
Federal Electricity & Water Authority (FEWA)

Asset Management Policy


Version 1.0

Approved by:
NAME <date of approval>
TITLE

Document review and approval


Revision history
Version Author Date Revision
1.0 Document Created

This document has been approved by


Version Name Signature Date reviewed
1.0

FEWA Internal
Page 2 of 11 Version 1.0
Table of Contents

1 OBJECTIVE
2 SCOPE AND APPLICABILITY
3 POLICY
3.2 RESPONSIBILITY FOR ASSETS POLICIES
3.3 INVENTORY OF ASSETS
3.4 ASSET CATEGORIES
3.5 ACCEPTABLE/GENERAL USE:
3.6 UNACCEPTABLE USE:
3.7 PROTECTION
4 COMPLIANCE
5 RELATED DOCUMENTS

1 Objective

- To ensure that all information assets of FEWA are identified, inventoried, and
  assigned owners.
- Ensure that appropriate handling procedures are implemented for the information
  categories.
- To ensure that the criticality of each asset to FEWA's business purposes (i.e., goals
  and objectives) is known and that the asset is appropriately managed and protected
  throughout its lifecycle.
- Inventory and classify all assets to ensure appropriate protections according to their
  classification.
- Define roles and responsibilities to achieve and maintain appropriate protection of
  FEWA's assets.
- Prevent unauthorized disclosure, modification, removal, or destruction of
  information assets that could impact availability, integrity, and confidentiality.

2 Scope and applicability


This policy applies to all FEWA employees, contractors, subcontractors, vendors,
sub-vendors, consultants, manufacturers and temporary staff, hereafter referred to as users.
All managers are directly responsible for supporting the policy and ensuring staff
compliance in their respective departments.

This policy applies to all FEWA information/data, including (but not limited to) all services,
processes, systems, assets and components managed by Information and Communication
Technology and Operation Technology Departments.

The policies outlined in this document shall be implemented during the procurement,
engineering, commissioning, testing, operations, maintenance and disposal phases of the
asset lifecycle. Ensure that implementation of all maintenance and supporting policies is
carried out during a scheduled maintenance window to minimize any adverse impact to safe
and secure operations of the ICS.

3 Policy

- At each stage in the asset management lifecycle (procurement through disposal),
  security requirements and business relevance shall be considered.
- If there is an option of asset buy back/exchange from the vendor, the same can be
  practiced after management approval. This shall not compromise the sensitive
  data/information of the organization.

3.1.1 Secure log-on procedures shall be in place, taking into consideration the following
requirements:
- Warning banners.
- Protection against brute force.

3.2 Responsibility for Assets Policies


3.2.1 A complete, detailed, and continuously maintained inventory of all information assets
shall be in place.

3.3 Inventory of Assets


3.3.1 The minimum asset inventory attributes that shall be recorded in the information
asset inventory are:
- asset owner
- asset custodianship
- asset name
- asset tag
- IP address
- MAC address
- serial number
- hardware/firmware version
- operating system version and patches
- installed application software version and patches
- third party application software version and patches
- asset security requirements
- asset business criticality
- asset data classification
- role based account names with privilege level, and
- last review date.
3.3.2 Asset inventory shall be reviewed and updated at least quarterly or based on major
updates or changes to the asset configuration.
3.3.3 Automated mechanisms to help maintain an up-to-date, complete and accurate asset
inventory shall be employed wherever technically feasible.

