8.2.1.15 IT Asset Management Policy

Purpose

The objective of asset management is to maximize the value, usage, and performance of an organization’s technology assets while minimizing the risk, cost, and downtime associated with managing those assets.  It involves tracking, inventorying, monitoring, maintaining, and disposing of hardware, software, and related IT assets in an organized and cost-effective manner.  The purpose of this policy is to define which assets must be inventoried, identify the attributes that must be included in any asset inventory, and establish appropriate oversight roles, responsibilities, and procedures for asset management. 

Definitions

See Information Technology and Security Definitions 

Scope

This policy applies to information technology (IT) assets owned, leased, operated, or managed by the University and include the following: 

  • Computers 
    • User Endpoint (desktops, laptops)   
    • Mobile Devices (tablets, smartphones) 
  • Displays 
    • Monitors, Televisions, Projectors  
  • Items that have an operating system 
    • Servers 
    • Storage Systems 
    • Network Devices and appliances 
  • Items that connect to the university network 
  • Items that add modular capacity or functionality to another asset through a (chassis) slot or port 
  • Any removable media (flash drives, external hard drives, etc.) that will store/interact/transmit federally regulated data 
  • Software, interfaces, databases, and data 
  • Personally-owned devices used in OU’s Research or Service mission 

Responsible Office

The Chief Information Officer (CIO), with assistance/support from the Office of Compliance, is responsible for administering this policy and ensuring compliance.  Internal Audit or other departments may periodically assess compliance with this policy and report violations to the Board of Regents. 

Web Address For This Policy

https://universityok.navexone.com/content/docview/?docid=377&public=true

Policy Statement

Asset management is critical to IT's ability to understand asset usage and purpose at the University and to apply that knowledge to cybersecurity strategy.  The Office of Information Technology and Department Information Technology must maintain adequately detailed inventories of all technology assets supporting University missions.

Roles and Responsibilities

Office of Information Technology (OU IT)

  1. The Office of Information Technology (OU IT) must maintain an Asset Management Program.
  2. OU IT must maintain a centralized system of record (computerized inventory) of all IT assets, except for data assets.
  3. OU IT Governance, Risk, and Compliance must maintain a centralized system of record (data catalog) of all data assets in accordance with the Data Governance Policy
  4. The OU IT Asset Management (ITAM) team shall be responsible for ensuring relevant data concerning end user devices and managed in OU IT device management platforms, are imported and updated as needed. 
  5. OU IT Learning Spaces shall be responsible for ensuring asset records are maintained for audio/video (A/V) equipment in centrally-managed academic spaces.
  6. The ITAM team shall monitor devices in the Asset Management tools to discover changes in usage, location, and support.
  7. The ITAM team shall monitor asset management discovery tools using multiple protocols (WMI, SSH, SNMP, UPnP, and installed agents) to ensure asset management information remains accurate.
  8. The ITAM team shall use integrations with other tools as they become available.
  9. The OU IT Network and Telecom team shall be responsible for entering asset inventory data used to track OU IT data center network equipment locations, network, and telecom equipment.
  10. The OU IT Operations team shall be responsible for entering asset inventory data used to track OU IT data center server assets.
  11. The OU IT Endpoint Management Lifecycle Management Team shall be responsible for managing the Computer Standardization Program.
  12. The OU IT Business Office shall be responsible for providing campus license information to be tracked.
  13. Upon request, the OU IT Business Office shall provide data from vendors and tools to update billing or purchase attributes. 
  14. OU IT shall make available an Asset Inventory spreadsheet template to facilitate Departmental IT asset inventory until the system of record is available for use.

Asset Administrator(s)

  1. Asset Administrator(s) shall be responsible for verifying specific user information associated with end user devices and connected peripherals.
  2. Asset Administrator(s) shall be responsible for notifying ITAM on asset status change (location change, disposition, owner).
  3. Asset Administrator(s) shall be responsible for managing A/V equipment assets when owned by the department.
  4. Asset Administrator(s) shall be responsible for maintaining a Departmental IT asset inventory that includes at a minimum, the required attributes defined in the IT Asset Management Standard, until the system of record is available for use.

