Standard: ISO / Device asset inventory

Scope

  • All university owned or managed end-user devices (non-consumables), networking devices, servers, storage devices, and Internet of Things (IoT) devices. Personally owned devices should not be included in the inventory

Rationale

  • A comprehensive inventory of networked institutional device assets provides for and assist with a number of endeavors and capabilities, including the following:
    • Ensuring that only authorized systems store and process enterprise data
    • Understanding the full scope of the university environment in need of cybersecurity protections and operational support and what each device is used for
    • Quick and efficient incident response and assignment of vulnerability management discoveries based on clear identification of who is responsible for the device and where it is located
    • Identification of assets missing from centralized management tools
    • Facilitating the removal of unauthorized devices from enterprise networks
    • Assistance with lifecycle management of devices

 

Definitions

  • Data Classification: the Information Security Office's (ISO) data classification schema can be found here
  • Data Owner: the individual or group responsible for the protection, usage, and quality of the data in question
  • Responsible Local IT Support: the technical group responsible for primary support of a device
  • End-user: the party in possession of or the primary user of a device

Standard

  • Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, including:
    • End-user devices (including portable and mobile devices)
    • Network devices
    • Non-computing / Internet of Things (IoT) devices
    • Servers (including physical and virtual, on-prem and cloud-hosted)
    • Storage devices attached to the network or that store Restricted data
  • The inventory should include the following attributes for each asset at a minimum. The Service Asset & Configuration Management (SACM) Guide provides additional recommended attributes to track within the inventory:
    • Associated Data Classification - the highest data sensitivity level stored, processed, or transmitted by the device
      • If Restricted data:
        • Description of the Restricted data
        • Relationships to other assets and data flows
        • Data asset owner(s) - the individuals or groups responsible for the protection, usage, and quality of the Restricted data involved
      • If Confidential data:
        • Description of the Confidential data
        • Data asset owner(s) - the individuals or groups responsible for the protection, usage, and quality of the Confidential data involved
      • All data classifications:
        • Configuration Item Type (aka Product Model) - the category type of the device e.g. End-user device, server, printer, switch, etc
        • Description - a brief description of what the device is
        • Device Use Case - the business purpose of the device
        • Supplier - the vendor or manufacturer of the device
        • External ID - the unique identifier of the device, such as a serial number
        • Asset Name - the unique name of the device, may be the serial number if the device does not have a 'name'
        • Network address(es) - the most recently used or static IP address(es) of the device
        • Hardware address(es) - the MAC address(es) of the device (physical and wireless)
        • Device Owner - the end-user or primary person responsible for the device
        • Owning Department - the Responsible Local IT Support Group
        • Billing Party - the party responsible for purchasing the device and any additional expenses related to maintaining or support the device
        • Status - the general status of whether or not the device is in-use / active, in storage, disposed of, inactive / missing, out for repair, etc
        • Asset Location - the physical location of the device, where possible the data-jack or building and room location should be included, devices that commonly roam or 'work from home' should be noted as such
        • First seen and/or last seen date - the date the device was initially added to the inventory and/or the most recent data the asset record was updated manually or by automated discovery tools
        • Last reviewed date - the date of the most recent review of the asset record's accuracy
  • Use DHCP logging or IP address management tools to update the inventory at least weekly
  • Utilize an active discovery tool to identify assets connecting to the network and update the inventory at least weekly. An example of a potential active discovery tool would be a network vulnerability scanning tool
  • Utilize a passive discovery tool to identify assets connecting to the network and update the inventory at least weekly. Examples of potential passive discovery tools include MECM and JAMF
  • Establish a process for removing assets from the inventory when they are no longer in use

Appendix

Related policies and standards:

Standard Administration

Next Review Date

  • 12/15/2024

 

Responsible Officer

  • Vice President for Information Technology & Chief Information Officer

 

Contact

  • Assistant VP for IT Services Security, Compliance, and Risk Management

 

Approval(s) and Date(s)

  • Initial Approval: 20 December 2023

 

Print Article