Purpose
This procedure establishes how Maelstrom AI identifies, classifies, tracks, and protects information assets throughout their lifecycle.
Asset Classification
Levels
| Level | Definition | Examples | Handling |
|---|---|---|---|
| Restricted | Highest sensitivity | Signing keys, HMAC secrets | Cloudflare KV only, strict access |
| Confidential | Internal sensitive | API tokens, internal docs | Password managers, team-only access |
| Internal | Internal use | Team communications, designs | Team access, not public |
| Public | Can be disclosed | Source code, ISMS docs, APIs | Published openly, GitHub/docs site |
Asset Categories
Cryptographic Assets (Restricted):
- RedJubjub signing keys
- HMAC authentication secrets
- API keys for infrastructure
Code & IP (Public):
- Source code repositories (open source)
- Cryptographic implementations
- SDK code
Infrastructure (Internal/Confidential):
- Cloudflare account access
- GitHub administrative access
- Configuration data
Operational Data (Internal):
- Audit logs (including IP addresses)
- Analytics data
Asset Register
See Asset Register for complete inventory.
- Maintained by: Security Lead
- Review frequency: Quarterly
- Updates: When assets are added, changed, or retired
Asset Ownership
All assets are assigned an owner (by role):
- ISMS Owner. Overall asset responsibility, signing keys
- Security Lead. Security controls, audit logs
- Developer. Code repositories, development assets
Asset Lifecycle
Acquisition
- Document in asset register
- Classify appropriately
- Assign owner
- Implement controls based on classification
Use
- Handle per classification level
- Access controls enforced
- Audit logging where appropriate
Disposal
- Follow Data Retention Policy
- Cryptographic erasure for sensitive assets
- Document disposal in asset register
Related Documents
Document Information
- Version. 1.1
- Effective Date. 2025-01-13
- Last Updated. 2026-02-16
- Owner. ISMS Owner
- Review Frequency. Annually
- Classification. Public