SYS 1035, Information Security: IT Asset Management and SYS 1035.A, Information Security: IT Asset Inventory Standard were distributed to campuses for review in February 2023. In lieu of listing institutional comments and UWSA’s responses in the associated summary document, UWSA has created this page due to the high volume of comments we received.
For questions or clarification, please contact the UW System office of Information Security at email@example.com.
Suggestion 1: Remove annual reporting requirement and limit reporting to ad hoc requests from UWSA departments.
- Resolution 1: Suggestion implemented. The policy has been updated to remove the requirement for annual reporting of IT inventories; however, a clause remains under which institutions must report IT inventory items upon request. Additionally, references to reporting in the related policy and procedure have been removed, and the guidance document will be rescinded.
Suggestion 2: Concern raised about the ability to keep inventories up to date within a month of changes; however, no alternative or suggestion was provided.
- Resolution 2: Suggestion not implemented. No action taken, given the lack of suggested alternatives and that only one institution raised this concern.
Suggestion 3: Consider adding definition for IT Lifecycle.
- Resolution 3: Suggestion not implemented. The term is defined within the sentence itself, which states that lifecycle management includes deployment, transfer and loan, and retirement and disposal.
Suggestion 4: Change the scope of when disposal requests must be documented and accompanied by justification, and limit it to physical assets. Challenges were noted with lower-value assets, such as Raspberry Pis, peripherals, etc.
- Resolution 4: Suggestion implemented. Language changed to require that institutional (documented) lifecycle management processes must identify when hardware IT asset disposal requests should be documented and accompanied by justification. This will provide institutions flexibility to require documentation aligned with their risk tolerance.
Suggestion 1: Limit inventories of IT assets in section 4.A.I to only assets that store or process high-risk data and/or are connected to trusted network security zones.
- Resolution 1: Suggestion not implemented. Concern seems to be specific to IT assets that would typically not fall within scope of the assets identified in section 4.A.I. This would potentially cause a major gap in intended coverage of inventories. For example, workstations of telecommuting employees may not be captured.
Suggestion 2: Limit the inventory of software and applications in section 4.A.II to those operating on hardware in a trusted network security zone and/or storing or processing high-risk data.
- Resolution 2: Suggestion not implemented. Concerns again appear to be focused on software that would not typically fall within the scope of the types of software listed in 4.A.II. For example, student-developed software written as part of an academic course would not be considered institution-built for academic and business use.
Suggestion 3: Concern raised that additional tools would be required to identify the location of IT assets, as required in section 4.A.I, since the rate of change is high.
- Resolution 3: Suggestion not implemented. No recommendations or suggested alternatives were provided. The language allows flexibility to designate the assigned user or department if the building and room are not known.
Suggestion 4: Clarify the statement in 4.A.I ‘If virtual, unique identifier of the virtualization software application that created the virtualized asset.’ It is not clear if this is referring to VMware, Hyper-V, or the build process used.
- Resolution 4: Suggestion implemented. Clarified this bullet point.
Suggestion 5: Concerns with defining ‘criticality of asset information’ in section 4.A.I. Defining criticality is subjective, would require manual input and review of each asset, and would prohibit automation of the asset inventory.
- Resolution 5: Suggestion not implemented. A default value may be assigned to all assets, and institutions are not required to change the default value. Institutions are strongly encouraged to adjust the criticality of assets as part of DRP and BCP efforts, in addition to ensuring critical assets are prioritized for other efforts, such as patching.
Suggestion 6: Limit ‘If inactive’ within 4.A.I to physical assets. Virtual assets do not need to be tracked once they are removed from service.
- Resolution 6: Suggestion implemented. Section revised to instead capture lifecycle status.
Suggestion 7: Recommend changing ‘licensed or institution-built’ to ‘licensed, used, or institution-built’ in section 4.A.II, inventory of software applications.
- Resolution 7: Suggestion not implemented, as this would be nearly impossible to capture where free software is downloaded or used by faculty and staff in the course of the academic mission. However, institutions can supplement this policy and standard to include such a requirement if they desire.
Suggestion 8: Similar to the comment above, recommend including software which may be in use and obtained without formal licensing, such as open source, ‘free’ services, etc. within the scope of software inventories.
- Resolution 8: Suggestion not implemented, as this would be nearly impossible to capture where free software is downloaded or used by faculty and staff in the course of the academic mission. However, institutions can supplement this policy and standard to include such a requirement if they desire. This can be considered in future iterations of this policy as an advancement once the initial inventory milestones are met.
Suggestion 9: In section 4.A.II (Host bullet point), why are individual hostnames needed if the software is installed locally? Suggest renaming the field to reflect the hosting provider instead and replacing ‘hostname or unique identifier’ with ‘Department(s) hosting the software’.
Similar suggestion – Remove the requirement for host information in section 4.A.II for software, as it creates duplicate information.
- Resolution 9: Suggestion implemented. This section was further revised taking this recommendation into consideration.
Suggestion 10: Suggested edits were provided by UW-Madison to the first paragraph of section 4.A.I.
- Resolution 10: Suggestion implemented in part; however, the expansion of the scope of identified IT assets was not incorporated. If institutions would like to inventory items beyond the scope of IT assets identified in this section, they have the flexibility to do so.
Suggestion 11: In section 4.A.I, suggest expanding the explanation for IT asset details for Virtual and Cloud-based assets and include examples to assist with understanding.
- Resolution 11: This comment will be taken into consideration for future guidance documents that will expand on examples and explanations for certain policy elements.
Suggestion 12: Consider moving software inventory requirements to a separate policy.
- Resolution 12: Suggestion not implemented, but may be taken into consideration in future iterations and revisions of the policy. The focus and intent of this policy does include the inventory of software. Suggestions made to clarify this intent have been incorporated (see the remaining suggestions below).
Suggestion 13: Update SYS 1035 background section to include a statement about purpose and intended use of the software inventory.
- Resolution 13: The purpose, scope, and background sections of 1035 were reviewed, and no additional edits were deemed necessary at this time.
Suggestion 14: Clarify the granularity at which the software inventory is to be reported, and include examples in section 4.A.II.
- Resolution 14: Reporting requirements have been removed so this suggestion is no longer relevant.
Suggestion 15: Clarify whether the scope of software inventories includes licensed and/or institution-built software for Research.
- Resolution 15: Scope of software inventories includes Research. Institutions can document a policy exception in cases where they would not like to include Research.
Suggestion 16: In section 4.A.II, consider limiting Application Type, Purpose and Criticality of software to servers and not client computing devices due to the manual resources needed to document and collect this information.
- Resolution 16: Suggestion not implemented. Institutions may assign a default value for these software attributes on client computing devices and adjust these values when necessary.
Suggestion 17: In section 4.A.II, recommend updating ‘Cloud provider’ to ‘Vendor’ in sentence ‘Denote if it is a cloud application and provide name of cloud provider.’
- Resolution 17: Suggestion implemented.
Suggestion 18: Remove ‘Local’ in the sentence “If on-premise and local, hostname or unique identifier” in section 4.A.II.
- Resolution 18: Suggestion implemented. The addition of ‘local’ appears redundant.