|Policy Category||Policy No. & Title||Policy Owner/Administrator||Effective Date||Revision Number||Revision Eff. Date||Review Cycle|
Information Governance, Security & Technology
IT Asset Management
|VP of Information Security||September 15, 2021||N/A||N/A||Every 2 years|
The purpose of this policy is to establish information security standards for the asset management processes relevant to University of Maryland Global Campus ("UMGC" or "University") Information Technology Resources.
Scope and Applicability
This policy applies to all University Information Systems and Information Technology Resources. All Users are responsible for adhering to this policy.
Capitalized terms shall have the meaning ascribed to them herein and shall have the same meaning when used in the singular or plural form or any appropriate tense.
Asset: An IT asset is a piece of software or hardware within an information technology environment. Tracking of IT assets within an IT asset management system can be crucial to the operational or financial success of an enterprise. IT assets are integral components of the organization's systems and network infrastructure.
Asset Management: The management of IT assets requires well-developed processes and clear policies. IT asset management software may track physical devices, software instances and licenses, and even the cabinets that house them. Managers should be able to look up warranty and vendor information and understand how each asset contributes to the environment. Change control procedures are effective ways to manage upgrades and replacements.
Asset Management Software: Asset management software is a dedicated application which is used to record and track an asset throughout its life cycle, from procurement to disposal. It provides an organization with information like where certain assets are located, who is using them, how they are being utilized and details about the asset. The asset management software is used for management of both software and hardware assets.
Authorized User: A User who has been granted authorization to access electronic Information Resources and is current in their privileges.
Confidential Data: Data that requires restrictions on access and disclosure, including the protection of personal privacy and proprietary information.
Contractor: A person or a company that undertakes a contract to provide materials or labor to perform a service.
Controlled Unclassified Information (CUI): Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information (see definition above) or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. CUI includes Personally Identifiable Information (PII).
Data: Data is element(s) of Information in the form of facts, such as numbers, words, names, or descriptions of things from which "understandable information" can be derived.
Data Handling: Handling is any use of data, including but not limited to marking, safeguarding, transporting, disseminating, re-using, and disposing of the information.
Employee: University staff and faculty, including nonexempt, exempt, and overseas staff and collegiate faculty.
Personally Identifiable Information (PII): An individual's first name and last name, personal mark, or unique biometric or genetic print or image, in combination with one or more of the following data elements:
A social security number;
A driver's license number, state identification card number, or other individual identification number issued by a state government unit;
A passport number or other identification number issued by the United States government;
An Individual Taxpayer Identification Number; or
A financial or other account number, a credit card number, or a debit card number that, in combination with any required security code, access code, or password, would permit access to an individual's account.
User: A member of the University community, including but not limited to Staff and Faculty, and other individuals performing services on behalf of University, including Contractors, volunteers and other individuals who may have a need to access, use or control University Data.
Asset Management – Hardware and Software
All Users must adhere to the University's IT Asset Management Policy for all IT hardware and software that is owned by the University to ensure that these Assets are properly managed throughout their life cycle.
UMGC will employ an Asset Management System to maintain an inventory of hardware assets that:
Accurately reflects the UMGC Information System
Includes all hardware assets within the authorization boundary of the UMGC Information System
Is at a level of detail necessary for appropriate tracking and status reporting of assets. Includes hardware inventory specifications (e.g., manufacturer, device type, model, serial number, physical location), component owners, machine names, and network addresses.
The following types of hardware Assets are included but not limited to:
Laptop Mobile Computers
Printers, Copiers, Scanner, Fax Machines, and Other Peripheral Devices
Network Appliances (e.g., Firewalls, Routers, Switches, Uninterruptible Power Supplies (UPS), Endpoint Network Hardware, and Storage)
Private Branch Exchange (PBX) and Voice over Internet Protocol (VoIP) Telephony
The following types of hardware Assets are not included in this policy:
Non-serialized items such as keyboards, mice, external connectors ("dongles") and adapters, USB memory sticks (thumb drives), memory cards, etc.
UMGC will employ an Asset Management Information System to maintain an inventory of software Assets that:
Accurately reflects the UMGC system
Includes all software Assets within the authorization boundary of the UMGC Information System
Is at a level of detail necessary for appropriate tracking and status reporting of Assets
Includes items such as software license number and component owners.
The following types of software Assets are included in this policy:
Enterprise level software
All individually licensed software, both per-seat and concurrent licensing
All software licenses that are acquired when they are bundled with hardware purchases
The inventory of Assets should be reviewed every 2 years and the asset management system should be updated whenever:
Hardware or software system components are installed.
Hardware or software system components are removed.
Hardware or software system components are updated.
Notification of Changes
Departments, consultants, and contractors will be responsible for notifying IT of any changes in the physical location or ownership of IT hardware or software, which includes all asset issuances, moves, and returns, of any sensitive equipment.
Departments should not redistribute Assets. Assets must be returned to IT for proper tracking, assessment, re-issuance or disposal.
Replaced or surplus Assets must be returned to IT for reallocation or proper disposal.
When reallocating or disposing of any IT hardware Asset, any Confidential data, including CUI Data, must be removed prior to disposal.
Asset Management – Data
All Users should adhere to the University's Data Classification Policy to ensure that Data which meets the Confidential Data and Controlled Unclassified Information (CUI) qualifications is handled properly.
Exceptions to this policy should be submitted to the VP of Information Security for review and approval. If an exception is requested a compensating control or safeguard should be documented and approved.
Any Employee, Contractor, or third-party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify the VP of Information Security as soon as practicable.
Any Employee, Contractor, or other third-party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract or pursuit of legal action.
UMGC X-1.02 Data Classification
UMGC X-1.04 Information Security
UMGC X-1.07 Information Security Audit and Accountability
UMGC X-1.08 IT Resources Configuration Management
UMGC X-1.12 Acceptable Use
UMGC X-1.14 Media Protection
UMGC 300.00 Sensitive Equipment
USM Policy 240.0 VIII-1.10 – Policy for Capitalization and Inventory Control
This policy is effective as of the date set forth above.