Asset Tagging

  1. Physical assets with a purchase price greater than $5,000 must have a University of Oklahoma asset tag affixed.  Asset tags are not to be removed and should be considered permanently affixed to the asset. 

Asset Identification

  1. All physical assets shall be assigned a unique and descriptive asset name or identifier and be tracked through the entire lifecycle.

Asset Deployment

  1. After new technology has arrived and been inventoried, all current university processes such as OU Property Control tagging shall be followed. 
  2. Each piece of technology must be submitted to the Asset Management tool.  Depending on the type of technology, specific criteria must be captured, in accordance with the IT Asset Management Standard – Asset Attributes.

Asset Transfers

  1. Knowing when assets change locations, owners, or receive new parts that should be tracked, the technician responsible for the asset must update the asset information.

Asset Retire/Disposition

  1. Physical asset disposal activities must be recorded in the system of record and must contain at a minimum:
    1. Serial number
    2. University asset tag, if applicable
    3. Description of asset
    4. Name of person or company completing data destruction
    5. Data destruction method used.

Verification of Inventory

  1. Asset Administrator(s) must conduct a verification of the asset inventory and attributes, at least annually and more often as necessary.
  2. Asset Administrator(s) must submit annually to OU IT a department asset inventory with required attributes.
  3. If assets are lost or stolen, the Asset Owner must submit a police report with their campus OU Police Department and submit a Security Incident Report with a copy of the police report attached.

Asset Acquisition/Procurement

  1. New asset technology purchases must follow all processes currently in place, such as the Computer Standardization Policy, Printer Standardization Program, and Cybersecurity Policy – Security Assessment.

References

  • National Institute of Standards and Technology Cybersecurity Framework (CSF), ID.AM-1, ID.AM-2, ID.AM-4, ID.AM-5
  • National Institute of Standards and Technology Special Publication 800-171, Protecting Controlled Unclassified Information: 3.4.1, 3.1.20, 3.1.21
  • Health Insurance Portability and Accountability Act of 1996 (HIPAA), Security Rule §164.308(a)(1)(ii)(A), 164.308(a)(2)(ii), 164.310(d), 164.308(a)(1)(ii)(A), 164.308(a)(7)(ii)(E), 164.308(a)(4)(ii)(A), 164.308(b), 164.314(a)(1), 164.314(a)(2)(i)(B), 164.314(a)(2)(ii), 164.314(b)(2)
  • National Institute of Standards and Technology Special Publication 800-53 Revision 5, Security and Privacy Controls for Federal Information Systems, CM-8, PM-5, AC-20, SA-9, CP-2, RA-2, SA-14, SC-6
  • Payment Card Industry (PCI) Data Security Standards, 2.4, 9.9, 11.1.1, 12.3.3, 12.3.7, 1.1.1, 1.1.2, 1.1.3, 9.6.1, 12.2, 12.4, 12.5, 12.8, 12.9
  • OU Cybersecurity Policy
  • OU Vulnerability Management Program
  • OU IT Disaster Recovery Policy
  • OU IT Data Backup Policy

Revision, Review, and Approval History

  • August 2023: Policy drafted.  Opened for comments.
  • August 2023: Office of the Provost reviewed.  Submitted comments.
  • August 2023: Information Technology reviewed.  Submitted comments.
  • October 2023: Comment period closed.
  • November 2023: Cybersecurity and Infrastructure Advisory Committee reviewed.  Policy recommended for signature and approval.
  • May 2024: Policy approved and signed by University President.
100% helpful - 2 reviews
Print Article

Related Articles (2)

The Information Technology and Security Policy Definitions includes defined terms relevant to OU's IT and information security policies and standards.
The purpose of this standard is to define which assets must be inventoried, identify the attributes that must be included in any asset inventory, and establish appropriate oversight roles, responsibilities, and procedures for asset management.