3. Asset management
3.1 Responsibility for assets
3.2 Information classification
3.3 Media handling
3.1.1 Inventory and ownership of assets
Assets associated with information and information processing facilities should be identified, and an inventory of these assets should be drawn up and maintained. Every asset in the inventory should have an assigned owner.
- Identify assets relevant in the lifecycle of information and document their importance. The lifecycle of information should include creation, processing, storage, transmission, deletion and destruction.
- Assign ownership and classification for each of the identified assets.
- Conduct periodic inventories of assets to confirm that each asset is still present, still owned and effectively protected.
- Implement a process to ensure timely assignment of asset ownership. Ownership should be assigned when assets are created or when assets are transferred to the organization. The asset owner should be responsible for the proper management of an asset over the whole asset lifecycle.
- The asset owner should:
a) ensure that assets are inventoried;
b) ensure that assets are appropriately classified and protected;
c) define and periodically review access restrictions and classifications of important assets, taking into account applicable access control policies;
d) ensure proper handling when the asset is deleted or destroyed.
See also CIS Control 1 (Inventory and Control of Enterprise Assets) and CIS Control 2 (Inventory and Control of Software Assets).
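The inventory duties above (every asset owned, classified and periodically reviewed, and the inventory reconciled against what is actually present) are easy to state and easy to let drift. The following is an added example, not code from the original text or from ISO or CIS: it reconciles a small authoritative inventory against the set of assets a discovery scan observed and reports the gaps an asset owner would be expected to close. The inventory records, the discovered-asset set, the review period of 365 days and the four-level classification scheme are all constructed assumptions for the example.

```python
"""Asset inventory reconciliation check (added example; sample data is constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Assumed review cadence and classification scheme; adapt to the organization's own.
REVIEW_PERIOD = timedelta(days=365)
CLASSIFICATIONS = {"public", "internal", "confidential", "restricted"}


@dataclass
class Asset:
    asset_id: str
    description: str
    owner: Optional[str]            # None means no owner has been assigned yet
    classification: Optional[str]   # must be one of CLASSIFICATIONS
    last_reviewed: Optional[date]   # None means never reviewed


# Constructed authoritative inventory.
INVENTORY: List[Asset] = [
    Asset("srv-001", "web frontend", "platform-team", "confidential", date(2024, 5, 1)),
    Asset("srv-002", "legacy file share", None, "internal", date(2023, 3, 1)),
    Asset("lap-010", "engineering laptop", "alice", "secret", date(2024, 4, 15)),
    Asset("db-003", "customer database", "data-team", "restricted", None),
]

# Constructed result of a network discovery scan: asset IDs actually observed.
DISCOVERED: Set[str] = {"srv-001", "srv-002", "lap-010", "iot-777"}

TODAY = date(2024, 6, 1)


def reconcile(inventory: List[Asset], discovered: Set[str], today: date) -> Dict[str, List[str]]:
    """Return the inventory gaps, keyed by the control they violate.

    unowned          - inventoried but no owner assigned
    unclassified     - classification missing or not in the adopted scheme
    overdue_review   - never reviewed, or last review older than REVIEW_PERIOD
    not_inventoried  - observed by discovery but absent from the inventory
    not_seen         - inventoried but not observed (disposed or moved without updating?)
    """
    findings: Dict[str, List[str]] = {
        "unowned": [], "unclassified": [], "overdue_review": [],
        "not_inventoried": [], "not_seen": [],
    }
    known = {a.asset_id for a in inventory}
    for asset in inventory:
        if not asset.owner:
            findings["unowned"].append(asset.asset_id)
        if asset.classification not in CLASSIFICATIONS:
            findings["unclassified"].append(asset.asset_id)
        if asset.last_reviewed is None or today - asset.last_reviewed > REVIEW_PERIOD:
            findings["overdue_review"].append(asset.asset_id)
    # Set differences in both directions: shadow assets and stale inventory entries.
    findings["not_inventoried"] = sorted(discovered - known)
    findings["not_seen"] = sorted(known - discovered)
    return findings


def has_gaps(findings: Dict[str, List[str]]) -> bool:
    """True if any control is violated; useful as a CI/audit exit status."""
    return any(findings.values())


if __name__ == "__main__":
    result = reconcile(INVENTORY, DISCOVERED, TODAY)
    for control, ids in result.items():
        print(f"{control:16s} {', '.join(ids) if ids else '-'}")
    raise SystemExit(1 if has_gaps(result) else 0)
```

Run periodically against the real inventory and discovery output; the "not_inventoried" list is where unmanaged devices surface, and the "not_seen" list catches assets that were disposed of or transferred without the inventory being updated, which ties directly to the owner's duty in item d) above.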
3.1.2 Return of assets
All employees and external party users should return all of the organizational assets in their possession upon termination of their employment, contract or agreement.
- Formalize the termination process to include the return of all previously issued physical and electronic assets owned by the organization.
- Where an employee or external party user purchases the organization's equipment, or uses their own personal equipment, follow procedures to ensure that all relevant information is transferred to the organization and then securely erased from the equipment.
- In cases where an employee or external party user has knowledge that is important to ongoing operations, that information should be documented and transferred to the organization.
3.2.1 Labelling of information
An appropriate set of procedures for information labelling should be developed and implemented in accordance with the information classification scheme adopted by the organization.
- Develop procedures for information labelling that cover information and its related assets in physical and electronic formats. The labelling should reflect the established classification scheme. The labels should be easily recognizable.
- Make sure that the procedures give guidance on where and how labels are attached in consideration of how the information is accessed or the assets are handled depending on the types of media. Define cases where labelling is omitted, e.g. labelling of nonconfidential information to reduce workloads.
3.2.2 Handling of assets
Procedures for handling assets should be developed and implemented in accordance with the information classification scheme adopted by the organization.
- Develop procedures for handling, processing, storing and communicating information consistent with its classification. The following items should be described:
a) access restrictions supporting the protection requirements for each level of classification;
b) maintenance of a formal record of the authorized recipients of assets;
c) storage of IT assets in accordance with manufacturers’ specifications;
d) clear marking of all copies of media for the attention of the authorized recipient.
3.3.1 Management of removable media
Procedures should be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.
- Consider the following guidelines for the management of removable media:
a) if no longer required, make the contents of any re-usable media unrecoverable;
b) where necessary and practical, require authorization for media removed from the organization and keep a record of such removals in order to maintain an audit trail;
c) store all media in a safe, secure environment, in accordance with manufacturers' specifications;
d) if data confidentiality or integrity are important considerations, use cryptographic techniques to protect data on removable media;
e) store multiple copies of valuable data on separate media to further reduce the risk of coincidental data damage or loss;
f) enable removable media drives only if there is a business reason for doing so;
g) consider registration of removable media to limit the opportunity for data loss.
3.3.2 Disposal of media
Media should be disposed of securely when no longer required, using formal procedures.
- Establish formal procedures for the secure disposal of media to minimize the risk of confidential information leakage. Consider the following items:
a) dispose of media containing confidential information securely, e.g. by incineration or shredding, or by erasing the data so that the media can be reused by another application within the organization;
b) it may be easier to arrange for all media items to be collected and disposed of securely, rather than attempting to separate out the sensitive items;
c) if an external party is used for collection and disposal services for media, select a suitable external party with adequate controls and experience;
d) log the disposal of sensitive items in order to maintain an audit trail.
3.3.3 Physical media transfer
Media containing information should be protected against unauthorized access, misuse or corruption during transportation.
- Consider the following guidelines to protect media containing information being transported:
a) use reliable transport or couriers and develop procedures to verify the identification of couriers;
b) make sure that the packaging is sufficient to protect the contents from any physical damage likely to arise during transit, for example from environmental factors such as heat, moisture or electromagnetic fields that could leave the media unreadable;
c) keep logs to identify the content of the media and the protection applied. Record the times of transfer to the transit custodians and receipt at the destination;
d) consider additional physical protection of the media when confidential information on media is not encrypted.