3.3.4 Maintenance of the information asset inventory shall be facilitated in accordance
with the change management and risk management processes, to address accurate
updates of the entity's information asset inventory list.
3.3.5 Change management, risk management, resource management and business
continuity plans shall take into consideration an asset's criticality/business relevance.
3.3.6 Ownership, Responsibility and Accountability of assets shall be established:
- Information Asset Owners/Systems Administrator of assets such as
  Hardware, Software, Data Stores shall be identified and shall be
  accountable for the asset.
- All stakeholders involved in the asset management lifecycle shall be made
  aware of, and have access to, the asset management policy, processes and
  procedures in place.
- Asset owner/Systems Administrator shall ensure all assets are properly
  inventoried, classified, securely protected and reviewed.
- Asset owner shall ensure secure handling when the asset is
  decommissioned or destroyed.
- Asset owner/Systems Administrator shall also be responsible for:
  - Approving access to the asset.
  - Approving and reviewing security measures for assets.
  - Recommending additional controls or advising against controls in
    light of system criticality and cybersecurity risk.
  - Ensuring all legal requirements related to the asset are met.

3.4 Asset Categories


The information assets at FEWA would be broadly divided into the following
categories:

- Physical Assets / Infrastructure
- Information - Softcopy
- Information - Hardcopy
- Software
- Services
- Personnel

3.5 Acceptable/General Use:


- In general, all information systems shall be used for their intended purpose only.
- For maintenance and support purposes by the system vendors and
  authorized personnel, laptops or diagnostic devices may be allowed after
  verification and approval.
- All portable media used in FEWA's environment shall be used for this
  purpose only.

3.6 Unacceptable Use:


- Under no circumstances is a FEWA employee authorized to engage in any
  activity on information systems that is not in line with FEWA policies.
- The lists below are by no means exhaustive, but attempt to provide a
  framework for activities that fall into the category of unacceptable use:
  - Violations of the rights of any person or company protected by
    copyright, trade secret, patent or other intellectual property, or
    similar laws or regulations, including, but not limited to, the
    installation or distribution of "pirated" or other software products
    that are not appropriately licensed for use by FEWA.
  - Unauthorized copying of copyrighted material and the installation
    of any copyrighted software for which FEWA does not have a license
    is strictly prohibited.
  - Introduction of malicious programs into the network or server (e.g.,
    viruses, worms, Trojan horses, etc.).
  - Revealing account password to others or allowing use of your
    account by others. This includes employees who are not a custodian
    of the system.
  - Security breaches include, but are not limited to, accessing data of
    which the employee is not an intended recipient or logging into a
    server or account that the employee is not expressly authorized to
    access, unless these duties are within the scope of regular duties.
  - Circumventing user authentication or security of any host, network
    or account.
  - Interfering with, or denying service to, any user in
    computers (for example, denial of service attack).
  - Using any program/script/command, or sending messages of any
    kind, with the intent to interfere with, or disable, via any means,
    locally or via Network.
  - Printers shall not be used for printing personal documents and shall
    not be shared with other business systems.
  - System display screens/monitors shall be used only for their
    intended purpose. Any input facility (USB, Speaker, etc.) on the
    screen shall not be used.
  - Bringing your own device (BYOD) and personal equipment.
  - Sharing critical/sensitive system information with others without
    approval.

3.7 Protection
- FEWA assets and organizational records shall be protected from loss,
  destruction and unauthorized access.
- The media for storage of records should be accordingly identified to
  safeguard against loss of data.

4 Compliance

All users shall comply with this mandatory policy.


All defined security policies are applicable to systems wherever technically feasible.
However, where the security measures discussed in security policies cannot be
implemented, exceptions shall be raised and compensating controls devised to mitigate
the risk.
All instances where compensating controls have been implemented shall be
documented together with justification and associated cybersecurity risk. Re-evaluation
of raised exceptions shall occur, at least annually, to understand if security policies
have become technically possible.
Any personnel who find any potential non-compliance with this policy must report the
non-compliance to their manager, who must process the reported non-compliance
including forwarding all reports of potential non-compliance to the ICT/ICS System
Administrator/Asset Owner and IT Support.
Violations of this policy, including failure to report non-compliance, are subject to
investigation and disciplinary action supervised by HR. Strict confidentiality shall be
maintained on all notified violations.
The Policy Owner is responsible for providing support and advice about this policy.

5 Related Documents

Definitions & Abbreviations


Roles and Responsibilities
