Standard: Device Asset Inventory

Scope

• All university owned or managed end-user devices (non-consumables), networking devices, servers, storage devices, and Internet of Things (IoT) devices. Personally owned devices should not be included in the inventory

Rationale

• A comprehensive inventory of networked institutional device assets provides for and assist with a number of endeavors and capabilities, including the following:
  • Ensuring that only authorized systems store and process enterprise data
  • Understanding the full scope of the university environment in need of cybersecurity protections and operational support and what each device is used for
  • Quick and efficient incident response and assignment of vulnerability management discoveries based on clear identification of who is responsible for the device and where it is located
  • Identification of assets missing from centralized management tools
  • Facilitating the removal of unauthorized devices from enterprise networks
  • Assistance with lifecycle management of devices

Definitions

• Data Classification: the Information Security Office's (ISO) data classification schema can be found here
• Data Owner: the individual or group responsible for the protection, usage, and quality of the data in question
• Responsible Local IT Support: the technical group responsible for primary support of a device
• End-user: the party in possession of or the primary user of a device

Standard

• Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, including:
  • End-user devices (including portable and mobile devices)
  • Network devices
  • Non-computing / Internet of Things (IoT) devices
  • Servers (including physical and virtual, on-prem and cloud-hosted)
  • Storage devices attached to the network or that store Restricted data
• The inventory should include the following attributes for each asset at a minimum. The Service Asset & Configuration Management (SACM) Guide provides additional recommended attributes to track within the inventory:
  • Associated Data Classification - the highest data sensitivity level stored, processed, or transmitted by the device
    • If Restricted data:
      • Description of the Restricted data
      • Relationships to other assets and data flows
      • Data asset owner(s) - the individuals or groups responsible for the protection, usage, and quality of the Restricted data involved
    • If Confidential data:
      • Description of the Confidential data
      • Data asset owner(s) - the individuals or groups responsible for the protection, usage, and quality of the Confidential data involved
    • All data classifications:
      • Configuration Item Type (aka Product Model) - the category type of the device e.g. End-user device, server, printer, switch, etc
      • Description - a brief description of what the device is
      • Device Use Case - the business purpose of the device
      • Supplier - the vendor or manufacturer of the device
      • External ID - the unique identifier of the device, such as a serial number
      • Asset Name - the unique name of the device, may be the serial number if the device does not have a 'name'
      • Network address(es) - the most recently used or static IP address(es) of the device
      • Hardware address(es) - the MAC address(es) of the device (physical and wireless)
      • Device Owner - the end-user or primary person responsible for the device
      • Owning Department - the Responsible Local IT Support Group
      • Billing Party - the party responsible for purchasing the device and any additional expenses related to maintaining or support the device
      • Status - the general status of whether or not the device is in-use / active, in storage, disposed of, inactive / missing, out for repair, etc
      • Asset Location - the physical location of the device, where possible the data-jack or building and room location should be included, devices that commonly roam or 'work from home' should be noted as such
      • First seen and/or last seen date - the date the device was initially added to the inventory and/or the most recent data the asset record was updated manually or by automated discovery tools
      • Last reviewed date - the date of the most recent review of the asset record's accuracy
• Use DHCP logging or IP address management tools to update the inventory at least weekly
• Utilize an active discovery tool to identify assets connecting to the network and update the inventory at least weekly. An example of a potential active discovery tool would be a network vulnerability scanning tool
• Utilize a passive discovery tool to identify assets connecting to the network and update the inventory at least weekly. Examples of potential passive discovery tools include MECM and JAMF
• Establish a process for removing assets from the inventory when they are no longer in use

Appendix

Related policies and standards:

• ISO Data Classification Schema
• Standard: End-of-Life Operating Systems
• Service Asset & Configuration Management (SACM) Guide

Standard Administration

Next Review Date

• 12/15/2024

Responsible Officer

• Vice President for Information Technology & Chief Information Officer

Contact

• Assistant VP for IT Services Security, Compliance, and Risk Management

Approval(s) and Date(s)

• Initial Approval: 20 December 2023