This Rules/Policy document is provided to you and your organization as a starting point or maturity checkpoint for existing rules/policies. It is brought to you on behalf of Jim McConnell, Principal Owner, and Ask McConnell, LLC — A Converged Security Services Provider. The content is not meant to cover every circumstance, industry, law, regulation, contractual requirement, threat, environment, or risk, but it provides an easy, defendable, highly accountable starting point for any organization. Please consult with your legal counsel and insurance provider about added requirements. If you know of peers that you think would find value in these resources, please have them contact us. These will be updated on our website regularly. We are not legally protecting these documents; we just ask for credit, shout-outs, and referrals if you find them helpful. If you have recommended updates, we are all ears. And if you need Converged Security Consulting and Training, please reach out, we would be honored to serve you and your organization.
Jim McConnell | info@askmcconnell.com | askmcconnell.com
Asset Inventory Management Policy
Updated: 8 April 2025
Protecting human lives is the highest requirement of our entire organization, whether they are employees, customers, volunteers, visitors, or part of our supply chain while under some nexus to our organization. Many times things we do online will impact people’s lives physically, financially, and emotionally.
- I will report security incidents, concerns, vulnerabilities, and threats to my supervisor or the organization’s Ethics Hotline as soon as possible and safe. If they are not available and I feel unsafe, I will contact law enforcement.
- I will track all physical and technology assets under my management control, including:
- Location
- Criticality, sensitivity, and business/information/data classification
- End of Life (EOL) and End of Service (EOS) dates
- Who manages the security of the asset
- What assets and processes the asset depends on
- What assets and processes depend on the asset
- Who has authorized access to the asset
- Who currently has access to the asset
- Who monitors the asset for malicious activities
- The replacement value of the asset
- I will verify the accuracy of inventory data — including through independent auditors and large-sample reviews — at least twice per year.
- I will not move an asset to a new location without first considering the business impact and any security or safety implications.
- I will not acquire an asset that can impact the security posture of the organization without prior approval from the security and safety teams.
- I will not change inventory attributes of an asset without coordinating with the asset’s caretaker or trustee to mitigate impact and ensure the inventory remains current.
- I will request and support inventory reconciliation steps to compare my inventory against other inventories maintained by Accounting, Technology, Real Estate, and other departments.
- I will implement metrics to manage the security and safety aspects of asset inventory management under my control.
- I will manage or support a State of Asset Inventory Management Security Report and Presentation, under Executive Session, at least yearly — covering incidents, vulnerabilities, improvements, and metrics across all security domains.
Signature Note: I am a huge fan of wet signatures on these types of documents for accountability and investigation reasons. You can add the signature lines below to each rule/policy document, or have a collective wet signature with references in the Security Commitment Agreement document available on the One-Pager library page. Organizational preference.
________________________
Print Full Legal Name
________________________
(Blue Ink) Full Legal Signature
Style of signature must closely match Driver’s License
________________________
Date
🖶 To save or print this policy, use your browser’s Print function (Ctrl+P / Cmd+P) and select “Save as PDF” if needed.