Asset Management & Information Classification Policy

Document ID: DPWAT-ISMS-POL-004
Version: 1.0
Owner: ISMS Manager / CISO (RMSI) — Timo Andreas Bejan
Approved by: Administrator (ADM) — Anna Boros
Effective date: 2025-10-15
Next review: 2027-02-01 (or on major change)

1. Asset types in scope

• Information assets: source code, project docs, customer information, contracts, credentials, ISMS documentation.
• Physical assets: company-owned laptops, phones, screens, removable media.
• Service assets: SaaS systems/accounts (Google Workspace, GitHub, YouTrack, etc.).
• Third-party assets: customer-owned devices and customer environments.

2. Asset inventory

DP WAT maintains:

• an asset register for company-owned devices and key SaaS systems (asset-register),
• a supplier register for external parties and services (supplier-register).

3. Classification (minimum)

DP WAT uses these information classes:

• Public: safe to publish.
• Internal: for DP WAT personnel; not public.
• Confidential: customer info, source code, credentials, contracts, security records.

Handling rules:

• Confidential information must be shared only with authorized persons and via approved tools.
• Credentials/secrets are always Confidential.

4. Third-party assets (customer-owned devices)

If customer-owned devices access DP WAT systems or other customer information, this must be:

• identified in the asset register as a third-party asset, and
• approved via risk assessment/exception.