POL00362907 - Cyber security standard - asset management standard v2.2

Evidence on official site

POL00362907

POL00362907
Post Office Limited - Document Classification: INTERNAL
Cyber Security Standard
Asset Management Standard
Version — V2.2
INTERNAL Page 1 of 13 Asset Management Standard

2.22
POL00362907
POL00362907

Post Office Limited - Document Classification: INTERNAL

1 Overview

1.1 Introduction by the Standard Owner
1.2 Purpose.

1.3 Core Principles

LG Application .......cccccccccceeeeceeeeesseeeeesueeesueeeeseueeessueeseseeesesseeeseseeeeseeeseeeseeeeensneees 3
2 Policy FraMework.......cccesseeeeeeeeeeeeeeeeeeeeeeeeeeeeeeesaeeeeeaeeeeeaneeeeaaeeeeeaaeeeeaaeeeeeaeeesenee 4
2.1 Policy FraMeWork.......cccecssssesseeeeeeeeseeeeeseeeeeeeeesseeeeeeeeeeeeeeeeseeesssseeseeeeeeeeeeeeeeeee 4
2.2 WHO MUSt COMPIY?......ccecssseesssseeeeeseeeseeeeeeseeeussaueneeeeeeeseeeeeeseeessseaseaeeneneeeeseeeee# 4
3 MINIMUM CONtrOIS....... cece ee terre eee eee reer rene ee ee eee tnneeeeee ene 5
4 Where to go for Help .........cccccceececceceeeeeeeseeeeseeeeeeeeeeeeeeeeeeeeeeseesasseeeeeeeeeeeeeeeeees 12
4.1 Additional Policies ...........ccceeeeeeeeeeseeeeeeeeeeeeeeeeeeeeeeeseeeeeeeeeeeeeeneeeeeeeeeeeeeeeaaee 12

4.2 How to raise a concern

4.3 Who to contact for more information

5 Version Control..

5.1 Version Control
5.2 Standard Approval .......cccseccsseeeeeseeeeeeeeeeeeeeeeeeseeeeeeaeeeesaueeeeaaeeeeeeaeeesaaeeeeene essen 13

INTERNAL Page 2 of 13 Asset Management Standard
2.22
POL00362907
POL00362907

Post Office Limited - Document Classification: INTERNAL

1 Overview

1.1 Introduction by the Standard Owner

Post Office is committed to protecting its employees, customers, Third Party Supply Chain
and information assets from damaging or illegal actions by individuals, either knowingly
or unknowingly. Post Office enables this through the development and deployment of
policies, standards and guidelines which are aligned to international best practices.
Effective cyber and information security is a team effort involving everyone in Post Office

1.2 Purpose

The purpose of the Asset Management Standard is to provide a structured and consistent
approach to the management of all Post Office logical and physical assets (including
software assets).

1.3 Core Principles

Compliance with this standard will ensure that the following principles are met:

Assets will be managed securely through their lifecycle
Assets require ownership

Asset registers will be kept up to date

Assets will be disposed of securely

1.4 Application

This standard relates to all Post Office information and physical assets whether they are
owned directly by Post Office or managed on behalf of Post Office by a third party supplier.

INTERNAL Page 3 of 13 Asset Management Standard
2.22
POL00362907
POL00362907

Post Office Limited - Document Classification: INTERNAL

2 Policy Framework

2.1 Policy Framework

This standard forms part of the Cyber and Information Security Policy Set. This contains
controls that form part of the Information Technology Control Framework (ITCF) governed
by the overarching Post Office wide framework.

2.2 Who must comply?

Compliance with this standard is mandatory for all Post Office employees and applies
wherever in the world Post Office’s business is undertaken. All third parties who do
business with Post Office, including consultants, suppliers and business and franchise
partners, will be required to agree contractually to this standard or have their own
equivalent standard/policy.

INTERNAL Page 4 of 13 Asset Management Standard
2.22
Post Office Limited - Document Classification: INTERNAL

3 Minimum Controls

POL00362907

POL00362907

The table below sets out the minimum control standards.

Control Ref Control Attestation Guidance
Obtain management authorization for restricted storage media transit or
PHTO660 Control the transiting and distribution from a controlled access area.
internal distribution or external
distribution of assets. Transport restricted media using a delivery method that can be tracked.
PHT0663 Restrict physical access to Protect electronic storage media with physical access controls.
Media protection policy and procedures shall be documented and implemented to
. . ensure that access to digital and physical media in all forms is restricted to
PHT0665 Establish, implement, and authorized individuals. Procedures shall be defined for securely handling,
maintain a media protection . 7
olic transporting and storing media
Policy. Disseminate and communicate the media protection policy to interested personnel
and affected parties.
Control access to restricted storage media.
Establish, implement, and Physically secure all electronic storage media that store restricted data or
PHTO667 maintain removable storage restricted information. A - - aoe
media controls. Logically secure any associated data using the appropriate level of encryption in
line with the classification of the data.
Control the storage of restricted storage media. - CTRLO020583
INTERNAL Page 5 of 13 Asset Management Standard

