IT Asset Management Standard

Description

The purpose of this standard is to establish the minimum required information to be maintained in an IT Inventory for Lehigh IT. Inventories are to be made available to support secure information system operations and governance, and to meet compliance obligations. Inventories are required to include risk categorization and data classifications.


Scope

This standard applies to all Lehigh IT assets. All users, including, but not limited to, all University staff, faculty, researchers, students, alumni, visitors, guests, vendors, contractors, volunteers, and business partners are responsible for adhering to this standard.

Security Requirements

Lehigh’s Information Security Program (ISP) is built around NIST 800-171 controls and other control frameworks, regulations, and guidance (e.g., FERPA, HIPAA, GDPR, PCI, and others). This section should reference which frameworks are relevant to this particular standard.

NIST 800-53 r5 references the following security requirements within the Program Management family:

  • PM-3 The organization develops and maintains an inventory of its information systems.

Critical Security Controls V8 references the following security requirements:

  • 1.1: Establish and Maintain Detailed Enterprise Asset Inventory

    Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently.

  • 1.3: Utilize an Active Discovery Tool

    Utilize an active discovery tool to identify assets connected to the enterprise's network. Configure the active discovery tool to execute daily, or more frequently.

  • 1.4: Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory

    Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise's asset inventory. Review and use logs to update the enterprise's asset inventory weekly, or more frequently.

  • 1.5: Use a Passive Asset Discovery Tool

    Use a passive discovery tool to identify assets connected to the enterprise's network. Review and use scans to update the enterprise's asset inventory at least weekly, or more frequently.

IT Asset Management Requirements

[insert]

IT Inventory

The following are the minimum data elements that must be recorded within the Information System Inventory.

Automatically Generated - Physical Network Equipment

  • Network address

  • Hardware address (MAC)

  • Machine name

  • Serial Number

  • User

  • Date Updated

Manually Collected

  • System Owner

  • College/Stem & Department

  • Technical Owner

  • Rating of Criticality of System to University Operations, including what service it supports (e.g., Banner Student supports the Registration Process).

  • Service or business function supported by the asset or system

  • Handle Sensitive Data? (Y/N)

  • Brief Description

  • Compliance Obligations

Additional data may be required for the purpose of identifying assets in a security event.

  • Additional Hostnames

  • Operating System

  • Location

    • Internal: building and room

    • External: hosting provider including contact information

  • Lifecycle Period - How many years the device will be in operation

Recording Inventory

The inventory will be systematically collected through scanning or agent technologies. If that is not possible, the System Owner is responsible for ensuring the LTS inventory is maintained and updated.

  • Inventory System of Record - Sassafras (9/16/24)

IT Asset Lifecycle

The IT Asset Lifecycle consists of the following stages:

  • Acquisition: The first stage is governed by Lehigh procurement policies.

  • Deployment: This stage is concerned with preparing the asset for the purpose for which it was acquired. Required actions prior to deployment include:

    • Ensuring the system is properly configured with applicable security software and controls

    • Recording the system in the inventory, including its planned lifecycle period (e.g., laptops: 5 years)

  • Operations and maintenance: The operations stage is governed by Lehigh policies and standards.

  • Retirement and decommissioning:

    • Identify: Determine which assets are reaching end-of-life, are obsolete, or no longer meet business needs. This might involve:

      • Reviewing the IT asset management system for aging equipment.

      • Assessing the performance and maintenance history of assets.

      • Considering technology upgrades and replacements.

    • Data Security: Retired devices need to be physically secured in a locked room or cabinet awaiting the decommissioning process.

      • Sanitization: Ensure complete data sanitization or destruction from all storage media (hard drives, SSDs, etc.) to prevent unauthorized access to sensitive information. Options include:

        • Data wiping: Using software to overwrite the data multiple times.

        • Physical destruction: Shredding, crushing, or degaussing hard drives.

      • Certificate and License Management: Revoke any associated certificates, licenses, or access credentials linked to the asset.

    • Responsible and Sustainable Disposal: The final stage of an asset's life cycle, when the asset is no longer useful. The asset's material and type determine whether it should be recycled or discarded.

      • Environmental Compliance: Adhere to all environmental regulations and Lehigh University policies for e-waste disposal.

      • Reuse and Donation: Explore options for donating or repurposing functional equipment within the university or to external organizations. This could involve:

        • Transferring assets to other departments with needs.

        • Partnering with non-profit organizations for donations.

        • Reselling or recycling components through certified vendors.

      • Documentation: Maintain detailed records of all disposal activities, including:

        • Asset Identifier

        • Date of disposal

        • Method of disposal

        • Name of the vendor or organization handling disposal

        • Certificate of data destruction (if applicable)

      • Updates to IT Asset Management System:

        • Accurate Records: Update the IT asset management system to reflect the asset's retirement status and disposal information. This ensures accurate inventory and reporting.

Definitions

System Owner - Individual accountable for the system and the data stored within it. Typically the person who purchases and funds the system.

Technical Owner - Individual or team with the responsibility for maintaining and updating the system.

Information System - Any hardware, software, cloud application or network device used to store, process, or transmit information.

Lehigh IT Assets - Information Systems and data used to support Lehigh’s operations and mission.

Sensitive Data - Data which is regulated or would cause harm to an individual or the University if lost, or if inappropriately shared or modified.

Revision History

Date          Version  Description                                               Approval
Aug 30, 2024  0.1      Original Document                                         Draft
9/16/2024     0.2      Modifications with Steve and Gale                         Draft
9/30/2024     1.0      Published - CTO                                           Approved
10/21/2024    1.1      Revised, renamed to IT Asset Management Standard - CISO   Approved