Asset management

Asset management

MedStack Confidential

Metadata

responsible officer: CTO
approved by: CTO
date
- effective: 2018-06-20
- revised: 2020-06-18
- reviewed: 2022-08-31
Applicability: standard

Maintain an asset inventory

Automatically identify all assets
- Use automated tools to detect assets and to maintain and update the asset inventory.
- Link each asset to an internal or customer owner and responsible party.

Code	Section	Title
ISO	A.8.1.1	Inventory of assets
SOC2	CC6.1	The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.

Use company-owned assets

The company must own all production systems and employee workstations.

Code	Section	Title
ISO	A.8.1.2	Ownership of assets

Acceptable Use for employees

Assets may only be used as defined in these policies.
Access PHI only in aggregate form as needed to fulfill work duties.
Do not read individual PHI records.

Code	Section	Title
ISO	A.8.1.3	Acceptable use of assets

Return organizational assets upon

termination of employee
change of role, where employee no longer requires assets

Code	Section	Title
ISO	A.8.1.4	Return of assets

Manage the installation of software

Production systems
- Install software programmatically and manage what software is installed in source control.
Workstations and mobile devices
- Install software only from trusted sources.

Code	Section	Title
ISO	A.12.6.2	Restrictions on software installation
SOC2	CC6.8	The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.

Enforcement

Responsible party: All managers and supervisors
sanctions: standard

References

Code	Section	Title
ISO	A.8.1	Responsibility for assets
CHI	SR8	Responsibility for information assets