Asset & Configuration Management Policy
1. Purpose
Provide a framework for identifying, recording and maintaining Clerk.io assets and for ensuring that systems are configured according to approved security baselines.
2. Scope
- All hardware, software, data and cloud resources that process, store or transmit Clerk.io information.
- Applies to production, staging and corporate IT environments.
3. Asset Inventory
- The authoritative inventory is managed in Linear CMDB and synchronised nightly by internal AI agents.
- Each asset record includes owner, classification, location and lifecycle status.
- New assets must be registered before being placed into service.
- For all production assets, the designated ultimate asset owner is the Head of Product, who is accountable for risk acceptance and prioritisation of remediation.
- Day-to-day operational management of production assets (including keeping inventory attributes current) is delegated to the SRE Lead.
4. Configuration Management
| Phase | Requirement |
|---|---|
| Baseline Definition | SRE defines hardened images (CIS-benchmarked container base images). |
| Change Control | Deviations require a GitHub Pull Request, peer review and automated policy-as-code checks. |
| Versioning | All IaC modules are semver-tagged; production environments pin to specific tags. |
| Drift Detection | Daily configuration drift scans; Better Stack alert on unmanaged resources. |
5. Hardening Standards
- Cloud account defaults follow CIS AWS Foundations Benchmark v1.5.
- Production infrastructure (e.g. cloud servers, containers, managed services) follows hardened baselines via infrastructure-as-code; configuration changes are peer-reviewed and monitored for drift.
- Employee endpoint devices (laptops, mobiles) are treated as untrusted clients regardless of network location. They are not used to store customer data; access to customer data is only via strongly authenticated web applications and SaaS services (SSO with MFA) with data remaining in backend systems.
- Docker images are scanned for vulnerabilities; images with High/Critical CVEs are blocked at build time.
6. Monitoring & Review
- Internal AI agents continuously compare running resources against baselines.
- Bi-monthly audit of inventory vs. financial fixed-asset register.
7. Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Head of Product | Ultimate owner of all production assets and their associated risks |
| SRE Lead | Day-to-day operational management of production assets; maintain IaC baselines and drift detection tooling |
| Information Security Manager | Approve hardening standards and review exceptions |
| Asset Owners | Keep asset metadata current; initiate decommissioning |
8. Decommissioning
- Servers: data is wiped using secure erase or cloud crypto-erasure; tickets are archived.
- End-user devices: securely wiped and hardware returned to IT.
9. Exceptions
All exceptions are documented in the Linear SECURITY queue with compensating controls and an expiry date.
Evidence IDs: INV-01, CFG-01, CFG-02 (see Controls Matrix).