Asset Management (AST)
Establishes how AiVRIC identifies, inventories, governs, protects, and retires technology assets across the full lifecycle—from procurement through disposal—to ensure only authorized components are used and that assets storing, processing, or transmitting AiVRIC data are appropriately protected.
Purpose
To ensure technology assets are appropriately managed throughout the asset lifecycle, from procurement through disposal, and to ensure only authorized devices and components are allowed to access AiVRIC networks. This standard also ensures technology assets that store, process, or transmit AiVRIC data are adequately protected.
Scope
This standard applies to AiVRIC, its affiliates (as applicable), and all assets owned, leased, controlled, or used by AiVRIC, including data, systems, activities, and supporting facilities wherever AiVRIC data is stored, processed, or transmitted.
It also applies to employees, contractors, subcontractors, and third parties contracted by AiVRIC to handle, process, transmit, store, or dispose of AiVRIC data.
Note: This standard does not supersede applicable law or higher-level organizational directives. AiVRIC may update these requirements when needed to sustain compliance and risk posture.
Policy statement
AiVRIC protects its assets and data by implementing an IT Asset Management (ITAM) capability to identify, assess, monitor, control, and manage assets across the enterprise.
Key controls (AST)
- AST-01 Asset Governance: Establish and maintain ITAM, including (1) a list of devices and (where feasible) personnel with access, (2) a method to determine owner/contact/purpose, and (3) a list of company-approved products.
- AST-01.1 Asset–Service Dependencies: Map data processing activities; identify systems/apps/processes (including third parties) supporting critical functions; document dependencies; assess control appropriateness; report deficiencies as technology risks.
- AST-01.2 Stakeholder Involvement: Identify stakeholders for critical systems/services based on inventories and actively involve them in secure management.
- AST-02 Asset Inventories: Maintain hardware/software inventories (internally- and externally-hosted); track owner/contact/purpose; list approved products; keep inventories current; and where feasible list personnel with access.
- AST-02.1 Install/Removal Updates: Update inventory as part of component installations, removals, and upgrades where feasible.
- AST-02.2 Unauthorized Component Detection: Where applicable, use automated mechanisms to detect unauthorized hardware/software/firmware; take action when detected; and ensure acquisitions update inventory as approved devices connect.
- AST-02.3 Data Action Mapping: Develop and document a system map of data actions that process Personal Data (PD).
- AST-02.4 CMDB: Implement a CMDB (or equivalent) to monitor/record/reconcile asset attributes (configuration, ownership, lifecycle, dependencies), identify unauthorized changes, correlate with incident/change records, integrate discovery tools, and serve as the authoritative source of truth.
- AST-02.5 Approved Technologies: Maintain a current list of approved hardware/software to ensure deployed technologies are authorized and compliant.
- AST-03 Ownership & Accountability: Assign responsibility in writing; ensure accountable parties can exercise proper custody; maintain records for remote assets; prohibit personal use unless authorized; prohibit disposition without authorization; document make/model/serial.
- AST-03.1 Accountability in CMDB: Configure CMDB to include the name/position/role of data/process owners and asset custodians responsible for administering AiVRIC assets.
- AST-04 Network & Data Flow Diagrams: Verify current network diagrams exist; maintain architecture diagrams highlighting high-risk environments and compliance-impacting data flows; document all sensitive data flows.
- AST-04.2 Control Boundary Representation: Identify control-boundary components (internal and external); create and maintain graphical representations of those boundaries; update them as environments, processes, or third parties change.
- AST-05 Media Control: Classify media and control distribution; use secure/trackable delivery for sensitive media; require prior management approval before media is moved from secured areas (including distribution to individuals).
- AST-05.1 External Media Transfer Approval: Submit requests for review/approval; justify business need and classification/destination; apply encryption/protective measures; log approvals and responsible individuals in a centralized register; review annually.
- AST-06 Unattended End-User Equipment: Protect unattended equipment. When traveling with AiVRIC-issued devices, lock them in the trunk or maintain physical control of them (do not leave them in the vehicle).
- AST-09 Secure Disposal / Reuse: Sanitize media when no longer needed; destroy media that cannot be sanitized (shred/incinerate/pulp hardcopy; render electronic media unrecoverable). Use secure containers for sensitive material awaiting destruction.
