Asset & Configuration Management Policy
1. Purpose
Provide a framework for identifying, recording and maintaining Clerk.io assets and for ensuring that systems are configured according to approved security baselines.
2. Scope
- All hardware, software, data and cloud resources that process, store or transmit Clerk.io information.
- Applies to production, staging and corporate IT environments.
3. Asset Inventory
- The authoritative inventory is managed in Jira CMDB and synchronised nightly by internal AI agents.
- Each asset record includes owner, classification, location and lifecycle status.
- New assets must be registered before being placed into service.
4. Configuration Management
| Phase | Requirement |
| --- | --- |
| Baseline Definition | SRE defines hardened images (CIS-benchmarked container base images, Terraform modules, MDM laptop profiles). |
| Change Control | Deviations require GitHub Pull Request, peer review and automated policy-as-code checks. |
| Versioning | All IaC modules are semver-tagged; production environments pin to specific tags. |
| Drift Detection | Daily Terraform Cloud drift runs; Better Stack alert on unmanaged resources. |
5. Hardening Standards
- Cloud account defaults follow CIS AWS Foundations Benchmark v1.5.
- Endpoint devices enforce FileVault / BitLocker, password complexity and auto-patching.
- Docker images scanned with Trivy; High/Critical CVEs blocked at build time.
6. Monitoring & Review
- Internal AI agents continuously compare running resources against baselines.
- Bi-monthly audit of inventory vs. financial fixed-asset register.
7. Roles & Responsibilities
| Role | Responsibility |
| --- | --- |
| SRE Lead | Maintain IaC baselines and drift detection tooling |
| Information Security Manager | Approve hardening standards & review exceptions |
| Asset Owners | Keep asset metadata current; initiate decommissioning |
8. Decommissioning
- Servers: data wiped using sdelete or cloud crypto-erasure; tickets archived.
- End-user devices: MDM wipe & hardware returned to IT.
9. Exceptions
All exceptions documented in Jira SECURITY queue with compensating controls and expiry date.
Evidence IDs: INV-01, CFG-01, CFG-02 (see Controls Matrix).