Information Security: IT Asset Management Standard

Original Issuance Date: August 19, 2020

Last Revision Date: November 13, 2020

Effective Date: September 1, 2021

1. Purpose of Procedures

The purpose of this standard is to establish the required data elements to be recorded and tracked during inventory of information technology (IT) assets and when these data elements are to be updated. To establish annual reporting requirements of IT asset inventories.

2. Responsible UW System Officer

Associate Vice President (AVP) for Information Security

3. Definitions

Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:

Low Risk
High Risk
IT Asset
Moderate Risk

4. Procedures

A. Standards

There are two main categories of IT assets that must be inventoried: hardware and software. Specific IT asset details to be recorded and tracked are identified for each category below.

I. Inventory of IT Hardware Assets

Hardware inventory records must include the following details:

IT Asset Type (desktop workstation; laptop; tablet; multi-function device; printer; scanner; server; network appliance; data center IT asset)
IP Address
MAC Address
Location
Capital IT Asset (Y/N; any single IT asset which has an acquisition cost of $5,000 or more and a useful life of at least two years)
Serial Number
Make, model, description
IT Asset Tag Number
Purchase/Acquisition Date
Assigned Owner
Operating System
Licensing Information (if applicable)
Date of Last Inventory

II. Inventory of Software Assets

Software inventory records must include the following details:

Software Product Name
Manufacture Name
Version Number
License Type (if applicable)
Date of Last Inventory

III. IT Hardware Asset Provisioning and Decommissioning

The IT asset inventory must be updated when:

Moving or transferring an IT asset
Borrowing or loaning an IT asset
An IT asset is lost, stolen, nonrepairable or obsolete
An IT asset is no longer needed and needs to be repurposed/disposed

All IT asset disposal requests must be documented and accompanied by justification.

Decommissioned IT assets must be stored in a secure space until repurposed or disposed.

B. Reporting

The report format for annual inventories will be made available by the UW System Office of Information Security (OIS). Annual inventories must be signed and dated by the institutional Chief Information Officer (CIO) or central administration CIO and submitted to OIS at the beginning of each calendar year.