Punjab State Power Corporation Limited
(PSPCL)
Standard Operating Procedure
SOP02: Asset Management Procedure
SOP –Asset Management Process
Document Control
Document Title: SOP02 – Asset Management Procedure
Internal
Table of Contents
1. Purpose
2. Scope
3. Prerequisites
4. Responsibilities
5. Procedure
   5.1 Inventory of Assets
   5.2 Information Classification
   5.3 Information Labeling and Handling
   5.4 Ownership of Assets
   5.5 Acceptable use of Assets
   5.6 Enforcement
6. Document Review
7. Reference
Abbreviations
PSPCL     Punjab State Power Corporation Limited
SOP       Standard Operating Procedure
DCM       Data Center Manager
R-APDRP   Restructured Accelerated Power Development and Reforms Programme
ISC       Information Security Council
IT        Information Technology
SAN       Storage Area Network
ROM       Read Only Memory
1. Purpose
The purpose of this document is to provide guidelines for implementing appropriate security
mechanisms to safeguard the information assets owned by PSPCL. Grouping shall be done in
such a way that only authorized users can access the information system assets
owned by PSPCL.
2. Scope
This policy applies to all information system assets, such as information related to IT,
laptops, desktops, servers etc., owned by PSPCL. All employees of PSPCL are subject to this
policy and are required to abide by it.
3. Prerequisites
None
4. Responsibilities
Datacenter Manager/ Concerned Process Owner
5. Procedure
5.1 Inventory of Assets
The procedures to be followed for the inventory of assets are given below:
The asset owner shall ensure that all the details of the asset, such as type of asset, location,
owner, asset sensitivity based on value to business etc., are entered in the information
asset register.
The assets have been categorized as follows:
Asset Categorization | Description
Physical Assets | Servers, Storage devices (SAN), Network Devices like Routers, Switches, Firewalls and security devices like IPS etc.
Software Assets | Business Applications such as SAP, MDAS and all licensed software packages deployed at the Data Center / DR site
Paper Based Assets | All documents of PSPCL.
Electronic Information Assets | Business information stored in PSPCL server and storage devices.
People Assets | PSPCL employee and key vendor personnel deployed in the PSPCL.
Services | Key utilities like Power, Internet and other vendor based services provided from external source
The information asset register and information assets shall be checked periodically, on a
monthly basis.
5.2 Information Classification
The asset owners are responsible for ensuring the implementation of these procedures.
Classification Guidelines
Information of PSPCL shall be classified into five types as defined below:
o Secret
o Highly Confidential
o Confidential
o Internal
o Public
These classifications are defined as follows:
o Secret: This classification shall be applied to the information and material, the
unauthorized disclosure of which is expected to cause exceptionally grave damage to
PSPCL business. Access shall be granted after approval from the competent authority.
o Highly Confidential: This classification will be applied to the information and material,
the unauthorised disclosure of which is expected to cause serious damage to PSPCL
business. Access shall be given only to authorized members.
o Confidential: This classification will be applied to the information and material, the
unauthorised disclosure of which is expected to cause damage to PSPCL business. Access
shall be limited to specific members with proper authentication and authorisation.
o Internal: This classification will be applied to the information and material, the
unauthorised disclosure of which is expected to cause undesirable effects to PSPCL
business. Access shall be given to all PSPCL employees.
o Public: This classification will be applied to the information and material which do not
have any of the classifications listed above. Such documents can be viewed without security
clearance and are open to the public.
The ISC reserves the right to modify the classification order of information assets,
based on business requirements.
5.3 Information Labeling and Handling
The following guidelines have been defined for information labeling and handling:
Information Labeling
Purchasing of any asset shall follow the Purchasing Policy and Purchasing Management
Process.
Asset owners shall ensure that Secret, Highly Confidential and Confidential information
either in paper form will be externally labeled (marked) with the appropriate classification.
The labeling shall be maintained until the paper / removable media is destroyed / disposed
of.
In case of electronic documents, footers added to the document shall indicate the
classification.
If the electronic document is to be printed or viewed in .pdf format, the security
classification shall appear.
Prior to any asset installation, a PSPCL engineer shall be assigned to the equipment for the
completion of the associated asset record in the system.
Information Handling
Information assets shall be handled as per the assigned classification category.
Retention period and depreciation value of IT assets shall be as per PSPCL Accounts
Circular no. 22/2017 and latest amendments if any.
All core IT assets including removable media such as floppy, CD ROM, USB storage device
or any other such media shall be disposed of as per SOP09_Disposal of Electronic media
Management Procedure_v1.2.
PSPCL classified information shall not be transferred to any party for any purpose other
than business purpose.
The naming convention of PSPCL data files shall be meaningful and capable of being
recognized by its intended users.
When not in use, all classified information will always be protected from unauthorized
disclosure. When left in an unattended room, such information shall be locked in
appropriate cabinets.
Printers shall not be left unattended if sensitive information is being printed.
Asset management shall be carried out through an asset management tool such as ITCM to
manage all asset information.
5.4 Ownership of Assets
Any movement of IT assets shall be done only after obtaining approval from the asset
owner. Asset inventory register shall be revised by the data center team / after movement
of assets.
The information about the locations and owners of all the information assets shall be
mentioned in the information asset register.
The custodian of the asset owner at PSPCL IT office / Data Center / DR Site / other concerned
offices shall be responsible for exercising due diligence in protecting information assets
entrusted to them and shall immediately report the loss, theft or damage of any information
asset to the competent authority (SE or above).
Guidelines shall be followed strictly while purchasing any licenses.
5.5 Acceptable use of Assets
PSPCL employees and third-party users will use PSPCL assets strictly for business purposes
only.
The acceptable use policy shall include (but not be limited to) electronic mail usage, internet
usage, information processing facilities usage and system usage.
Accessing the Assets: Only authorized personnel must be allowed to access the IT assets
like servers, network devices etc. The access to the IT assets should be restricted through
physical/biometric security setup.
5.6 Enforcement
1. This policy shall comply with all other relevant IT policies of PSPCL.
2. Any employee who is found to have violated this policy may be subject to disciplinary
action as per Employee Punishment & Appeal regulations of PSPCL.
6. Document Review
The document shall be reviewed every year or as and when required, with the prior
approval of the competent authority.
7. Reference
PSPCL ISMS Policy Document for PO02: Asset Management Policy