Asset Management Policy
Security Classification: Public
Version 2.0 (April 2025)
Asset Management
KX has various assets under its control.
1.0 Responsibility for Assets
1.1 Inventory of Assets
Information Asset Owners and Information Custodians (roles such as Information Security SME, Technical Owner and to a lesser degree the End User) will identify, document, maintain, and verify assets under their control, including:
- Software
- Hardware
- Computer and communications services
- Cloud environments (including Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS))
- Information assets required under legal and regulatory requirements in all jurisdictions in which KX operates. For example, the European Union General Data Protection Regulation (GDPR), Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), and others as directed by general counsel.
- All other information assets such as database and data files, contracts and agreements, system, user, and operational documentation, and business continuity plans.
KX equipment will be inventoried and assigned a unique identifier and an owner. The asset inventory system will record the device's unique identifier, serial number, make and model, and assigned owner, and will track the lifecycle of the device. Virtual machines (VMs) should have their owners and unique identifiers tracked in the same manner.
1.2 Data Loss Prevention
Auditable monitoring must be in place for the secure transfer of information assets, including restricted data, confidential data and source code. In addition to strong access controls for KX assets (networks, systems, cloud environments, applications, and data, which include all KX sensitive information such as source code and customer data), a Data Loss Prevention (DLP) program must be implemented to ensure the following:
- Sensitive data is not lost, misused, or accessed by unauthorized users.
- Regulated, confidential and business-critical data is classified.
- Violations of security policies are identified.
- Corrective actions are enforced through remediation with alerts, encryption, and other protective actions to prevent end users from accidentally or maliciously sharing data that could put the organization at risk.
- Endpoint activities are monitored and controlled.
- Data streams on the network are monitored and filtered.
- KX data on premise and in the cloud is monitored to protect data at rest, in motion and in use.
- Reports are provided to meet compliance and auditing requirements, and to identify areas of weakness and anomalies for forensics and incident response.
1.3 Ownership of Assets
KX is the legal owner of all licensed or internally developed software, and information assets stored on or passing through its information systems, or systems/software hosted on a cloud environment on behalf of KX, except for material clearly identified as owned by third parties.
Physical assets in an information processing facility are owned by KX.
1.3.1 Bring Your Own Device
Only laptop devices that are owned and provided by KX are authorized for managing KX information, unless an exception has been granted through the risk management process.
Use of personal devices is restricted to mobile or tablet devices. Mobile or tablet devices that access KX resources, such as email, will be registered with KX; the user agrees to the applicable restrictions and guidelines, and the device is subject to containerization.
1.3.2 Intellectual Property
Unless an exception in writing has been granted by the Legal Department, all business-related information developed by KX employees is the property of KX.
1.4 Assignment of Responsibility of Assets
1.4.1 Information Owners
All Information must have a designated Information Owner. Although Information Owners do not legally own the information, they have the responsibility and decision-making authority for information through its lifecycle, including creating, classifying, restricting, and administering its use, disclosure and disposal.
The Lead Security Architect (or equivalent role) has the authority to designate members of the KX management teams as Information Owners. When Information Owners are not specifically identified by organizational design, the Lead Security Architect will be the default owner.
Information Owners or their delegates must make the following decisions and perform the following activities:
- Define business and security requirements in planning for new or significantly changed information systems.
- Ensure information and information systems are protected commensurate with their classification and value.
- Approve changes under the change management process.
- Approve and periodically review access and authorization levels.
- Ensure user security responsibilities are understood, monitored and enforced.
1.4.2 Information Custodians
Information Custodians maintain or administer information and information systems on behalf of Information Owners by:
- Providing and managing security for the information and information systems throughout their lifecycle.
- Maintaining and operating the technical infrastructure on which information and information systems reside.
- Maintaining and operating the security infrastructure protecting information and information systems.
- Developing and maintaining documentation on information systems.
1.4.3 Information Users
An Information User is any individual user with access to KX systems or information, or the workloads of customers. Information Users are required to follow all security requirements defined by Information Owners and implemented by Information Custodians. Information Users are responsible for familiarizing themselves and complying with all KX policies, procedures, and standards, in addition to any relevant policies of FD.
Questions regarding the appropriate handling of a specific type of information should be directed to either the Information Owner or the Information Custodian.
1.4.4 Cloud Environment, Platform and Service Owners
The Cloud Environment, Platform or Service owners maintain or administer the cloud, platform, and / or the services which reside on the cloud or platform on behalf of the Information Owners by:
- Providing and managing security for the cloud, platform and services throughout their Secure Software Development Lifecycle (SSDLC).