2.22
Post Office Limited - Document Classification: INTERNAL

POL00362907
POL00362907

Removable media is protected and its use restricted according to policy.
Establish, implement, and maintain asset removal procedures or asset
decommissioning procedures.
Establish, implement, and Prohibit assets from being taken off-site absent prior authorisation.
PHT0674 maintain off-site physical Protect distributed assets against theft.
controls for all distributed assets. I Attach asset location technologies to distributed assets.
Employ asset location technologies in accordance with applicable laws and
regulations.
PHT0679 Establish, implement, and
maintain end user computing Establish, implement, and maintain a locking screen saver policy.
device security guidelines.
Remote lock any distributed assets reported lost or stolen.
Remote wipe any distributed asset reported lost or stolen.
Establish, implement, and .
PHTO681 maintain mobile device security peata POL not be processed on non POL assets unless the user is
guidelines. 9 PI
Removable media must be encrypted when storing POL data in
accordance with the classification of the data.
INTERNAL Page 6 of 13 Asset Management Standard

2.22
Post Office Limited - Document Classification: INTERNAL

POL00362907

POL00362907

Separate systems that transmit,
process, or store restricted data The organization must keep sensitive information separate from other information
PHT0682 from those that do not by 7
. : to the maximum extent possible
deploying physical access
controls.
Establish, implement, and
PHT0683 maintain asset return Require the return of all assets upon notification an individual is terminated.
procedures.
seh i Establish, implement, and maintain a clear screen policy.
PHTO685 Establish, implement ane Clear desk rules for papers and removable storage media and clear screen rules
Policy. for information processing facilities should be defined and appropriately enforced.
Establish, implement, and maintain a capacity planning baseline. - CTRLO020615
Establish, implement, and maintain future system capacity forecasting methods.
Align critical Information Technology resource availability planning with capacity
planning.
PHTO880 Establish, implement, and Provide excess capacity or redundancy to limit any effects of a Denial of Service
maintain a capacity management I attack. - CTRL0020727
CTRLOO20614 plan. Utilize resource capacity management controls.
The organisation must Identify availability and capacity implications of changing
business needs and improvement
opportunities. Use modelling techniques to validate availability, performance and
capacity plans.
INTERNAL Page 7 of 13 Asset Management Standard

2.22
Post Office Limited - Document Classification: INTERNAL

POL00362907

POL00362907

ich jf The organisation must have an asset management policy that details how the
Establish, implement, and fy + oe
PHTO0990 ra asset lifecycle is managed. This includes all the steps from procurement to
maintain an Asset Management , aa, i"
program. disposal to ensure assets are fully utilised, accounted for and physically protected
Assign an information owner to organizational assets, as necessary.
Apply security controls to each level of the information classification standard.
. : Define confidentiality controls.
PHTO992 Fateh oatroction ane ames Establish, implement, and maintain the systems' availability level. CTRLO020669
for all systems and assets. Define integrity controls. ape A F
Establish, implement, and maintain the systems' integrity level.
Define availability controls
Apply asset protection mechanisms for all assets according to their assigned Asset
PHT0999 Classify assets according to the Classification Policy. CTRL0020563
Asset Classification Policy. Resources (e.g., hardware, devices, data and software) are prioritized based on
their classification, criticality and business value.
Establish, implement, and maintain an Information Technology inventory with
asset discovery audit trails. - CTRL0020647
Include each Information System's system boundaries in the Information
Technology inventory.
PHT1001 Establish, implement, and Identify processes, Information Systems, and third parties that transmit, process,
maintain an asset inventory. or store personal data.
Business processes must be in place and documented to manage the life cycle of
assets including:
Identifying critical Assets
Managing assets from procurement to Disposal
Establish, implement, and
PHT1005 maintain a hardware asset Include network equipment in the Information Technology inventory.
inventory.
Include interconnected systems
PHT1007 and Software as a Service in the I The organisation must maintain and understand how a systems are connected and
Information Technology the cloud resources being used need to be inventoried.
inventory.
INTERNAL Page 8 of 13 Asset Management Standard

