Original Issuance Date: August 18, 2020

Last Revision Date: April 11, 2023

1. Purpose of Procedures

The purpose of this standard is to establish the minimum required University of Wisconsin (UW) Information Technology (IT) Asset information to be maintained by institutions in an IT Inventory. IT inventories are to be made available to support secure information systems operations and governance. This represents minimum IT Inventory requirements, and institutions may maintain additional information as they see fit.

2. Responsible UW System Officer

Associate Vice President for Information Security

3. Definitions

Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:

  • IT Asset
  • IT Asset Owner
  • IT Inventory

4. Procedures

A. Standards

The following defines the minimum IT Inventory requirements for IT Asset items and details. An institution’s IT Inventory is not required to be maintained in a single system for all IT Assets. Institutions may maintain their IT Inventory at a level of granularity and in systems that are efficient and effective to maintain accuracy and currency and are accessible for operations. When IT Inventory items are maintained in a vendor portal, the institution’s IT Inventory must include a reference to the vendor portal and the process to obtain the IT Inventory information.

I. Inventory of Devices, including Physical, Virtual, or Cloud-based

Institution IT Inventories must include the following devices that connect to a network and store and transmit data: hosts and servers that run application software; infrastructure and enterprise service devices, such as networking devices, storage nodes, and telecommunications infrastructure equipment; end-user and client computing devices, such as desktops, laptops, tablets, and mobile phones; and computing support devices that store and transmit data, such as multi-function printers and scanners, smart monitors, telecommunication endpoint equipment, audio and video equipment, and Internet of Things (IoT) devices. When applicable, IT inventories must include the following IT Asset item details:

    • Unique identifier, device name, or hostname, as defined by the institution
    • Additional hostname(s), if applicable
    • Operating system type (e.g., Linux, Windows) and version (major version)
    • MAC address(es) and/or IP address(es), as defined by the institution
    • Location:
      • If at the institution, the building and room. If not known, may use the location of the assigned user or department
      • If hosted by another institution or provider, identify the hosting provider, including any cloud-based provider
    • If physical:
      • Manufacturer or make
      • Model or description
      • Serial number
      • IT Asset tag number
    • If virtual, virtualization software application that hosts the virtualized asset
    • If cloud-based:
      • Vendor
      • Product name
      • License Information
    • IT Asset Owner
    • Assigned user or department
    • Device Type
    • Purpose
    • Criticality of asset information. Institutions may define a default value and only identify when it is different
    • Lifecycle Status
    • Date updated

II. Inventory of Software Applications

Institution IT Inventories must include the following IT Asset item details for software applications that are licensed or institution-built for academic and business use. This includes: the primary software components that provide application services on host servers and client computing devices, both on-premise and in a cloud environment, commonly referred to as Software as a Service (SaaS); and infrastructure applications, e.g., web servers, database servers, and virtualization software, both on-premise and in a cloud environment, which may be referred to as SaaS or Platform as a Service (PaaS).

For institution-built software applications, only one inventory item representing the composite system is required. For licensed applications, the inventory items are by product or license. The IT Inventory is NOT REQUIRED to include scripts, plug-in components, Dynamic Link Libraries (DLL) or similar.

    • Unique common name identifier
    • Vendor:
      • If commercial, vendor name
      • If open-source, organization name
      • If institution-built, denote that and include name of the institution
    • Software product name of the primary license
    • License information, description, and count
    • Hosting locations and/or provider(s)
      • If installed locally or on-premise, identify the data center(s) or types of devices (e.g., workstations)
      • If hybrid, installed both on-premise and hosted off-site, include the data center(s) or type of devices and the name(s) of the external hosting provider(s)
      • If hosted, include the name(s) of the hosting provider(s)
    • Assigned user or department
    • IT Asset Owner
    • Application Type
    • Purpose
    • Criticality of the software. Institutions may define a default value and only identify when it is different
    • Date updated

5. Related Documents

Regent Policy Document 25-5, Information Technology: Information Security

UW System Information Security Program

UW System Administrative Policy 1035, Information Security: IT Asset Management

6. History

Revision 2: April 11, 2023

Revision 1: November 7, 2020

Original Issuance Date: August 18, 2020