
Asset Management Policy

Purpose

  1. To identify company assets and define appropriate protections and responsibilities.
  2. To ensure that information receives an appropriate level of protection in accordance with its importance to the company.
  3. To prevent unauthorized disclosure, modification, removal, or destruction of company information stored on media.

Scope

This policy applies to all company-owned or managed information systems.

Policy Implementation for Small Organizations

For startups with fewer than 10 employees:

  • Asset inventory may be maintained in a shared spreadsheet until growth justifies specialized tools
  • CEO or CTO may serve as asset owner for multiple categories
  • Quarterly reviews may be conducted informally but must be documented
  • Third-party disposal services may not be cost-effective; secure in-house disposal is acceptable with proper documentation

Asset Inventory and Classification

All company assets shall be inventoried and classified as follows:

Physical Assets:

  • Laptops, computers, and mobile devices
  • Networking equipment and servers
  • Authentication devices (hardware tokens, phones with company 2FA)
  • Office equipment and furniture

Digital Assets:

  • Software licenses and subscriptions
  • Source code repositories
  • Customer data and intellectual property
  • Company data and documentation
  • Cloud service accounts and configurations

Asset Classification:

  • Critical: Assets containing customer data or essential for business operations
  • Sensitive: Assets containing company confidential information
  • Standard: General business assets with standard protection requirements

The asset inventory shall be maintained in Google Sheets within the company's Google Workspace and reviewed quarterly.

Cloud and Software Asset Management

Software as a Service (SaaS) and cloud assets shall be managed as follows:

  • All SaaS subscriptions must be approved by management
  • Company accounts must use business email addresses, not personal accounts
  • Shared accounts are prohibited; each user must have individual access
  • Administrative access to cloud services requires multi-factor authentication
  • SaaS assets must be included in quarterly access reviews
  • Departing employees' access to all cloud services must be revoked within 24 hours

Examples include but are not limited to: Google Workspace, GitHub, AWS, Slack, development tools, and design software.

Ownership and Responsibilities

Asset Owner Responsibilities:

  • CEO: Strategic business systems and customer-facing infrastructure
  • CTO: Technical infrastructure, development tools, and security systems
  • Department Heads: Department-specific tools and resources
  • Individual Employees: Assigned laptops, phones, and personal productivity tools

Asset owners are responsible for:

  • Defining appropriate access controls for their assets
  • Ensuring proper backup and recovery procedures
  • Approving access for other team members
  • Monitoring for unauthorized use or security incidents

Personal Device Usage (BYOD)

Personal devices may access company resources under the following conditions:

  • Device must have screen lock with PIN/password/biometric protection
  • Company data must be accessed only through approved applications (Google Workspace, etc.)
  • Personal devices with company data must be reported if lost or stolen
  • Company reserves the right to remotely wipe company data from personal devices
  • Personal devices are subject to reasonable security requirements

Prohibited on Personal Devices:

  • Direct access to production systems or databases
  • Storage of company source code or customer data
  • Administrative access to company systems

Acceptable Use of Assets

Rules for the acceptable use of company information, assets, and information processing facilities shall be identified and documented in the Information Security Policy.

Loss or Theft of Assets

Immediate Response (within 4 hours):

  • Report incident to CTO and CEO via phone, email, or Slack
  • If device contained customer data, initiate incident response procedures
  • Change passwords for any accounts accessible from the device
  • Remote wipe device if capability exists

Documentation Requirements:

  • Complete incident report within 24 hours
  • Document what data/systems may have been exposed
  • Record remediation actions taken
  • Notify relevant customers if their data may be affected

Return of Assets

All employees and third-party users of company-issued or owned equipment shall return all of the company assets within their possession upon termination of their employment, contract, or agreement.

Handling of Assets

Employees and users who are issued or handle company equipment are expected to use reasonable judgment and exercise due care in protecting and maintaining the equipment.

Employees are responsible for ensuring that company equipment is secured and properly attended to whenever it is transported or stored outside of company facilities.

All mobile devices shall be handled in accordance with the Information Security Policy.

Other than devices issued to individual employees, no company computer equipment or devices may be moved or taken off-site without appropriate authorization from management. For remote work, the use of company devices in remote locations is implicitly approved, as outlined in the Information Security Policy.

Asset Disposal & Re-Use

Physical Devices:

  • Hard drives must be wiped using NIST 800-88 compliant methods
  • SSDs require cryptographic erasure or physical destruction
  • Mobile devices must be factory reset after company data removal
  • Certificate of Destruction required for devices containing customer data

Cloud and Digital Assets:

  • Software licenses must be properly cancelled to avoid ongoing charges
  • Cloud storage must be securely deleted with verification
  • Source code repositories must be archived before deletion
  • Access credentials must be rotated after system decommissioning

Customer Asset Return

Any physical assets owned by customers shall be promptly returned to the customer following service termination in accordance with the terms of the contract or service agreement.

Exceptions

Requests for an exception to this policy must be submitted to your manager for approval.

Violations & Enforcement

Any known violations of this policy should be reported to your manager. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.

Document History

Version Date Description Written by Approved by
1.0.0 6/13/25 Dominick Pham Adam Boender