Off-site Assets Procedure
Owner: Security Officer · Approved by leadership · Version 1.0 · Effective 27 May 2026 · Next review 27 May 2027
1. Purpose
This procedure governs the handling of Glassbreak assets that are temporarily held outside Glassbreak-controlled premises — in workforce members' homes, in transit between locations, with contractors performing time-bounded work, or with third parties under formal arrangement. It exists so that off-site assets remain inventoried, traceable, and recoverable, and so that loss or non-return is detected promptly.
2. Scope
This procedure applies to:
- Managed workstations and mobile devices held by workforce members away from a Glassbreak office, including remote workers' home-office equipment.
- Hardware security keys issued to workforce members.
- Removable media approved under the Clear Desk & Clear Screen Procedure §3.4.
- Devices loaned to contractors, advisors, or interns for the duration of an engagement.
- Devices in transit between Glassbreak workforce members, between offices, or to a disposal service.
- Any physical document or token marked as confidential that has been removed from a Glassbreak office.
3. Asset register
- Glassbreak maintains an asset register listing every asset in scope of this procedure. The register records: asset class, manufacturer and model, serial number, issued-to workforce member or third party, issue date, expected return date (where applicable), and current location category (assigned-home, in-transit, on-loan, in-stock).
- The register is the source of truth for what Glassbreak owns and where it is held; the asset register feeds the decommissioning register at end of life (see the Endpoint Decommissioning Procedure §4.1).
- Every change to a register entry — issuance, transfer, return, loss, decommissioning — is recorded with the date and the executor.
4. Procedure
4.1 Issuance
- An asset is selected from stock by the Security Officer (or delegate) for issuance to a workforce member or contractor.
- The asset is prepared per the Onboarding Policy §4.1: full-disk encryption enabled, managed profile installed, MFA enrolled, screen-lock configured.
- The recipient signs an acknowledgement that they have received the asset, that they have read this procedure, and that they will return the asset on the earlier of: completion of engagement, request from the Security Officer, or any event triggering the lost-or-stolen-device handling at section 4.5.
- The asset register entry is updated: assigned-to, issue date, expected return date (for contractor loans), and current location category.
4.2 In-transit
- Assets in transit between locations are shipped via tracked carrier with delivery confirmation.
- The shipping reference is recorded against the asset register entry; the entry remains marked in-transit until receipt is confirmed.
- Devices in transit are not pre-loaded with persistent credentials. Setup is performed by the receiving workforce member under the Onboarding Policy §4.
- For high-value or high-sensitivity assets, hand delivery may be substituted for shipping at the Security Officer's discretion.
4.3 Assigned to a remote home office
- The workforce member is responsible for safekeeping of the asset while it is in their custody, per the Remote Working Procedure.
- The asset is kept at the home-office address recorded in the asset register. Any prolonged move (longer than a single travel trip) requires notice to the Security Officer and an update to the register.
- The asset is presented for inspection on request from the Security Officer; spot-check inspections may be performed at any time, including by video call where in-person inspection is impractical.
4.4 Assigned to a contractor or third party
- Assets loaned to a contractor or third party are issued only under a written engagement that includes an obligation to return the asset by a specified date and to comply with this procedure and the Remote Working Procedure while the asset is in their custody.
- The asset is configured with the minimum credentials necessary for the engagement. Production access from a loaned asset requires the same MFA and managed-device controls as for workforce members (/policies/onboarding §4).
- The expected return date in the asset register is aligned to the contracted end of the engagement; an earlier return may be requested at any time.
4.5 Loss reporting
Loss, theft, or suspected compromise of an off-site asset is handled under the same procedure as for any other lost or stolen device:
- The workforce member or contractor in custody of the asset reports the loss to the Security Officer immediately, by any available channel, without waiting for confirmation of theft or further investigation, per the Remote Working Procedure §4.6 step 1.
- The Security Officer initiates the expedited access revocation under /policies/offboarding §5.2 and the credential rotation under /policies/offboarding §6 as applicable to the lost asset.
- The asset register entry is updated to lost and cross-referenced to the incident-register entry opened under the Incident Response Policy.
- If the asset is subsequently recovered, the recovery triggers the loss-of-trust path of the Endpoint Decommissioning Procedure §3 — the device is not returned to service without decommissioning.
4.6 Return on completion
An asset is returned in the following events:
- Workforce member departure, per the Offboarding Policy §7.
- End of the contractor or third-party engagement.
- Hardware refresh, fault, or replacement.
- Any request from the Security Officer.
Return procedure:
- The asset is shipped or hand-delivered to the Security Officer (or designated address) by the agreed return date. Tracked shipping is required for posted returns.
- The asset register is updated to received-pending-wipe on receipt; the serial number is verified against the register entry.
- The asset is wiped or destroyed per the Endpoint Decommissioning Procedure before being marked in-stock, re-issued, sold, donated, or disposed.
- The asset register entry is closed (for disposal) or re-issued (for return to stock) and the change is recorded.
4.7 Retrieval if not returned
If an asset is not returned by the agreed date:
- The Security Officer contacts the workforce member or contractor in writing requesting return within 5 business days.
- If the asset is not returned within that period, the matter is escalated:
  - For a workforce member departure, treat as failure to return assets per the Offboarding Policy §7 (logging and, where contractually permitted, deduction from final payments).
  - For a contractor or third party, follow the return-recovery remedies in the engagement agreement; escalate to legal counsel if recovery cannot be achieved by direct request.
- The asset is treated as a loss under section 4.5 until physically recovered. All credentials within the asset's blast radius are rotated under /policies/offboarding §6.
- An incident record is opened under the Incident Response Policy and triaged.
5. Periodic verification
- The asset register is reviewed at least quarterly by the Security Officer. Each entry is confirmed against the recorded custodian.
- Sample inspections are performed for at least 10% of assigned assets per quarter (or all assets for small inventories), with a request to the custodian to confirm location and condition.
- Discrepancies between the register and the inspection result are tracked as corrective actions until resolved.
6. Records
- The asset register is retained while any entry is active; closed entries are retained for at least 5 years.
- Issuance acknowledgements, shipping references, inspection results, and loss reports are filed against the relevant register entry.
- Loss incidents are recorded in the incident register per the Incident Response Policy.
7. Review
This procedure is reviewed at least annually and after any lost-asset or non-return incident. The next scheduled review is 27 May 2027.
8. Related documents
- Information Security Policy
- Onboarding Policy (§4)
- Offboarding Policy (§5, §6, §7)
- Incident Response Policy
- Remote Working Procedure (§4.6)
- Endpoint Decommissioning Procedure
- Clear Desk & Clear Screen Procedure (§3.4)
Counter-signed PDF copy available on request to compliance@glassbreak.io.