Asset Management Policy V3.0

Asset Management Policy

Document Number : JSPL/AMP/2021-11


Version 3.0, Date: 20-05-2021

-Confidential-
All information contained in this document is proprietary and intended solely for use by
Jindal Steel & Power Limited Group Companies Employees.
Any unauthorized duplication or distribution is strictly prohibited.

Document Control
Document Publication History

Document Prepared by: Jagat Singh CHANDRAWAT - Manager
Document Reviewed by: Rajesh Kumar - Head IT
Document Approved by: Saurabh Ganeriwala - CDO
Document Authorized by: Sudhanshu Saraf - Director Transformation
Document Owned by: IT Department
Effective Date: 20-May-2021
Review Frequency: Two Years
Document Classification: Confidential

Document Distribution List

| # | Name | Organization | Purpose |
|---|---|---|---|
| 1 | Director Transformation | JSPL | Authorize |
| 2 | CDO | JSPL | Approve |
| 3 | Head IT | JSPL | Review & Update |
| 4 | Location IT Head | JSPL | Enforcement |
| 5 | Group Users/Employees | JSPL | Information |

Document Approval History


| Version | Date | Name | Role | Comments |
|---|---|---|---|---|
| 1.0 | 01.06.2014 | Vipul Anand | GCIO | |
| 2.0 | 01.08.2019 | Rajesh Kumar | Group IT Head | As per Audit Recommendation - June 2018 |
| 3.0 | 06.05.2021 | Saurabh Ganeriwala | GCDO | As Per ITGC Framework |

Authorized Signatory

| Name | Role | Date | Signature |
|---|---|---|---|
| Sudhanshu Saraf | Director Transformation | 20-May-2021 | FW FW Policies for approval and sanction.eml |

Table of Contents

1. PURPOSE
2. SCOPE
3. POLICY
3.1 ASSET PLANNING
3.2 ASSET ACQUISITION
3.3 ASSET INSPECTION, ACCEPTANCE AND DISTRIBUTION
3.4 ASSET VERIFICATION
4. END POINT MANAGEMENT
4.1 INFORMATION SECURITY
4.2 ENDPOINT SOFTWARE
4.3 ADMINISTRATIVE ACCESS
4.4 AUTHENTICATION
4.5 ANTIVIRUS SOFTWARE AND FIREWALL
4.6 SERVERS AND WEB APPLICATIONS
5. POLICY COMPLIANCE

1. Purpose
The purpose of the IT Asset Management Policy is to protect the company against loss
and prevent security incidents, to reduce the company’s risk profile to external and
internal pressures, to state commitment to legal compliance and to lower cost and
improve productivity through more efficient and effective IT Asset Management. IT
Asset Management is a foundational policy which helps support other IT Operations and
Information Security policies. The policy ensures that information systems, applications
and components on or accessed from JSPL network, and owned by JSPL or hosting JSPL
data, are effectively documented and tracked throughout their life-cycle.
2. Scope
This policy applies to all employees/users and affiliates operating within the company’s
network environment or utilising Information Resources. It covers the data networks,
LAN servers and personal computers (stand-alone or network-enabled), located at JSPL
offices and JSPL production locations, where these systems are under the jurisdiction
and/or ownership of JSPL, and any personal computers, laptops, mobile devices and/or
servers authorised to access the JSPL data networks. No employees/users are exempt
from this policy.
3. Policy
JSPL requires that all IT Assets must be documented and tracked from the day they enter
our network or environment, until after they have been decommissioned.
3.1 Asset Planning
Certain activities or events may trigger acquisition and/or disposition of IT Assets, such
as:
• Scheduled asset acquisitions, conducted in accordance with the capacity management
plan or obsolescence needs.
• Receiving an IT Asset Requisition/Disposal Form due to an unplanned event (theft,
damage etc.).
3.2 Asset Acquisition
• JSPL IT Location HODs shall request new or replacement IT Assets through NFA.
• If a purchase or lease agreement exists for the kind of asset being requested, that asset
shall be ordered from the existing vendor, pursuant to the terms of the agreement.
• If such an agreement does not exist, IT Support may recommend entering into one.
3.3 Asset Inspection, Acceptance and Distribution
• Physical assets shall be received by the JSPL stores department and forwarded to IT
Department.
• IT shall inspect and test assets for performance and capability prior to acceptance, if
possible.
• Purchase Department shall contact the vendor for replacement of the nonconforming
asset and dispose of the nonconforming asset in accordance with any purchase
agreement in place.

