IT Asset Management Policy
1. Background and Purpose
The purpose of the IT Asset Management Policy is to achieve and maintain appropriate protection of the IT assets of Melbourne Racing Club, its subsidiaries, and related entities (“MRC”). This policy defines key principles and requirements which MRC will apply to its assets to achieve its business objectives.
This policy aligns with relevant clauses of ISO 27001: A.8: Asset Management.
2. Scope
This policy’s scope includes all information technology assets and information processing facilities owned by MRC (“IT Assets”). The primary audience for this policy is MRC’s Information Technology Department.
3. Policy
MRC must clearly identify all IT Assets and document these throughout their lifecycle. The asset inventory must include all information necessary to recover from an emergency or disaster. The asset inventory must include information such as, but not limited to:
- Type of asset;
- Format;
- Location;
- Backup information;
- License information; and
- Business value.
Owners should be identified for all IT Assets and the responsibility for the maintenance of appropriate controls should be assigned. The implementation of specific controls may be delegated by the owner as appropriate, but the owner remains primarily responsible for the protection of the assets.
3.1. Roles and Responsibilities
All IT Assets should be owned by designated personnel from MRC. Routine tasks may be delegated, e.g. to a custodian looking after the asset daily, but the responsibility remains with the owner.
IT Asset Owners should be responsible for:
- Ensuring that IT Assets are appropriately classified; and
- Defining and periodically reviewing access restrictions and classifications, taking into account requirements stated in the MRC Access Control Policy.
3.2. Acquisition of IT Assets
- A formal acquisition process must be followed.
- All requirements must be identified at the requirements phase of a project and justified, agreed, and documented as part of the overall business case for an information system.
- All IT Asset acquisition must adhere to MRC Group Capex Policy, Authorised Limits Policy and MRC Procurement Policy.
3.3. IT Asset Management
IT Assets with a value of less than $1000 may be subject to exceptions or simplified procedures within this policy, as determined by the IT department and in accordance with the organisation’s risk management approach. All IT Assets, irrespective of their accounting treatment, must be recorded and managed as follows:
- A centralised inventory of all IT Assets must be maintained and regularly updated by the IT department;
- All IT Assets must have a unique identification number, and the assigned number must be maintained throughout the lifecycle of the IT Asset;
- All IT Assets must be registered within the corporate IT Asset Register, which must be protected against data loss and alteration by unauthorised persons;
- The IT Asset Register must be accurate, up to date, consistent and aligned with other inventories;
- The IT Asset Register must include all information necessary to recover from an emergency or a disaster. The inventory must capture details such as type of asset, format, location, backup information, and license information.
3.4. Ownership of IT Assets
Ownership must be assigned when IT Assets are procured or when IT Assets are transferred to MRC. The IT Asset owner should be responsible for management of IT Assets over the whole asset lifecycle.
- MRC must assign ownership to the role that makes appropriate use of the asset, or to the role that is best suited to fulfil the responsibilities of an IT asset owner;
- IT Asset owners must have the appropriate level of authority to effectively perform their roles and responsibilities.
3.5. Physical Media Transfer
Physical Media containing information must be protected against unauthorised access, misuse, or corruption during transportation.
MRC must ensure:
- Reliable transport or couriers are used;
- Procedures are in place to verify the identification of couriers;
- Packaging is sufficient to protect the contents from any physical damage;
- A record is kept of the delivery acknowledgement received from the transporter or courier.
3.6. Removal of IT Assets
Equipment, information, or software must not be taken offsite without prior authorisation.
- Employees and external party users who have authority to permit offsite removal of IT Assets must be identified;
- Time limits for asset removal must be set and returns verified for compliance;
- IT Assets must be recorded when removed offsite and again when returned.
3.7. Security of Equipment and IT Assets Offsite
Security controls must be applied to offsite IT Assets considering the different risks of working outside of MRC premises.
- Equipment and media taken off premises must not be left unattended in public places;
- Manufacturer’s instructions for protecting equipment must always be observed, e.g. protection against exposure to strong electromagnetic fields;
- Controls should be applied for offsite IT Assets based on risk assessment;
- Offsite equipment transfer among different individuals or external parties must be logged to maintain the chain of custody.
3.8. Return of IT Assets
- All employees and external party users must return all the MRC assets, including IT Assets, in their possession upon termination of their employment, contract, or agreement.
3.9. IT Asset Disposal
- All data stored on IT Assets must be sanitised prior to disposal so that all data is removed from the IT system;
- IT Assets with residual value to MRC must be evaluated for reclamation and re-deployment within MRC;
- Software licences that are no longer in use must be marked as unused and made available for redeployment.
4. Applicability of Other Policies
- Information System Acquisition, Development, and Maintenance Policy;
- Information Security Policy;
- Access Control Policy;
- Bring Your Own Device Policy – September 2020;
- Authorised Limits Policy;
- Group Capex Policy; and
- Procurement Policy.
5. Key Legislation, Acts & Standards
- ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements – https://www.iso.org/standard/82875.html; and
- ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection — Information security controls – https://www.iso.org/standard/75652.html.
6. Enforcement
Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities are suspected, MRC may report such activities to the applicable authorities. If any provision of this policy is found to be unenforceable or voided for any reason, such invalidation will not affect any remaining provisions, which will remain in force.
7. Review
This Policy is recommended to be reviewed biennially.[1]
8. Further assistance
For advice and assistance on policy matters please direct your enquiries to MRC’s IT Department via itsupport@mrc.net.au.
9. Glossary of Terms/Definitions
| Term | Definition |
|---|---|
| Assets | Any hardware, software or information element of MRC’s information processing environment. Examples include, but are not limited to: hardware (servers, laptops, routers, mobile devices, USBs etc.); software (developed applications, purchased software, tools and utilities); and information (see ‘Information’ definition below). |
| Asset Owner | Person responsible for an asset’s continuing performance over its life. |
| Identification | The process by which a unique identity is assigned to an entity. |
| Information | Raw data to which interpretation/presentation have been applied to provide context. |
| Information Processing Facility | A physical location or infrastructure where information is processed, e.g. a datacentre or communications room. |
| Inventory | A complete list of assets such as property, goods in stock, or the contents of a building. |
| IT Assets | Any information or operations system, tool, database, application, repository, technical service, hardware and/or device that is used while providing or meeting MRC business activities or business needs, or any technical tool (devices, hardware, etc.) that connects directly to the MRC internal network. |
| Lifecycle | The useful life of an asset from initial construction or purchase through to its disposal. Life-cycle data will also define what is required over the operational life to maintain the asset’s condition and ability to deliver the required level of service. |
| Physical Media | Pressed or pre-recorded optical media such as CDs, DVDs and Blu-rays, or other data storage devices that use flash memory to store data (often called a USB drive, flash drive, or thumb drive). |
| Mobile Devices | A portable device that can be used for certain applications and data storage. Examples are PDAs or smartphones. |
| Risk | The combination of the probability of an event and its consequences. |
| User | All employees of MRC, whether permanent, temporary, casual, part-time or on fixed-term contracts, and all partners and third parties who have access to MRC systems. |
[1] Review date is recommended only. Should this Policy have not been reviewed or updated by its review date, this Policy shall still remain in force and does not expire.