Enterprise Asset Management Policy

Control 1
Applicable Safeguards: 1.1, 1.2, 1.3, 1.4, 1.5

1. Purpose

Establish requirements for maintaining a comprehensive inventory of all enterprise assets and ensuring only authorized assets are connected to [ORGANIZATION]'s network infrastructure.

2. Scope

This policy applies to all hardware assets owned, managed, or used by [ORGANIZATION], including end-user devices, servers, network infrastructure, IoT devices, mobile devices, and cloud-hosted virtual machines, across all locations and environments.

3. Policy

3.1 Asset Inventory Requirements

3.1.1

[ORGANIZATION] shall maintain a detailed inventory of all enterprise assets with the potential to store or process data, updated no less frequently than [CUSTOMIZE: bi-annually/quarterly/monthly].

3.1.2

The asset inventory shall record, at minimum: asset tag or unique identifier, hardware address (MAC), network address (if static), hostname, asset owner, assigned department, asset type, operating system and version, physical or virtual location, and network authorization status.

3.1.3

All assets shall be classified as Authorized, Unauthorized, or Under Review within [CUSTOMIZE: 48 hours/1 week] of discovery.

3.1.4

The designated Asset Manager ([CUSTOMIZE: role/team]) shall be responsible for maintaining the accuracy and completeness of the asset inventory.

3.2 Asset Discovery

3.2.1

[ORGANIZATION] shall utilize automated active discovery tools to scan the network for connected assets no less frequently than [CUSTOMIZE: daily/weekly].

3.2.2

DHCP server logs shall be collected and used to identify connected assets and update the enterprise asset inventory no less frequently than weekly.

3.2.3

For IG3 environments: Passive asset discovery tools shall be deployed to continuously identify assets connected to the network, with results reviewed at least weekly.

3.2.4

Asset discovery tools shall cover all network segments, including DMZ, internal, guest, and cloud-connected networks.

3.3 Unauthorized Asset Response

3.3.1

A documented process shall exist to address unauthorized assets discovered on the network, with review occurring no less frequently than weekly.

3.3.2

Unauthorized assets shall be handled through one of the following actions within [CUSTOMIZE: 24/48/72] hours of identification: removal from the network, quarantine to an isolated network segment, blocking of remote connectivity, or authorization with documented approval.

3.3.3

All unauthorized asset incidents shall be logged and reported to [CUSTOMIZE: IT Security/CISO] for tracking and trend analysis.

3.4 Asset Lifecycle Management

3.4.1

All new assets shall be registered in the inventory prior to or within [CUSTOMIZE: 24/48] hours of deployment on the network.

3.4.2

Assets being decommissioned shall follow [ORGANIZATION]'s data sanitization and disposal procedures before being removed from the inventory.

3.4.3

Asset inventory reviews shall be conducted [CUSTOMIZE: quarterly/bi-annually] to verify accuracy and remove stale entries.

4. Compliance

4.1

Compliance with this policy is mandatory for all personnel within its scope. Compliance will be monitored through periodic audits, automated controls, and management review.

4.2

Exceptions to this policy must be documented with a business justification, approved by [CUSTOMIZE: CISO/Security Team], and reviewed at least annually.

5. Enforcement

5.1

Violations of this policy may result in disciplinary action up to and including termination of employment or contract, and may result in civil or criminal penalties where applicable law has been violated.

5.2

[ORGANIZATION] reserves the right to audit compliance with this policy at any time, with or without notice.

6. Review and Revision

6.1

This policy shall be reviewed at least annually by [CUSTOMIZE: CISO/Policy Owner] and updated as necessary to reflect changes in the threat landscape, regulatory requirements, or organizational structure.

6.2

All revisions shall be documented with version number, date, author, and description of changes.

Policy Approval

Approved By: [CUSTOMIZE]
Title: [CUSTOMIZE]
Date: [CUSTOMIZE]

Document Control

Version: [CUSTOMIZE: 1.0]
Effective Date: [CUSTOMIZE]
Last Reviewed: [CUSTOMIZE]
Next Review: [CUSTOMIZE]
Classification: Internal