- Maintaining and operating the technical infrastructure on which the cloud, platform and services are developed and / or reside.
- Maintaining and operating the security infrastructure that protects applications and services.
- Developing and maintaining documentation regarding the cloud, platform and services.
1.5 Acceptable Use of Assets
The acceptable use and protection of KX information and technology assets is the responsibility of all Information Users. All KX users must follow the KX Acceptable Usage Policy, KX Code of Conduct, Information Security Protocol, and other mandatory KX and / or FD training or policies.
Employee workstations are assets managed by the standard KX processes and tools. Employees are not permitted to use personal devices (BYOD) for work-related tasks unless they have received an authorized exception.
Information Security is Everyone’s Responsibility. Security starts with YOU.
2.0 Information Classification
2.1 Classification of Information
KX information and information systems shall be classified and protected in a manner commensurate with their sensitivity, value, criticality, and legal requirements, to ensure access is restricted to users on a need-to-know basis. Information Owners must assess and mitigate the risks specific to the business environments in which KX operates. KX must follow the KX Information Ownership and Classification Standard.
Use of a data security classification system simplifies information security decisions, minimizes information security costs, and ensures consistent and appropriate handling of information.
Information Owners and Information Custodians are responsible for:
- Documenting procedures to label different types of information with its information security classification and protection requirements.
- Documenting information handling procedures for the secure processing, storage, transmission, declassification and destruction.
- Classifying information and information systems in accordance with KX Data Classification Policy.
- Implementing cost-effective control systems designed to reasonably address risks in each business process or application.
- Periodically reviewing classifications to ensure the assigned level remains appropriate.
KX implementation of data classification policies must include processes for:
- Defining information types for categorization.
- Categorizing information systems based on the security classification of information stored, handled or processed by the information system.
- Making decisions on categorization based on:
  - Legal and regulatory requirements
  - Economic impact of loss of information
  - Impact on other information and information systems
  - Cost to create and replace information
  - Change to information sensitivity over time
- Designating a default category.
- Evaluating the process on a periodic basis.
2.2 Information and System Classification
Note: Only one level of classification can be shared freely: the KX Public classification. All other classifications of information can only be shared with appropriate approval and under the restriction of a current and active Non-Disclosure Agreement (NDA or CDA).
2.3 Labeling of Assets and Information
Asset Identification – All assets will be identified as Primary or Secondary Assets.
Primary assets:
- Business processes and activities
- Information
Secondary / support assets (on which primary elements of the scope rely) of all types:
- Hardware
- Software
- Cloud environments
- Network
- Personnel
- Site
- Organization structure
Information types which must be considered for labeling include:
- Printed records
- Electronic records
- Reports
- Files
- On-screen displays or messages
Information Owners must select and document the appropriate label type for each information type.
Automatic information labeling must be used where possible (for example: by use of document templates, standard report footers, printer watermarks, etc.).
Where direct information labeling is not possible, alternate methods must be used to communicate the information security classification, such as:
- Marking storage media
- Descriptions in information sharing agreements or system interface specifications
- Use of metadata
2.4 Handling of Assets
All systems that may contain customer data or workloads are provisioned, maintained and controlled by KX.
Information Owners and Information Custodians must document information handling procedures for the secure processing, storage, transmission, declassification and destruction.
Information protection procedures must take into account the information security classification, labeling and handling processes and the access control policies.
Procedures must be defined for interpreting information classification labels from, and handling information exchanged with, other jurisdictions.
3.0 Media Handling
3.1 Management of Removable Media
Information Owners and Information Custodians are responsible for the management of removable media, such as tapes, disks, flash drives, removable hard drives, CDs, DVDs, USB devices, and printed media. NOTE: Removable media CANNOT be used for any information unless there is a specific business need AND you have an approved exception.
3.2 Disposal of Media
Media containing sensitive, restricted, and / or confidential information must be:
- Cross-cut shredded
- Placed in designated and secured destruction containers, or
- Securely disposed of by an entity which provides a certificate of destruction for the media
Information Users must NOT discard media containing sensitive, restricted or confidential information in trash bins, recycle bins or other publicly accessible locations.
3.3 Physical Media Transfer
Information Custodians are responsible for:
- Using approved couriers and verifying credentials upon pick-up and delivery of packages
- Retaining receipts for media shipments and logging media shipments, and
- Using packaging that will protect media from loss, damage and disclosure of information classification