|Corda Network Foundation||Document history|
1 Proposed policy
This document describes the Foundation’s approach to the management of IT assets in relation to Corda Network. Specifically, it describes methods for proper acquisition, installation, handling, tracking and disposal of IT assets to meet defined requirements. Requirements include ensuring adherence to company and industry standards, ensuring consistency throughout the Foundation, and conforming to customer, legal, and regulatory requirements.
Corda Network depends on a complex set of technology infrastructure to deliver capabilities to network participants. This infrastructure represents significant capital and operational investment by the Foundation. Effective management of this infrastructure as a portfolio of assets is important in order to optimise costs in support of the Foundation’s strategic objectives.
In the context of this document, an asset may be any Corda Network component of identifiable economic value to the Foundation. This includes, but is not limited to:
- Electronic equipment - servers, network appliances, hardware security modules etc.
- Storage infrastructure.
- Software licenses.
- Virtualised infrastructure components leased from cloud service providers.
- Supporting documentation.
- Contracts governing all of the above.
This policy applies to all assets across all Corda Network environments, including both pre-Production and Production environments.
This policy includes assets for both Corda Network core services (Doorman, Notaries, Network Map etc.) and any participant infrastructure operated by the Foundation on behalf of Corda Network participants (Corda node VMs etc.).
Excluded from this policy are:
- Assets not directly controlled by the Foundation.
- Foundation-controlled assets which are not dedicated to the support of Corda Network capabilities, e.g. personal use laptops, mobile devices, or general office infrastructure.
- Cloud-based resources as distinct assets. In the context of this document, a Microsoft Azure or AWS account may be considered an asset; individual cloud resources are treated as configuration parameters of that asset.
The Operator(s) is accountable for ensuring all assets are appropriately tracked throughout their lifecycle.
Each asset must have an assigned owner, who is responsible for the general maintenance and upkeep of the asset. The Operator(s) is accountable for ensuring that ownership of assets is assigned and tracked on an on-going basis to ensure compliance with this policy.
A register of asset ownership shall be maintained to provide internal visibility of the ownership of Foundation and Operator(s) assets.
5 Asset Assessment
The Foundation and Operator(s) shall assess, on an on-going basis, the extent to which their assets meet Corda Network requirements.
A formal asset assessment shall be conducted every 6 months, at a minimum. Asset assessments should also be conducted whenever a large turnover of assets is expected (for example, a large number of licenses are due to expire).
Outputs from asset assessments shall include:
- Identification of any gaps wherein the current asset inventory does not satisfy Corda Network requirements, or does not do so in an optimal way.
- Recommendations for additional assets to be acquired in order to address any gaps.
- Recommendations for disposal of any assets which are deemed surplus to requirements.
The Operator(s) is accountable for ensuring that asset assessments are carried out on a timely basis to an adequate level of rigour. The outcome of asset assessments must be ratified by the Foundation before carrying out any recommendations.
6 Cost Management
The Foundation shall monitor all costs accruing from Corda Network assets and manage them appropriately.
The Operator(s) is accountable for ensuring that the costs associated with the Corda Network inventory are measured, aggregated and reported on a regular basis, in a form which allows senior management to understand and assess the impact of inventory costs on Corda Network strategy.
Where costs relate to operation of an asset or group of assets (e.g. virtual machines allocated by Operator(s)), the owner of those assets must provide timely and accurate information to enable the reporting of these costs and their relationship to operational metrics (e.g. number of VMs, hours of operation etc.).
7 Asset Acquisition
Ultimate accountability for investment in Corda Network assets by the Operator(s) rests with the Operator(s). Acquisition decisions are made on the basis of:
- The asset meeting a clear requirement for the on-going or future delivery of Corda Network capabilities.
- The asset demonstrating cost effectiveness relative to alternative options.
7.1 Vendor selection
The Operator(s) must maintain a list of preferred vendors for specific asset types. The Operator(s) is accountable for maintaining and reviewing this list on a regular basis (every 6 months at a minimum).
Where a preferred vendor already exists for a given asset to be acquired, and the expected total purchase value is below $20,000 USD, the purchase may proceed with the preferred vendor according to standard Foundation acquisition policies, without conducting a vendor selection process. Where no preferred vendor exists, and/or the purchase is expected to exceed $20,000 USD, a separate vendor selection exercise must be carried out in advance of purchase.
Disposal of an asset is required whenever the following conditions apply:
- The asset is determined to no longer meet a requirement in the delivery of Corda Network capabilities;
- There is no reasonable expectation for the asset to be required for other Foundation purposes in the foreseeable future; and
- The continuing cost of ownership of the asset exceeds any expected benefits from retaining the asset.
The Operator(s) is accountable for ensuring the appropriate disposal of all assets which have reached the end of their lifecycle.
Disposal of all assets (including sale, transfer, donation, write off, physical disposal / recycling) must be done in adherence with all laws and regulations in the applicable jurisdiction.
Prior to disposal, measures must be taken to remove all sensitive data from assets in accordance with the Foundation’s information classification, information retention and data protection policies (as appropriate).