  Confidential: Storage in a secure manner (secure area, lockable enclosure); the enclosure shall be locked when unattended.
  High Confidential: Storage in a lockable enclosure, which shall be locked when not in use.

Electronic Documents
  Public: Storage on all devices is allowed, but access control shall be enforced.
  Internal: Storage on all devices is allowed, but access control shall be enforced.
  Confidential: Store on secure drives or a secured shared drive only. Data shall be stored on an internally accessible server and shall not be stored on a server directly accessible from the internet.
  High Confidential: Storage on a secure drive only. Password protection of the document is preferred.

Emails
  Public: No special precautions required.
  Internal: Reasonable precautions to prevent access by unauthorized personnel.
  Confidential: Store in a secure manner, e.g. password access, or reduce to print format, delete the electronic form, and store in accordance with the storage of printed materials.
  High Confidential: Store in a secure manner, e.g. password access, or reduce to print format, delete the electronic form, and store in accordance with the storage of printed materials.

Portable Devices
  Public: No special precautions required.
  Internal: Use a lockable container or device.
  Confidential: Use a lockable container or device.
  High Confidential: Use a lockable container or device.

Storage by Third Party
  Public: No special precautions required.
  Internal: Secure with lockable enclosures; access control required.
  Confidential: Secure with lockable enclosures; access control required.
  High Confidential: Secure with lockable enclosures; access control required.

Marking Document
  Public: No restrictions.
  Internal: "Internal use only".
  Confidential: "Confidential".
  High Confidential: "High Confidential".

Physical Security

Workstation
  Public: Password-protected screen savers shall be used when not in use. Sign off when not in use for a long time.
  Internal: Password-protected screen savers shall be used when not in use. Sign off when not in use for a long time.
  Confidential: Password-protected screen savers shall be used when not in use. Sign off when not in use for a long time.
  High Confidential: Password-protected screen savers shall be used when not in use. Sign off when not in use for a long time.

Server
  Public: Not permitted.
  Internal: Secure area location and limited access based on job responsibilities.
  Confidential: Secure area location and limited access based on job responsibilities.
  High Confidential: Secure area location and limited access based on job responsibilities.

Printing
  Public: No restriction.
  Internal: Printouts to be collected immediately.
  Confidential: Minimize printing and collect printouts immediately.
  High Confidential: Print only when necessary and do not leave printouts unattended.

Office Access
  Public: No restriction.
  Internal: No restriction.
  Confidential: Access to the sensitive area shall be restricted using access control.
  High Confidential: Access to the sensitive area shall be restricted using access control. Confidential information must be kept under lock.

Portable Devices
  Public: The device shall not be left unattended at any time.
  Internal: The device shall not be left unattended at any time. Consider using lock and access control.
  Confidential: The device shall not be left unattended at any time.
  High Confidential: The device shall not be left unattended at any time and must be placed under lock and access control.

Access Control
  Public: Content changes by authorized persons only.
  Internal: Password access control. Content changes based on the data owner and business need.
  Confidential: Password access control.
  High Confidential: Password/biometric/authentication-based access control. Content changes based on the data owner and business need.

REF: [ISO/IEC 27001: A.8.2.3]

5.8. Management of Removable Media


1. Information security requirements shall be considered in the management of removable information
and related technology media.

2. The following shall be considered for the management of removable media:

a. All media shall be stored and kept in a safe, secure environment and in accordance with
manufacturer’s specifications and applicable IAU’s information security policies and
procedures.

b. Where media is no longer required, any contents that need to be removed shall be made
unrecoverable.

c. Removable media drives shall be allowed if there is a business need.

d. Multiple copies of IAU’s valuable information shall be stored and kept on separate media to
ensure its availability in case of data damage or loss.

REF: [ISO/IEC 27001: A.8.3.1]

5.9. Disposal of Media


1. All IAU’s sensitive media shall be disposed of as per the “Asset Management Policy and Procedure”,
its retention period, or the end of use of the media. Once media is disposed of, this shall be documented and
reported to the Owner.


2. The owner’s authorization shall be obtained before any media are removed or disposed of.

3. All disposed media shall be logged in an updated media disposal log in order to maintain an audit trail.

4. All IAU’s sensitive information, whether document hardcopies or stored in electronic form, that is
no longer needed shall be disposed of in a secure way, using approved equipment and procedures to
ensure that the information cannot be recovered. Disposal shall be conducted using one of the following
methods, including but not limited to:

a. Shredding.

b. Pulping / Recycling.

c. Incineration (i.e., reducing it to ash by fire).

5. A record of disposed sensitive information shall be kept for at least 5 years according to IAU’s
regulatory requirements. The record shall include, as a minimum:

a. Date of disposal.

b. The name of the person carrying out the disposal.

c. The name of the owner.

d. The obtained approval of the owner.

e. The disposal method followed.

6. Before storage media is sent to a third party, all IAU’s sensitive information shall be deleted,
concealed, or replaced according to IAU approved methods.

REF: [ISO/IEC 27001: A.8.3.2]

5.10. Physical Media Transfer


1. Wherever possible, cryptographic techniques shall be used to protect the confidentiality, integrity
and authenticity of sensitive information during physical media transportation.

2. All IAU’s sensitive information in hardcopy form shall be sent through a trusted courier or registered
mail, shall always be tracked with a waybill number, and shall require a recipient signature. Delivery of
such information to intermediaries shall not be allowed.

REF: [ISO/IEC 27001: A.8.3.3]


-------------------------------------------------------- End of Document -------------------------------------------------