- AST-10 Return of Assets: The direct manager inventories and accounts for AiVRIC-issued assets prior to the individual's departure. Upon termination or expiration of the relationship, AiVRIC-owned assets must be returned within 24 hours.
- AST-11 Removal of Assets: Obtain authorization before relocating/transferring hardware/software/data offsite. Capture make/model/serial, owner, removal reason, removing representative/company, and estimated return date (if applicable).
Operating procedures
- ITAM governance: Maintain an approved products list; ensure asset onboarding includes owner/custodian assignment and purpose.
- Inventory discipline: Update inventories during installs/removals/upgrades; reconcile discrepancies through ticketed remediation.
- CMDB as source of truth: Record configuration, ownership, lifecycle state, and dependencies; integrate discovery tools where feasible; correlate with incident/change records.
- Critical service mapping: Maintain an asset-to-service dependency map for critical business functions; register deficiencies as technology risks.
- Diagrams & flows: Keep network diagrams and data flow diagrams current; explicitly document sensitive data flows and high-risk segments/control boundaries.
- External media transfers: Require management approval; document business justification, classification, and destination; encrypt media as appropriate; log approvals in a centralized register.
- Secure disposal: Sanitize or destroy media per approved methods; retain evidence (certificate of destruction, ticket, vendor record) as applicable.
- Workforce separation: Manager-led asset return checklist; inventory and account for assigned assets; complete return within 24 hours where applicable.
- Offsite removal: Require authorization and capture required details (make/model/serial, owner, reason, remover, return date).
Data classification & handling (summary)
AiVRIC classifies information to ensure assets and media are protected proportionate to sensitivity. Distribution is limited based on business need, and protective controls increase with classification.
| Classification | Qualification | Distribution |
|---|---|---|
| Restricted | Critical business value; highly sensitive proprietary information; protection dictated externally (legal/contractual). | Only authorized workforce/contractors/partners with a specific business need. |
| Confidential | Sensitive; protection dictated internally by policy and/or contractual requirements. | Only authorized workforce/contractors/partners with a specific business need. |
| Internal Use | Non-sensitive internal information or third-party information not qualifying for more restrictive labels. | Authorized workforce/partners with a business need; not for public release. |
| Public | Explicitly approved for public release. | Freely shareable internally and externally. |
Handling expectations (high-level)
- Encryption: Use strong encryption for sensitive data in transit and at rest (mandatory for higher sensitivity). Avoid FTP for sensitive classifications.
- Remote access: For highly sensitive data, remote access must be business-justified and protected by MFA.
- Printing/scanning: Verify destinations; avoid unattended printouts; encrypt scanned images when handling sensitive data; use confidential printing where required.
- Email: Use strong encryption as required; prohibit forwarding for higher sensitivity.
For full handling controls by classification (NDA, transmission, data-at-rest, mobile, email, physical mail), refer to the authoritative standard.
Compliance, exceptions, and enforcement
Compliance measurement
AiVRIC verifies compliance through technical scans and assessment mechanisms, internal or external audits, and security dashboards/reports.
Exceptions
Exceptions must be formally requested and reviewed by the designated AiVRIC security authority. Requests should define scope, business justification, risk impact, mitigating controls, owner actions, and a timeframe to achieve minimum compliance.
Non-compliance
Violations may result in disciplinary action up to and including termination of employment/contract, termination of third-party agreements, denial of access to IT resources, and other remedies as permitted by law and contract.
Framework alignment
This standard is designed to support common assurance and compliance expectations. The source standard aligns Asset Management (AST) to a control framework and references SOC 2, ISO/IEC 27001:2022, and HIPAA as applicable.
- SOC 2: Asset and configuration accountability, access governance, and operational monitoring expectations.
- ISO/IEC 27001:2022: Organizational context and scope considerations for asset-related controls.
- HIPAA (where applicable): Device and media controls for regulated information handling.
Exact cross-references are maintained in the authoritative internal mapping for AiVRIC’s control framework.
Evidence & ownership
Control owners: Security & Compliance, IT Operations, and Product/Engineering (as applicable).
Evidence examples: CMDB/inventory exports, approved product list, discovery scan results, risk/ticket records, network/data flow diagrams, media transfer approvals register, destruction certificates/vendor records, separation checklists, and offsite removal authorizations.
Review cadence: At least annually, and after material changes to systems, third parties, or regulatory/contractual obligations.
Contact: [email protected]