91黑料网

>

Secure IT Asset Management Standard

Contacts & Dates:

UNIVERSITY STANDARD STATEMENT

This standard establishes what details must be included about an IT Asset in the Central IT Asset Inventory.

REASON FOR STANDARD

A Central IT Asset Inventory is a digital register of IT Asset details and is a foundational element that helps empower the security program by providing a holistic view of the entire IT environment. You can鈥檛 secure what you don鈥檛 know about.

To ensure accurate and proper inventory, security, use, and disposal, all University-Owned IT Assets will be recorded in a centralized database. This database will contain information required to properly identify and secure these assets throughout their lifecycle.

The Office of Cybersecurity will review this standard biennially with feedback collected from representatives across VU to understand new concerns and dynamic requirements to best serve the VU community and adhere to VU Information Security Principles listed in the Information Security Policy.

SCOPE AND AUDIENCE

This standard applies to the entire 91黑料网 community including, but not limited to, faculty, staff, students, contractors, post-doctoral fellows, temporary employees, and volunteers (collectively called 鈥淰U Community Members鈥). All University-Owned IT Assets used to collect, transmit, process, store, or host institutional data are in-scope for this policy.

DEFINITIONS

  • All Terms

    Central IT Asset Inventory: A digital register of IT assets owned or managed by organization containing important asset information such as configuration, location, owner, criticality, etc.听

    Disaster Recover Tier: A classification of criticality determined by a Business Impact Assessment (BIA) to ensure the resiliency of university IT assets to continue operation during, or to recover from a disaster event.听听

    End User: VU community member that operates an asset that is responsible for ensuring appropriate use and physical security of assigned IT assets.听

    Information Technology (IT) Asset: Devices, systems, and applications that enable the organization to achieve university business, academia, and research. IT assets include but are not limited to hardware assets (e.g., servers, laptops, printers, IoT devices, etc.) and software assets (e.g., operating systems, applications, cloud components, etc.).听

    IT Asset Owner: An individual or team accountable for overall management and lifecycle of their respective IT assets.听 If applicable, responsible for partnering with IT Asset Stewards for central inventory and lifecycle management functions.听

    IT Asset Steward: An individual or team that is responsible for day-to-day maintenance and support of IT assets and their configurations.听

    University-Owned IT Asset: An IT asset purchased or leased with university funding (e.g., department funds, grants) and are the legal property of the university or that the university has legal responsibility for.听

STANDARD

University-Owned IT Asset details must be recorded in the Central IT Asset Inventory. Entries and updates must be made when it is procured, deployed, gifted, reassigned, transferred, lost, stolen, retired, or disposed. Required fields are listed in Table 1.

There are and will be various methods for collecting and documenting the required information below. It is the ultimate responsibility of the IT Asset Owner to ensure this occurs.

Table 1. Central IT Asset Inventory: Required Fields

Hardware Software
Purchase/Acquisition Date Purchase/Acquisition Date
IT Asset Type
(e.g., desktop, laptop, server, network appliance, etc.)		 Software Product Name
Make, model, description, serial number Manufacturer Name
Asset Name Version Number
IP Address Data Classification
MAC Address Disaster Recovery Tier
Physical Location Assigned IT Asset Owner
Operating System version Assigned IT Asset Steward
Data Classification Assigned End User
Disaster Recovery Tier Date of Last Inventory
Assigned IT Asset Owner
Assigned IT Asset Steward
Assigned End User
Date of Last Inventory

EXCEPTIONS

On a rare occasion, a security policy exception may be considered depending on the impact to the university mission and security risk(s) introduced. Exception requests must be submitted to the VU Chief Information Security Officer for evaluation and risk assessment. The CISO, or a delegate, will grant or deny the request based on the level of risk.听

ENFORCEMENT

Any VU community member that violates this policy may be subject to disciplinary action up to and including termination. The Chief Information Security Officer will refer violations to university units (e.g., Student Accountability Office, Human Resources, and Deans) as appropriate. Violations may also constitute a violation of state or federal law and individuals shall be accountable as applicable.

FORMS AND TOOLS

FREQUENTLY ASKED QUESTIONS

  • Where is the central IT asset inventory?

    Identification and implementation of a Central IT Asset Inventory is underway by VUIT. Until that resource is available, all IT Asset Owners should maintain their own inventory of assets under their purview. This could be an excel spreadsheet or other tool. IT Asset Owners must cooperate with Cybersecurity and provide their inventory, where needed.

  • When do IT Asset Owners and/or Stewards need to add their IT assets in the central asset inventory?

    IT Assets managed locally or at the departmental level should be inventoried by IT Asset Owners and/or Stewards using their own means until the centrally provided resource is available. VUIT will provide implementation updates as they become available.听

  • What if I have questions or need general guidance?

    Contact VUIT by submitting a ticket .

RELATED INFORMATION

HISTORY

Review Date
Summary of Changes
September 2023Update the effective date
February 2025Update the effective date, revised the FAQs, and added a review cadence