MailSlurp Asset Management Compliance
Below is a high-level overview of MailSlurp's Asset Management Policy and the processes used to track, protect, and retire company assets.
1. Asset Management Policy or Framework
MailSlurp's Asset Management Policy provides a structured approach to identifying, classifying, and securing all information assets throughout their lifecycle. This policy adheres to standard frameworks (e.g., ISO 27001, NIST SP 800-53) and ensures:
- Asset Identification and Ownership: Every physical and digital asset is assigned a unique identifier and designated owner, ensuring clear accountability for maintenance, usage, and disposal.
- Classification and Labeling: Assets are classified based on sensitivity (e.g., Confidential, Internal, Public) and labeled accordingly to guide handling and storage requirements.
- Lifecycle Management: Procedures are in place for onboarding, routine audits, and decommissioning. Decommissioned assets undergo secure sanitization to prevent unauthorized data exposure.
- Access Controls: Role-based access mechanisms govern who may modify, handle, or use each asset. Controls are periodically reviewed for continuous alignment with the principle of least privilege.
- Policy Enforcement and Reviews: The Asset Management Policy is reviewed annually or upon significant operational change to reflect evolving regulations and business needs.
2. Asset Management Process
MailSlurp implements a systematic asset management process comprising five key phases:
- Asset Registration: Newly procured hardware or software undergoes an intake procedure, during which each item is logged in the centralized Asset Registry. Ownership and classification levels are assigned at this stage.
- Change Tracking and Configuration Management: Updates to assets (e.g., firmware patches, new software versions) are recorded, providing real-time visibility into operational changes. Configuration checks ensure consistency with security baselines and compliance standards.
- Periodic Auditing: Routine inspections verify the accuracy of the Asset Registry, confirm the presence of necessary security controls, and uncover discrepancies or unauthorized assets. Findings trigger remediation tasks, which are tracked through our internal ticketing system.
- Incident Handling: If an asset is compromised or misused, incident response protocols guide containment, forensic analysis, and root-cause investigation. Lessons learned feed back into the policy to bolster future resilience.
- Decommissioning and Disposal: When an asset reaches end-of-life or is no longer in use, it undergoes secure disposal (e.g., cryptographic wiping of storage media). Decommissioning procedures ensure all sensitive information is removed and ownership records are updated.
3. Asset Inventory Overview
MailSlurp maintains a secure internal asset registry for systems, applications, devices, repositories, cloud resources, and service accounts used to deliver the platform. Public documentation intentionally summarizes categories rather than exposing internal identifiers or infrastructure details.
| Asset category | Examples | Control summary |
|---|---|---|
| Cloud infrastructure | Compute, storage, networking | Inventory, ownership, access review, logging |
| Application services | APIs, web applications, workers | Change tracking, deployment controls, monitoring |
| Data stores | Databases and object storage | Encryption, backups, least-privilege access |
| Source control | Repositories and build systems | Access review, branch protections, audit logs |
| Employee devices | Workstations and approved tools | Device management, encryption, offboarding checks |
Classification levels are assigned based on regulatory requirements and business impact. Ownership is assigned to accountable teams so updates, monitoring, and access control remain traceable.
4. Logical access
MailSlurp's Logical Access Management policy ensures that all access rights are provisioned, monitored, and revoked based on the principles of least privilege and role-based access control. We require formal approval before granting new or elevated permissions, with each request documented in our ticketing system and subject to periodic audit to validate ongoing necessity. Revocations occur immediately upon employee departure or change of role, and we maintain a detailed activity log of access modifications, including justifications and authorizations. Regular reviews of privileges help confirm that authorized personnel maintain only the minimum necessary access, enhancing security and compliance throughout the organization.