Nemu Inc.

📦 Information Asset Management Program

1. Purpose

This document establishes Nemu Inc.’s management-approved asset management program for identifying, classifying, protecting, and managing information assets and IT resources throughout their complete lifecycle. This program ensures appropriate controls are applied based on asset criticality and data sensitivity.

2. Scope

This program applies to all information and IT assets including:

  • Data Assets: Customer data, business records, intellectual property, and operational data
  • Systems: Databases and storage in Supabase, applications hosted on Render
  • Infrastructure: Cloud services, networking components, and security tools
  • Applications: Node.js APIs, Next.js applications, and third-party SaaS tools
  • Collaboration Tools: Google Workspace (Gmail, Drive, Docs, Sheets, Meet)
  • Development Assets: Source code repositories (GitHub), CI/CD pipelines
  • Endpoint Devices: Laptops, mobile devices, and workstations used by team members
  • Removable Media: USB drives, external hard drives (when used)

3. Program Ownership and Governance

3.1 Program Owner

The Security Lead (or the CTO, where the two roles are combined) serves as the Asset Management Program Owner and is responsible for:

  • Maintaining and updating this policy and associated procedures
  • Ensuring the asset inventory remains current and accurate
  • Coordinating lifecycle management activities across teams
  • Conducting annual program reviews and updates
  • Reporting program status to executive leadership

3.2 Management Approval

This asset management program has been approved by executive leadership and is reviewed at least annually or when significant changes occur to:

  • Organizational structure or technology architecture
  • Regulatory or compliance requirements
  • Business operations or service offerings
  • Security threats or incident lessons learned

3.3 Communication

This program is communicated to all constituents through:

  • New hire onboarding materials and training
  • Internal knowledge base and policy repository
  • Security awareness training (annual refresher)
  • Team meetings and security updates
  • Direct notification when policy changes occur

4. Asset Identification and Inventory

4.1 Asset Inventory Requirements

Nemu Inc. maintains a centralized inventory of information assets that documents:

| Inventory Field | Description | Purpose |
|---|---|---|
| Asset Name/ID | Unique identifier for the asset | Tracking and reference |
| Asset Type | System, application, data store, device, service | Categorization |
| Asset Owner | Individual responsible for the asset | Accountability |
| Data Classification | Confidential, Internal, or Public | Risk-based controls |
| Data Types Processed | Customer, payment data, business records, etc. | Compliance and protection |
| Hosting Environment | Supabase, Render, Google Workspace, endpoint | Infrastructure dependency |
| Access Controls | Authentication/authorization mechanisms | Security posture |
| Backup/Recovery | Backup frequency and retention | Business continuity |
| Lifecycle Stage | Active, deprecated, decommissioned | Operational status |
| Last Review Date | Date of last inventory verification | Currency validation |

4.2 Key Information Assets

Production Systems of Record

  • Supabase Postgres Databases

    • Owner: Engineering Lead
    • Data Classification: Confidential (customer data)
    • Data Types: User accounts, application data, business records
    • Environment: Supabase (PostgreSQL with encryption at rest, TLS in transit)
    • Access: Row-level security, role-based access control
    • Backup: Automated daily backups with 30-day retention
  • Supabase Storage Buckets

    • Owner: Engineering Lead
    • Data Classification: Confidential (user-uploaded files)
    • Data Types: Customer files, documents, media
    • Environment: Supabase (encrypted at rest)
    • Access: Bucket policies, authenticated access only

Application Services

  • APIs (Production)

    • Owner: Engineering Lead
    • Data Classification: Confidential (processes customer data)
    • Environment: Render (with TLS termination)
    • Access: API authentication, environment-based secrets
    • Monitoring: Application logs, error tracking
  • Frontend Applications

    • Owner: Engineering Lead
    • Data Classification: Public frontend, Internal/Confidential API interactions
    • Environment: Render (CDN with HTTPS)
    • Access: Public pages, mobile app, authenticated routes for customer portals

Collaboration and Productivity Tools

  • Google Workspace
    • Owner: Operations Lead
    • Data Classification: Mix of Confidential (customer communications), Internal, and Public
    • Data Types: Email, documents, spreadsheets, presentations, calendar
    • Environment: Google Cloud (encryption at rest and in transit)
    • Access: SSO with 2FA enforcement, domain restrictions
    • DLP: Google Workspace DLP rules for sensitive data

Development and Source Control

  • GitHub Repositories
    • Owner: Engineering Lead
    • Data Classification: Internal (source code), Public (open source components)
    • Environment: GitHub (private repositories)
    • Access: 2FA required, branch protection, code review requirements
    • Secrets Management: GitHub Secrets for CI/CD, no secrets in code

Endpoint Devices

  • Employee Laptops and Workstations
    • Owner: Individual employee (managed by Operations/IT)
    • Data Classification: Confidential (may cache customer data)
    • Security Controls: Full-disk encryption, screen lock, antivirus, patch management
    • Access: Individual user accounts, company-managed where possible

4.3 Inventory Maintenance

  • Asset inventory is reviewed and updated quarterly
  • New assets are added within 30 days of deployment or acquisition
  • Decommissioned assets are documented and removed after secure disposal
  • Annual comprehensive review conducted by Security Lead with asset owners

5. Asset Ownership and Accountability

5.1 Asset Owner Responsibilities

Each information asset is assigned an Asset Owner who is accountable for:

  1. Security and Compliance

    • Ensuring appropriate technical controls are implemented and maintained
    • Verifying data classification is correct and documented
    • Coordinating security assessments and audits
    • Implementing remediation for identified vulnerabilities
  2. Access Management

    • Reviewing and approving access requests
    • Conducting quarterly access reviews
    • Ensuring least privilege principles are followed
    • Revoking access promptly when no longer needed
  3. Data Protection

    • Ensuring encryption requirements are met (at rest and in transit)
    • Verifying backup and recovery procedures are operational
    • Coordinating data retention and disposal activities
    • Responding to data subject access requests affecting the asset
  4. Incident Response

    • Participating in security incident investigations
    • Providing technical expertise during incident response
    • Implementing corrective actions post-incident
  5. Lifecycle Management

    • Planning for asset upgrades, migrations, or replacements
    • Coordinating secure decommissioning procedures
    • Maintaining documentation and configuration records

5.2 Asset Owner Assignments

| Asset Category | Primary Owner | Backup |
|---|---|---|
| Production databases and APIs | Engineering Lead | CTO/Security Lead |
| Supabase infrastructure | Engineering Lead | CTO/Security Lead |
| Render hosting services | Engineering Lead | CTO/Security Lead |
| Google Workspace | Operations Lead | CTO/Security Lead |
| Source code repositories | Engineering Lead | Senior Developer |
| Employee endpoints | Individual User | Operations Lead |
| Security and monitoring tools | Security Lead | Engineering Lead |

6. Asset Lifecycle Management

6.1 Phase 1: Planning and Acquisition

Before deploying new assets or systems:

  1. Business Justification

    • Document business need and expected data types to be processed
    • Identify data classification levels that will be handled
    • Determine if the asset will process customer-scoped data
  2. Security Assessment

    • Conduct vendor security due diligence for third-party services
    • Review security features: encryption, access controls, logging, backup
    • Assess compliance capabilities (SOC 2, ISO 27001, GDPR, etc.)
    • Evaluate data residency and sovereignty requirements
  3. Privacy Review

    • Determine if a Data Processing Agreement (DPA) is required
    • Review vendor’s privacy policy and data handling practices
    • Assess data transfer mechanisms for international vendors
    • Document in privacy impact assessment if processing sensitive data
  4. Approval and Procurement

    • Security Lead approval required for systems processing Confidential data
    • Executive approval for services with annual cost >$10,000 or strategic importance
    • Contract review for security and privacy terms

6.2 Phase 2: Deployment and Configuration

During implementation:

  1. Secure Configuration

    • Apply security baselines and hardening guidelines
    • Enable encryption at rest and in transit
    • Configure logging and monitoring
    • Implement network security controls (firewalls, security groups)
  2. Access Control Setup

    • Configure authentication (SSO, 2FA where available)
    • Implement role-based access control (RBAC)
    • Apply least privilege principles
    • Document access procedures
  3. Data Protection

    • Configure backup and recovery procedures
    • Set retention policies aligned with data retention schedule
    • Enable data loss prevention (DLP) rules where applicable
    • Implement encryption key management
  4. Documentation

    • Add asset to inventory with all required fields
    • Document configuration and architecture
    • Create runbooks for common operations
    • Update disaster recovery and business continuity plans
  5. Testing and Validation

    • Verify security controls are functioning
    • Test backup and recovery procedures
    • Validate access controls and permissions
    • Conduct security testing (vulnerability scanning, penetration testing for critical systems)

6.3 Phase 3: Operational Use

During active operation:

  1. Continuous Monitoring

    • Monitor logs for security events and anomalies
    • Track system performance and availability
    • Review access logs and authentication attempts
    • Alert on configuration changes
  2. Access Reviews

    • Quarterly access reviews by asset owners
    • Immediate revocation upon employee departure
    • Validation that access remains necessary and appropriate
    • Documentation of review results
  3. Maintenance and Updates

    • Apply security patches within 30 days (critical: 7 days)
    • Update dependencies and libraries regularly
    • Review and update configurations as needed
    • Conduct annual security assessments
  4. Compliance Activities

    • Participate in audits and assessments
    • Maintain evidence of control effectiveness
    • Update documentation for changes
    • Respond to compliance findings
  5. Backup Verification

    • Validate backup completion daily/weekly
    • Test restoration procedures quarterly
    • Verify backup encryption and access controls
    • Maintain backup retention per policy

6.4 Phase 4: Decommissioning and Disposal

When retiring assets or systems:

  1. Decommissioning Planning

    • Identify all data locations (primary, backups, caches, logs)
    • Determine data migration needs (if replacing system)
    • Assess legal hold and retention requirements
    • Schedule decommissioning during maintenance window
  2. Data Migration (if applicable)

    • Migrate required data to replacement system
    • Validate data integrity post-migration
    • Update application configurations and integrations
    • Test replacement system functionality
  3. Access Revocation

    • Disable all user and service account access
    • Revoke API keys and credentials
    • Remove network access and firewall rules
    • Delete service accounts and authentication tokens
  4. Data Destruction

    • Delete data from primary storage locations
    • Purge backups per retention schedule (or request early deletion)
    • Clear cached data and temporary files
    • Verify deletion through logs or provider confirmation
  5. Documentation and Closeout

    • Document decommissioning date and method
    • Update asset inventory (mark as decommissioned)
    • Obtain certificates of destruction for physical media
    • Archive configuration and architecture documentation
    • Close vendor accounts and cancel subscriptions

6.5 Physical Asset Disposal

For endpoint devices and physical hardware:

  • Full-disk encryption must be enabled throughout the device lifecycle, so that a lost, stolen, or improperly wiped drive exposes only ciphertext
  • Before disposal: Perform a secure wipe following NIST SP 800-88 (Guidelines for Media Sanitization); for drives that were encrypted from first use, cryptographic erase (destroying the disk encryption key) is an accepted 800-88 purge method and is the practical option for SSDs, where overwriting cannot reliably reach every cell
  • If secure wipe is not possible: Physical destruction by certified vendor
  • Maintain disposal records including date, method, and responsible party
  • Obtain certificate of destruction from disposal vendor

7. Data Classification Integration

All assets in the inventory must document the classification level(s) of data they process or store:

  • Confidential: Customer data, financial data, authentication credentials, security configurations
    • Requires: Encryption at rest and in transit, access logging, restricted access, DLP monitoring
  • Internal: Business plans, internal communications, non-public metrics, employee data
    • Requires: Internal-only access, authentication, basic logging
  • Public: Marketing content, public documentation, published blog posts
    • Requires: Integrity controls, change management, publication approval

Asset owners must verify and update data classification during quarterly inventory reviews.

8. Controls by Asset Type

8.1 Database and Storage Assets

  • Encryption at rest (provider-managed keys)
  • TLS for all connections (sslmode=require at minimum; prefer sslmode=verify-full, since require only encrypts the session and does not verify the server's certificate, leaving the connection open to an on-path impersonator)
  • Row-level security policies (Supabase) so that per-tenant isolation is enforced by the database itself, not only by the application layer
  • Automated backups with tested recovery
  • Access restricted to application service accounts
  • Database activity logging and monitoring
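The row-level security control above is the one most likely to be misconfigured silently, because Postgres ignores every policy on a table until RLS is explicitly enabled. The following is an added example, not Nemu's own schema or migration: it assumes a hypothetical `customer_documents` table keyed by an `owner_id` that matches the Supabase auth user id, uses Supabase's `auth.uid()` helper, and finishes with a rolled-back check that impersonates two users via the `request.jwt.claims` setting that `auth.uid()` reads.

```sql
-- Added example: per-customer table isolated with Postgres row-level security,
-- written for Supabase. Table, column and policy names are assumptions.
create table if not exists customer_documents (
  id          uuid primary key default gen_random_uuid(),
  owner_id    uuid not null,             -- assumed to match auth.users.id
  title       text not null,
  body        text,
  created_at  timestamptz not null default now()
);

-- GRANT controls whether a role may touch the table at all; RLS then decides
-- which rows. Both are needed: RLS without a grant is a permission error,
-- a grant without RLS is every row to every authenticated user.
grant select, insert, update, delete on customer_documents to authenticated;

-- RLS is off by default. Without this line every policy below is ignored.
alter table customer_documents enable row level security;
-- FORCE applies the policies to the table owner as well.
alter table customer_documents force row level security;

-- One policy per command keeps the grants minimal and easy to audit.
-- USING filters rows a statement may see; WITH CHECK constrains rows it may write.
create policy "owner can read own documents"
  on customer_documents for select
  to authenticated
  using (owner_id = auth.uid());

create policy "owner can insert own documents"
  on customer_documents for insert
  to authenticated
  with check (owner_id = auth.uid());

create policy "owner can update own documents"
  on customer_documents for update
  to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());   -- blocks reassigning a row to someone else

create policy "owner can delete own documents"
  on customer_documents for delete
  to authenticated
  using (owner_id = auth.uid());

-- No policy is created for the anon role: anonymous requests see zero rows.

-- Verification, run inside a transaction so nothing persists. Supabase's
-- auth.uid() reads the JWT subject from the request.jwt.claims setting, which
-- lets a test impersonate two users and confirm they cannot see each other.
begin;
  set local role authenticated;
  set local request.jwt.claims =
    '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}';
  insert into customer_documents (owner_id, title)
    values (auth.uid(), 'alice note');          -- passes WITH CHECK

  set local request.jwt.claims =
    '{"sub":"22222222-2222-2222-2222-222222222222","role":"authenticated"}';
  -- Expected: visible_to_bob = 0, because bob's uid never matches alice's owner_id.
  select count(*) as visible_to_bob from customer_documents;
rollback;
```

Two caveats belong in any runbook that uses this pattern. First, the Supabase service-role key bypasses RLS entirely, so it must only ever be held by trusted server-side code and never shipped to a browser or mobile client; the anon and authenticated roles are the ones these policies govern. Second, the `set local role` step assumes the connecting database user is allowed to switch to `authenticated`, which is true for the default Supabase `postgres` user but may not hold on a locked-down connection.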

8.2 Application Services

  • Secure coding practices and code review
  • Authentication and session management
  • Input validation and output encoding
  • Security headers and HTTPS enforcement
  • Environment-based secret management
  • Application logging and error tracking
  • Dependency vulnerability scanning

8.3 Collaboration Tools (Google Workspace)

  • 2FA enforcement for all users
  • Domain restrictions on file sharing
  • DLP rules for sensitive data patterns
  • External sharing restrictions
  • Retention policies per data retention schedule
  • Audit logging enabled
  • Context-aware access policies

8.4 Endpoint Devices

  • Full-disk encryption required (FileVault, BitLocker)
  • Automatic screen lock (5 minutes)
  • Antivirus/EDR software installed
  • Operating system and application patching
  • Company-managed where feasible
  • Lost/stolen device remote wipe capability

8.5 Third-Party Services

  • Vendor security assessment before onboarding
  • Data Processing Agreements executed
  • Access via SSO where available
  • Least privilege service accounts
  • Periodic vendor security reviews
  • Documented in asset inventory

9. Audit Evidence

The following evidence demonstrates compliance with this program:

  • Current asset inventory with all required fields (including data classification)
  • Asset owner assignments and responsibilities documentation
  • Quarterly inventory review records
  • New asset onboarding security assessments
  • Decommissioning and disposal records
  • Access review documentation
  • Vendor security assessment reports
  • Management approval of this program
  • Training records showing program communication to constituents

10. Compliance Mapping

| Framework | Control References |
|---|---|
| SOC 2 | CC1.3 (Organizational structure), CC6.1 (Logical access, including the inventory of information assets), CC8.1 (Change management) |
| ISO 27001:2013 | A.8.1.1 (Inventory of assets), A.8.1.2 (Ownership of assets), A.8.1.3 (Acceptable use of assets), A.8.2.1 (Classification of information) |

11. Related Documents
  • Data Classification and Handling Policy
  • Acceptable Use Policy
  • Asset Destruction and Secure Disposal Procedures
  • Encryption and Key Management Policy
  • Access Control Policy
  • Data Retention and Disposal Schedule
  • Vendor Security Assessment Procedures

12. Policy Metadata

| Attribute | Value |
|---|---|
| Document Owner | Head of Engineering |
| Approval Authority | CEO |
| Approved Date | 11/16/2025 |
| Last Reviewed | 11/16/2025 |
| Next Review Date | 11/16/2026 |
| Version | 2.0 |

Questions or Concerns: support@mynemu.com
General Support: support@mynemu.com

© 2025 Nemu Inc. All rights reserved.