Policy Owner: CISO
Effective Date: May 8, 2026
Reviewed: Annually
Next Review: May 8, 2027

Purpose

To identify organizational assets and define appropriate protection responsibilities. To ensure information receives an appropriate level of protection in accordance with its importance to the organization. To prevent unauthorized disclosure, modification, removal, or destruction of information stored on media.

Scope

All Neuroscale-owned or -managed information systems.

Inventory of assets

Assets associated with information and information-processing facilities that store, process, or transmit classified information are identified and inventoried. The Neuroscale asset inventory lives in Vanta and Rippling.

Ownership of assets

Each asset in the inventory is owned by a specific individual or group. Owners are responsible for maintaining and protecting the asset throughout its lifecycle.

Acceptable use of assets

Rules for acceptable use of information, assets, and information-processing facilities are documented in the Information Security Policy.

Loss or theft of assets

All Neuroscale personnel must immediately report the loss of any information system — laptop, smartphone, PDA, authentication tokens (key fobs, OTP generators, devices with a software auth token installed) — or any other device that can store or process Neuroscale data. Reporting: see Lost or stolen device.

Return of assets

All employees and third-party users return all organizational assets upon termination of employment, contract, or agreement. See the Offboarding procedure.

Handling of assets

Employees and contractors are expected to use reasonable judgment and exercise due care in protecting and maintaining issued equipment.
  • Equipment must be secured and properly attended whenever transported or stored outside company facilities.
  • All mobile devices are handled per the Information Security Policy.
  • Excepting employee-issued devices, no company computer equipment may be moved or taken off-site without management authorization.

Equipment maintenance

Workforce-issued laptops, mobile devices, and peripherals are maintained throughout their lifecycle to preserve confidentiality, integrity, and availability:
  • Patching & OS updates. Security and OS updates are enforced via Rippling MDM on company-issued devices; non-compliant devices are reported to the CISO and remediated. Deferral beyond the policy window requires CISO approval.
  • Refresh cycle. Laptops are refreshed on a 3–4 year cycle, sooner where the device no longer receives vendor security updates or is not capable of running supported endpoint controls. The CHRO and CISO maintain the refresh roster.
  • Hardware health. Battery, storage, and other hardware components are checked at refresh and on user-reported issue; replaced where they impair availability of business-critical functions.
  • Repair and warranty. Vendor repair is performed only by authorized providers. Confidential data is removed (or the device wiped) before any third-party repair where feasible; Confidential data must not be left on a device sent for repair without explicit CISO approval.
  • Off-cycle replacement. Devices used by personnel handling Confidential data may be replaced off-cycle on suspected compromise (treat as P0 / P1 incident — see Incident Response).

Asset disposal & re-use

Devices and media that stored or processed confidential data are securely disposed of when no longer needed. Data must be erased prior to disposal or re-use using an approved method, or a Certificate of Destruction (COD) must be obtained for devices destroyed by a third party. Refer to NIST SP 800-88r1 — Guidelines for Media Sanitization to select an appropriate method. The current device-disposal procedure and the approved third-party destruction-vendor list are documented in Records Disposal & Certificates of Destruction.

Customer asset return

Any physical assets owned by customers are promptly returned following service termination, in accordance with the contract or service agreement.

Exceptions

Requests for exceptions must be submitted to the CISO for approval.

Violations & enforcement

Report violations to the CISO. Violations can result in suspension of privileges and disciplinary action up to and including termination.

Version history

VersionDateDescriptionAuthorApproved by
1.0May 8, 2026Initial versionCameron WolfeIshan Jadhwani