8.2.2.8 IT Asset Management Standard

Summary

The purpose of this standard is to define which assets must be inventoried, identify the attributes that must be included in any asset inventory, and establish appropriate oversight roles, responsibilities, and procedures for asset management.

Body

Purpose

The objective of asset management is to maximize the value, usage, and performance of an organization’s technology assets while minimizing the risk, cost, and downtime associated with managing those assets.  It involves tracking, inventorying, monitoring, maintaining, and disposing of hardware, software, and related Information Technology (IT) assets in an organized and cost-effective manner.  The purpose of this standard is to define which assets must be inventoried, identify the attributes that must be included in any asset inventory, and establish appropriate oversight roles, responsibilities, and procedures for asset management.

Supporting Policy

IT Asset Management Policy

Standard

Asset management is critical to IT's ability to understand asset usage and purpose at the University and to apply that knowledge to cybersecurity strategy. The Office of Information Technology and Department Information Technology must maintain adequately detailed inventories of all technology assets supporting University missions.

Definitions

  1. Recovery Time Objective (RTO), defined as the maximum time allowed for the recovery of an IT system or service following an interruption.
  2. Recovery Point Objective (RPO), defined as the acceptable amount of data loss measured in time.
  3. Information Systems Category, indicates how critical the asset is (e.g., Essential, Mission-Critical, Non-Critical).
  4. Data Classification, the process of categorizing Information Systems and Data into distinct classes for the purpose of identifying Information Security control requirements.
  5. Type of Asset, used to help classify the type of asset. The classification allows the attributes applicable to the item type to be displayed.
  6. Purchase Price, how much the asset cost at the time of purchase.
  7. Asset Owner, also known as Assigned To.  This is the person the asset is issued to or the primary contact for the asset. 
  8. Asset Administrator, an individual or group with principal responsibility for the installation, configuration, security, and ongoing maintenance of assets. The administrator role is usually performed by personnel with an Information Technology job title.
  9. Asset Name or Fully Qualified Domain Name, the name of an asset or the complete domain name that identifies an asset on the network.
  10. Data Owner, a senior OU administrator accountable for the quality and maintenance of one or more Authoritative Sources of data relied upon for key OU operations.
  11. Data Steward, named by a Data Owner to develop and implement rules and procedures needed to ensure data and security policies set by the Data Owner are enforced.
  12. Purpose, indicates the specific university mission the asset supports (e.g., University Mission - Operations: Includes administrative and technical functions, University Mission - Teaching / Learning: Includes faculty; classroom and computer lab functions, University Mission - Research: Includes research functions, University Mission - Healthcare: Includes clinical and patient care functions).
  13. Device ID or Asset Tag, the OU-assigned or department-assigned property number.
  14. Serial Number, the identification number of the asset as defined by the product manufacturer.  This could include a serial number, IMEI, or similar unique number approved by the IT Asset Management team as the appropriate attribute.
  15. MAC Address, a media access control address is a unique identifier assigned to a network interface controller (NIC) for use as a network address in communications within a network.
  16. Manufacturer, a person or company that makes goods for sale.
  17. Model, the model of a product made by a manufacturer.
  18. Building and Room, the actual physical location of the asset.
  19. Cabinet and Row, the cabinet and row where the asset is located within an OU IT Data Center.
  20. # of Hard Drives, total number of hard drives.
  21. Operating System Version, the operating system and version release.
  22. Encryption Status, indicates if the storage drive(s) is encrypted.
  23. Date of Encryption, indicates the date the encryption was enabled.
  24. Asset Status, the status of the asset (e.g., In Use, Retired, Disposed, Lost/Stolen, Repair, Reserve).
  25. IP Address, the Internet Protocol (IP) address of the network interface controller.
  26. Software Name, the name of the software application.
  27. # of Licenses, the total number of user, site, or campus licenses purchased.
  28. Links to Manuals, links to administrative or user manuals.
  29. Vendor, the name and contact information of the asset vendor.
  30. Software Version, the version purchased, if applicable.
  31. Type of Service, indicates the type of third-party service (e.g., Infrastructure-as-a-Service [IaaS], Platform-as-a-Service [PaaS], or Software-as-a-Service [SaaS]).

Asset Attributes

  1. Technology asset inventories must maintain the attributes defined in the IT Asset Management Attributes attached to this Standard.

Revision, Review, and Approval History

  • August 2023: Draft version opened for comments
  • November 2023: Comment period closed.
  • February 2024: Cybersecurity and Infrastructure Advisory Committee (CIAC): Reviewed standard, recommended for approval
  • July 2024: Standard approved by Chief Information Officer

Details

Article ID: 3034
Created: Tue 8/22/23 12:36 PM
Modified: Wed 7/17/24 4:29 PM

Related Articles

The purpose of this policy is to define which assets must be inventoried, identify the attributes that must be included in any asset inventory, and establish appropriate oversight roles, responsibilities, and procedures for asset management.