2.22
Post Office Limited - Document Classification: INTERNAL

POL00362907

POL00362907

Include software in the
PHT 1008 Information Technology Software platforms and applications within the organization are inventoried.
inventory.
. : Inventory logs must be properly maintained for all media
PHT1009 rrauntaina eloraoe meds Media inventories must be conducted at least annually
1 Inventories of backup media, storage location, and access controls for the media
inventory. : "
or physical location
The organization should maintain an accurate inventory of all deployed databases,
along with their contents.
Establish, implement, and Establish and maintain a data inventory, based on the enterprise's data
PHT1010 maintain a records inventory and I management process. Inventory sensitive data, at a minimum. Review and
database inventory. update inventory annually, at a minimum, with a priority on sensitive data
An inventory of information and other associated assets, including owners, should
be developed, and maintained
Record the physical location for applicable assets in the asset inventory.
Record the manufacturer's serial number for applicable assets in the asset
Record the make, model of +
PHT1011 device for applicable assets in inventory.
. Record the related business function for applicable assets in the asset inventory.
the asset inventory. R i" A i
ecord the owner for applicable assets in the asset inventory.
Record all changes to assets in the asset inventory.
Establish, implement, and Establish, implement, and maintain software asset management procedures.
PHT1017 maintain a software Establish, implement, and maintain software license management procedures. -
accountability policy. CTRLOO20662
pHT1020 Establish, implement, and deposed on systems prior to when the system is redeployed or the system is
maintain a system redeployment Transfer legal ownership of assets when the system is redeployed to a third party.
program. = CTRLOO20747
It is necessary to formulate a disposal plan for the system, clarify the disposal
PHT1023 Establish, implement, and procedure, and discard it with approval from the person in charge of operation
maintain a system disposal and the user's department
program. The organisation shall define system disposal procedures
INTERNAL Page 9 of 13 Asset Management Standard

2.22
Post Office Limited - Document Classification: INTERNAL

POL00362907

POL00362907

Where data assets are encrypted the encryption keys should be
destroyed to prevent access. The data must be deleted by the supplier
as per contract, Where data is not encrypted the supplier has to
provide evidence that the data has been destroyed in line with best
practice (as per contract)
When data is no longer required the information must be destroyed in
a secure manner and in accordance with the data retention policy and
best practice subject to the classification of the data
PHT1024 Establish, implement, and Establish and maintain maintenance reports. CTRLO020606
maintain a system preventive The organisation must document its approach to maintaining assets that support
CTRLO020632 maintenance program critical services. This needs to includes the steps taken to maximise the reliability
: and availability of the assets to support business need.
Maintain contact with the device
PHT1026 manufacturer or component Obtain justification for the continued use of system components when third party
manufacturer for maintenance support is no longer available.
requests.
PHT1028 Scooraing to the syctoms seset Approve all remote maintenance sessions. CTRL0020564
Pea Log the performance of all remote maintenance. CTRLO020705
classification.
PHT1031 Conduct maintenance with Remote maintenance of organizational assets is performed in a manner that
authorized personnel. prevents unauthorized access.
PHT1032 Perform periodic maintenance Maintenance and repair of organizational assets is performed and logged in a
according to organizational ; i
timely manner, with approved and controlled tools.
standards.
It is necessary to make sure that the system has completely ceased operations
Disassemble and shut down prior to the start of disposal
PHT1033 unnecessary systems or unused The organization must develop a hardened Standard Operating Environment for
systems. servers and workstations that includes removing unnecessary software, operating
system components, and hardware
INTERNAL Page 10 of 13 Asset Management Standard

2.22
POL00362907
POL00362907

Post Office Limited - Document Classification: INTERNAL

PHT1034
Dispose of hardware and

CTRLO020721 software at their life cycle end. Assets are formally managed throughout removal, transfers and disposition.

When a system transitions to a production environment, unplanned modifications

PHT1035 Review each system's to the system occur. If changes are significant, a modified test of security
operational readiness. controls, such as configurations, are needed to ensure the integrity of the security
controls.
INTERNAL Page 11 of 13 Asset Management Standard

2.22
POL00362907
POL00362907

Post Office Limited - Document Classification: INTERNAL

4 Where to go for help

4.1 Additional Policies

This standard is part of the Cyber Security Policy framework. The full set can be found at:

https://poluk.sharepoint.com/sites/cybersecurity2/SitePages/Cyber-and-Information-
Security-Policy-Set.aspx

4.2 How to raise a concern

Any Post Office employee who suspects something is wrong has a duty to:

e Discuss the matter fully with their Line Manager; or,
e Report their suspicions by contacting the Service Desk.

4.3. Who to contact for more information

If you need further information about this standard or wish to reI
to this standard, please contact Cyber Security Team via cyber

in relation

INTERNAL Page 12 of 13 Asset Management Standard
2.22
Post Office Limited - Document Classification: INTERNAL

5 Version Control

POL00362907
POL00362907

5.1 Version Control

Date Version Updated by Change Details

24/07/2019 0.1 IPA & IT Security First draft for review

04/01/2020 1.0 IT Security Final draft version for approval

12/06/2020 1.0 Cyber Security Approved by ISC

28/07/2021 1.1 Cyber Compliance Final draft version for approval

02/08/2021 2.0 Cyber Compliance Approved by ISC

23/11/2022 21 Cyber Compliance Update to align with control
framework UCF

25/04/2023 2.2 Cyber Compliance CSF Approval for publication

5.2 Standard Approval

Standard Owner:
Standard Author:
Approved by CSF:

Next review:

INTERNAL

Chief Information Security Officer

Hazel Freeman
25/04/2023
25/04/2024

Page 13 of 13

Asset Management Standard
2.22