UW-Madison - IT - IT Asset Inventory Reporting Implementation Plan

Applies to applies to all UW-Madison entities with IT assets.

The IT Asset Reporting Implementation Plan contains the supporting guidelines and procedures for the establishing an IT asset reporting program and are in support of the UW-Madison IT Asset Reporting Policy providing the framework, guidelines, and requirements for reporting accurate IT asset data at UW-Madison.

Frequency of Updates

Divisions and units are minimally responsible for reporting to the common system each calendar quarter. Continuous reporting is desired but not expected or feasible in all situations.

Decision-Making Guidance

Divisions and other units will make IT Asset Inventory Reporting decisions in accordance with the principles in the Policy in addition to the priorities and timeline below. The department or unit is responsible for evaluating the assets and resources available, and applying the priorities as they determine.

Priorities:

High:

Critical systems/equipment/services/software
Devices that store or access high-risk data
Very expensive systems/equipment/services/software
Endpoints whose data can be collected automatically through endpoint, security, or other data sources

Medium:

Non-traditional IT assets (e.g. embedded systems, specialized devices)
Other desktops and laptops that cannot be inventoried via automation
Large quantity software licenses
Medium-risk systems/equipment/services/software

Low:

IT assets not already inventoried
Small quantity software licenses

Timeline

The timeline begins once the policy has been approved. There are two parts of the implementation timeline. The first part of the timeline is planning and development for being able to collect and report IT asset data and development of standards for different types of IT assets. Development of appropriate and feasible standards will take significant effort from IT staff from across campus. DoIT will have to ready the inventory data repository as a supported service. The second part of the timeline coincides with the start of the program.

Policy Approval
Staging and Preparation [6 months after policy approval]:

Common standards, tools, procedures, reports, communication plan, and training are available
Divisional Deans and Directors have established procedures and responsible roles completed within six months after the policy has been approved
CIO identifies governance group for this service/program
CIO consults with IT leaders and approves program start

Program Start
Phase One [6 months after completion of staging and preparation]: High Priorities - Goal: 85% of Divisions have reported
Phase Two [6 months after Phase One completion]: Medium Priorities - Goal: 75% of Divisions have reported
Phase Three [12 months after Phase Two completion]: Low Priorities - Goal: 50% of Divisions have reported

Asset Program Reporting Metrics

During Staging and Preparation the Vice Provost for Information Technology and Chief Information Officer is responsible for identifying and implementing processes and metrics to measure the completion of this implementation plan. Reports elements should include the following.

The number of divisions reporting assets related to each phase (High, Medium and Low).
a. Where applicable, the number of departments and units reporting (per division).
Identify the number of assets by asset class [SEE KB].
Identify the number of assets identified by department or unit.

Stakeholder Metrics/Reports

During Staging and Preparation the Vice Provost for Information Technology and Chief Information Officer is responsible for identifying which governance or stakeholder group should provide input to the type of metrics and reports to be created and managed. A standard operating procedure should be created for receiving additional requests or changes to existing reports. Examples of stakeholder reports, that may inform the data collected in asset reporting, include:

The number of assets identified by the Cybersecurity Operations Center reporting potential incidents that are or are not identified in the asset aggregation database. (Requires list of devices identified by CSOC)
Average “age” of asset
Average cost of asset by asset type (configuration item)
Number of assets sent to SWAP by department
Number of assets with purchase, maintenance, and subscription licenses
List of assets setting to “expire” within 12 months

Data Collection

The IT Asset Reporting project is currently collecting data from several sources;

Vulnerability Management Tools – Qualys
Endpoint Management Tools - BigFix, Workspace ONE, DoIT Configuration Management Database (CMDB), etc.,
CSV Upload as needed or warranted

Additional data sources can be added in the future if determined to be effective.

Data Management Plan

In accordance with The Office of Data Management and Analytic Services and the policy standards (currently in development), the IT Asset Data Custodian and Chief Information Security Officer (CISO), is responsible for identifying and overseeing a data management plan that provides the following requirements:

Identifies how access to the data set is requested, reviewed, approved, and removed
How the data is to be used/not used
Backup/restore requirements
Data lifecycle requirements

Communications Plan

A communications plan will be created and coordinated through DoIT Communications during the Staging and Preparation period.

Outreach and Training

Service and Tool Owners are responsible for creating an outreach and training program that assists IT professionals with the program/service, including:

Onboarding new units for data collections and submission.
Best practices for incorporating additional inventory reporting data in automated tools such as BigFix, Workspace One.
Training on generating standard and custom reports from the repository.