Description

The purpose of this standard is to establish the minimum required information to be maintained in an IT Inventory for Lehigh-owned assets including end-user/server devices and information systems containing Lehigh data. IT inventories are to be made available to support secure information systems operations and governance.

Establish and maintain an accurate, detailed, and up-to-date inventory of all Lehigh-owned assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently.

Scope

This policy applies to Lehigh-owned assets and information systems containing Lehigh data managed centrally (LTS) or by individual Colleges/Units.

Security Requirements

Lehigh’s Information Security Program (ISP) is built around NIST 800-171 controls and other control frameworks, regulations, and guidance (e.g., FERPA, HIPAA, GDPR, PCI, and others). This section should reference which frameworks are relevant to this particular standard.

...

  • 1.1: Establish and Maintain Detailed Enterprise Asset Inventory

    Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently.

  • 1.3: Utilize an Active Discovery Tool

    Utilize an active discovery tool to identify assets connected to the enterprise's network. Configure the active discovery tool to execute daily, or more frequently.

  • 1.4: Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory

    Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise's asset inventory. Review and use logs to update the enterprise's asset inventory weekly, or more frequently.

  • 1.5: Use a Passive Asset Discovery Tool

    Use a passive discovery tool to identify assets connected to the enterprise's network. Review and use scans to update the enterprise's asset inventory at least weekly, or more frequently.
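The following script is an added illustration, not part of the standard or of any Lehigh tooling, of how control 1.4 (DHCP logging feeding the inventory) and the minimum fields named in the Description (hardware address, machine name, network address if static, owner, department, approval to connect) fit together. The log lines and inventory records are constructed samples in ISC dhcpd syslog style; the field and function names are hypothetical.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional, Set, Tuple

# Constructed sample DHCP server log (ISC dhcpd syslog style); not real Lehigh data.
SAMPLE_DHCP_LOG = """\
Sep 16 08:01:12 dhcp1 dhcpd[1234]: DHCPACK on 10.20.30.41 to aa:bb:cc:00:00:01 (lab-ws-01) via eth0
Sep 16 08:02:45 dhcp1 dhcpd[1234]: DHCPACK on 10.20.30.42 to aa:bb:cc:00:00:02 (lab-ws-02) via eth0
Sep 16 08:03:10 dhcp1 dhcpd[1234]: DHCPDISCOVER from aa:bb:cc:00:00:99 via eth0
Sep 16 08:03:11 dhcp1 dhcpd[1234]: DHCPACK on 10.20.30.77 to aa:bb:cc:00:00:99 (unknown-laptop) via eth0
Sep 16 08:04:00 dhcp1 dhcpd[1234]: DHCPACK on 10.20.30.41 to aa:bb:cc:00:00:01 (lab-ws-01) via eth0
"""

# Only DHCPACK lines prove a lease was handed out; DISCOVER/OFFER lines are ignored.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE,
)


@dataclass
class Asset:
    """Minimum inventory fields from the standard (hypothetical field names)."""
    hardware_address: str
    machine_name: str
    owner: str
    department: str
    approved: bool                       # approved to connect to the network
    network_address: str = ""            # fixed only if static; otherwise last lease seen
    static_address: bool = False
    last_seen: Optional[date] = None


def sample_inventory() -> Dict[str, Asset]:
    """Constructed inventory keyed by hardware (MAC) address."""
    assets = [
        Asset("aa:bb:cc:00:00:01", "lab-ws-01", "J. Owner", "Chemistry", True),
        Asset("aa:bb:cc:00:00:02", "lab-ws-02", "J. Owner", "Chemistry", False),
        Asset("aa:bb:cc:00:00:03", "srv-db-01", "K. Owner", "LTS", True,
              network_address="10.20.30.5", static_address=True),
        Asset("aa:bb:cc:00:00:04", "old-laptop", "J. Owner", "Chemistry", True),
    ]
    return {a.hardware_address: a for a in assets}


def parse_dhcp_acks(log_text: str):
    """Yield (ip, mac, hostname) for every DHCPACK line in the log."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            yield m["ip"], m["mac"].lower(), (m["host"] or "")


def reconcile(inventory: Dict[str, Asset], log_text: str, seen_on: date) -> dict:
    """Update last-seen/lease data and report MACs that need review."""
    report = {"unknown": {}, "unapproved": set(), "updated": set()}
    for ip, mac, host in parse_dhcp_acks(log_text):
        asset = inventory.get(mac)
        if asset is None:
            # Lease handed to a device the inventory does not know: cannot be approved.
            report["unknown"][mac] = (ip, host)
            continue
        asset.last_seen = seen_on
        if not asset.static_address:
            asset.network_address = ip   # dynamic: record the current lease only
        if not asset.approved:
            report["unapproved"].add(mac)
        report["updated"].add(mac)
    return report


def not_seen_since(inventory: Dict[str, Asset], cutoff: date) -> list:
    """Dynamically addressed assets with no lease since cutoff: lifecycle-review candidates.
    Static-address assets never appear in DHCP logs and need the active discovery scan."""
    return sorted(mac for mac, a in inventory.items()
                  if not a.static_address and (a.last_seen is None or a.last_seen < cutoff))


def run_sample() -> Tuple[Dict[str, Asset], dict, list]:
    """Run the weekly reconciliation over the constructed sample."""
    inv = sample_inventory()
    report = reconcile(inv, SAMPLE_DHCP_LOG, date(2024, 9, 16))
    stale = not_seen_since(inv, date(2024, 9, 9))
    return inv, report, stale


if __name__ == "__main__":
    _, rep, stale = run_sample()
    print("unknown:", rep["unknown"])
    print("unapproved but leased:", sorted(rep["unapproved"]))
    print("not seen in the review window:", stale)
```

The three outputs map onto the standard's review duties: unknown hardware addresses are devices the inventory has never approved, leased-but-unapproved entries are approval decisions still pending, and dynamically addressed assets with no lease in the review window are candidates for a Lifecycle Status update. Statically addressed servers are deliberately excluded from the stale check because DHCP logs say nothing about them; that gap is what control 1.3's active discovery covers.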

Minimum Data Required

The following are the minimum data elements that must be recorded in the Information System Inventory.

...

  • Additional Hostnames

  • Operating System

  • Location

    • Internal: building and room

    • External: hosting provider including contact information

  • Lifecycle Status

Recording Inventory

The inventory will be systematically collected through scanning or agent technologies. If that is not possible, the System Owner is responsible for ensuring the LTS inventory is maintained and updated.

  • Inventory System of Record - Sassafras (9/16/24)

Definitions

System Owner - Individual accountable for system and data stored within system. Typically the person who purchases and funds the system.

...

Sensitive Data - Data which is regulated or would cause harm to an individual or the University if lost, or if inappropriately shared or modified.

Revision History

Date        Version   Description                         Approval
            0.1       Original Document                   Draft
9/16/2024   10.2      Modifications with Steve and Gale   Draft
9/30/2024   1.0       Published - CTO                     Approved