• All assets must have an ID number. Either an internal tracking number will be assigned
when the asset is acquired, or the Manufacturer ID number will be used.
• An asset tracking database shall be created to track assets. It will include all information
on the Asset Transfer Checklist table and the date of the asset change.
• When an asset is acquired, an asset ID will be assigned for the asset and its information
shall be entered in the asset tracking database.
• Only IT personnel shall distribute and install IT Assets.
• In the case of assets designed for use by individuals, installation shall be scheduled
primarily for the user’s convenience.
• Upon installing hardware, IT Support shall give each item a unique Asset ID. IT shall
update the IT Asset Inventory Database after installing assets.

3.4 Asset Verification


IT shall conduct a periodic assessment of IT Assets to verify their status (i.e., in use/not
in use).
If an asset is not being used or is not being used as specified (for example, the IT Asset
Inventory Database and IT Network Map are not in agreement), IT Support shall take
corrective action, which may include:
o Taking the asset out of service as per process.

4. End Point Management


4.1 Information Security
• All care should be taken to prevent unintended exposure, modification, or removal of
sensitive data and information as a result of leaving this information on the screen or
desk, exposed in such a way that it can be viewed or accessed by an unauthorised
individual. This includes information stored on portable storage media or hard copy.

4.2 Endpoint Software


All software contains security vulnerabilities, and software vendors are constantly
supplying updates (patches) to address these vulnerabilities when they are identified.
• Endpoint software Operating Systems (OS) and application software are to be kept up
to date with the latest security related patches, as soon as it is practical to do so, i.e.:
o Critical security patches must be applied within 4 weeks of them being released by
vendors.
o Important security patches must be applied within 8 weeks of them being released by
vendors.
o Endpoint systems must be restarted following installation, to ensure security patches
have been fully installed.
o Where possible, it is recommended that endpoint devices are set to auto-update
their security patch levels, and restart if necessary to complete the installation.
• OS that reaches end of support life should not be connected to JSPL network unless
appropriate security measures are taken (like antivirus protecting that version of OS).

• IT can install Endpoint device management software, as required, on any Endpoint
connected to the JSPL network in order to manage JSPL policy, legal, and commercial
compliance requirements.
• The removing or disabling of Endpoint device management software without prior
approval of IT is considered a breach of this policy.
• IT will audit JSPL owned Endpoint devices on the JSPL Domain as required, and has the
ability to install updates to software on these devices to address software vulnerabilities
or licensing issues with IT managed software.

4.3 Administrative Access


In accordance with the principle of least privilege, unnecessary administrative access on
JSPL owned Endpoint devices will be restricted.

4.4 Authentication
Endpoint devices containing JSPL information assets that are not publicly available, or
devices which attach to JSPL network, must be secured as appropriate by a network.

4.5 Antivirus Software and Firewall


• All Endpoint devices capable of running an antivirus software program are required
to do so before being connected to the JSPL internal network. Additionally, any such
antivirus software must be running the latest virus definitions to accurately detect
the latest viruses and malware, and be set to automatically update when newer
definitions become available.
• Disabling or removing of Antivirus software, or disabling of Antivirus software
definition updates on endpoints is prohibited.
• All Endpoint devices capable of running local firewall software are required to do so
to protect the device from external threats such as hacking by unauthorised parties.
4.6 Servers and Web applications
• All Servers (or devices exposed to the internet, in the DMZ, or running web services),
will be ‘hardened’, meaning they will have all the necessary security updates applied to
their Operating Systems, hardware patches (firmware updates), and installed software;
to reduce the chances of vulnerabilities being exploited. All such updates must be
reviewed and maintained regularly to ensure they remain up to date. It is the Server
Administrator’s responsibility to manage this.
• New Services that are externally (internet) facing will require independent security
vulnerability and penetration testing to be performed by a security specialist, to provide
assurance that data or services won’t be exposed to medium or high risk security
threats.

5. Policy Compliance
• Compliance Measurement
The Information security team will verify compliance to this policy through various
methods, including but not limited to, periodic walk-through, business tool reports,
internal and external audits, and feedback to the policy owner.
• Exceptions
Any exception to the policy must be approved by the Information Security Committee
in advance.
• Non-compliance
An employee found to have violated this policy may be subject to disciplinary action,
up to and including termination of employment.
