Asset Reporting - What it is, What to do

This document tells you about IT Asset Reporting at UW-Madison. This document is currently under review following approval of the Policy and Implementation Plan.

What it is

Origin

  • Asset Reporting arose out of a UW System Administration proposed policy and standard, 1035 and 1035.A, respectively, regarding IT asset reporting from both a business and cybersecurity perspective.  UW-Madison's Division of Information Technology and Office of Cybersecurity have sponsored a campus effort to meet the needs of the Regents while countenancing the disparate information gathering and reporting capabilities of campus partners.

Goal

  • To create and maintain a campus data repository where records of IT assets can be compiled and updated on a regular (quarterly to yearly) basis.
  • Phase One: High Priorities - 85% of Divisions have reported by [+3-6 months from program start (after planning)].
  • Phase Two: Medium Priorities - 75% of Divisions have reported by [+6-12 months from program start].
  • Phase Three: Low Priorities - 50% of divisions have reported by [+12-24 months from program start].
  • Implementation Calendarhttps://kb.wisc.edu/asset-reporting/internal/103647
  • Priorities
    • High - easy to get, critical systems/equipment/services, high-risk systems (high-risk data), very expensive purchases.
    • Medium - research and specialized devices that are on the network (non-traditional “IT” assets), other desktops and laptops (not in the easy to get list), large quantity software licenses.
    • Low - inventory information that is extremely difficult to access. Small quantity software licenses.

Reason

  • Records of IT asset can be used to achieve business, security, and audit goals and requirements.

Scope

  • The ultimate scope of Asset Reporting is everything on campus that has, or can have, an IP address.  There are 3 aspects to Asset Reporting:
    • Hardware (Devices, Physical and Virtual)
    • Software
  • This will be an iterative process; therefore, to facilitate participation, the initial scope is best-effort, and is limited to:
    • Servers
    • Desktops
    • Laptops
  • NOTE – Installing Qualys, BigFix, or other vulnerability or endpoint management tools on all servers, desktops, and laptops helps achieve initial scope goals.  See Point 4.2 below.

What to do

  1. Review Roles

    Risk Executives, i.e., those individuals responsible for each division's IT assets, have already been designated (Risk Management Framework).  These people or their designees should coordinate on how to proceed with the inventory.  Choose a person to assume responsibility for submission, as well as classification, of the data (see below).  The Risk Executive or their designee will be the contact person for their organization's submission to the repository.

  2. Compile your asset data

    The tables below outlines the fields in the asset inventory repository, including both those required by UWSA Standard 1035.A as well as additional fields available for use.  Those compiling an inventory of their assets should use this as either a template to create a spreadsheet or database, or as a map from one's own existing data source to the repository.

    Hardware Assets (Physical & Virtual) Table, with Fields Populated by Qualys and BigFix

     Required? Asset Reporting Fields
     Qualys Fields  BigFix  Notes
      RecID   System field
      ActivationID activationID   System field
      Title name  The name of the asset.
      FQDN fqdn  
     X AssetType  Based off of UW_Model Proxy for IT Asset Type, non-normalized data.  Example: Rackmount, VM, Server, Router, Switch, Desktop, Printer, Phone, Etc.
      DeviceType  Based off of UW_Model Proxy for IT Asset Type, non-normalized data.  Example: Tablet, Array, Etc.
      Portable  Based off of UW_Model Proxy for IT Asset Type, non-normalized data.  Yes/No
     X Description   
      Environment   PRoxy for Description, non-normalized data.  Example:  Production, QA, Test, Dev
     X Lifecycle status  Proxy for Provisioning and Decommissioning, non-normalized data.  Example: Operational, Staging, Planned, Uninstalled
      Administrator   Proxy for Assigned Owner, non-normalized data
      AdministratorTeam   Proxy for Assigned Owner, non-normalized data
      RiskExecutive   Dean or Designee
     X SystemOwner activationTitle UW_Owner_or
    _Fiscal_Group
     Proxy for Assigned Owner, non-normalized data
      PrimaryUser lastLoggedOnUser UW_NetID Proxy for Assigned Owner, non-normalized data
     X IPAddress address IP Address 
     X MACAddress macaddress UW_MAC
    _Addresses
     
     X OperatingSystem operatingSystem OS Example:  NetWare 4.11
     X OperatingSystem
    Version
     operatingSystem
    Version
     OS Service Pack 5
      Backup    Yes/No - Bucky Backup Node managed by DoIT,
    or other BU method
     X Location  UW_Building Example:  Computer Sciences
      LocationCode   Proxy for Location, non-normalized data.  Example:  155; Canonical FPM codes available at https://map.wisc.edu/buildings/ .
      Location-Room  UW_Room Proxy for Location, non-normalized data.  Example:  B109
      DataCenter   Proxy for Location, non-normalized data.  Yes/No - Is the asset located in what is considered a data center?
     X Manufacturer manufacturer UW
    _Manufacturer
     
     X Model model UW
    _Model
     
     X AssetTagID assetid  
     X SerialNumber  UW
    _Serial_Number
     
     X PurchaseDate  UW
    _Purchase_Date
     
     X LicenseNumber
       If Applicable
     X LicenseExpiration   If Applicable
      UDDS   Proxy for Assigned Owner, non-normalized data.  Populated from SystemOwner
      Division   Populated from SystemOwner, System field
     X Capital    Correlated data
      SystemCategorization    High, Moderate, Low Risk
      DataClassification    Restricted, Sensitive, Internal, Public
     X LastAudited  lastCheckedIn  

    Software Table

     Required  Title  Type  Notes
    X  Product/Manufacturer  Text  Example: WordPerfect
    X  Version  Text  Example: 4.1
     X LicenseType Text Example:  Lease, Purchase
     X  LastFound  Date  aka LastAudited


  3. Classify your asset data

    • System Categorization - Systems or Services need to be designated High, Moderate, or Low Risk.
    • Data Classification - Assets need to be classified by the types of data they hold: Restricted, Sensitive, Internal, or Public.
    • Update your asset information accordingly.  As Asset Reporting is nascent, asset classification is best-effort at this stage.
  4. Upload Your asset data

    There are 3 methods for uploading data to the campus Asset Reporting repository:

    1. Database View Federation - those on campus that have a database of their assets, or utilize an IT service management tool like Cherwell where a Configuration Management Database (CMDB) is utilized, may federate their information into the Asset Reporting repository.  Contact DoIT Configuration Management at asset-reporting@doit.wisc.edu.
    2. Endpoint Management or Vulnerability Management Tool Federation - installation of the following software tools will federate information into the repository:
      • Qualys (campus users of this tool may wish to supplement information using CSV Import, see #3)
      • BigFix (campus users of this tool may wish to standardize their use of fields for reporting purposes, and may wish to supplement information using CSV Import, see #3)
      • WorkSpace ONE - In Development.
    3. CSV Import - Using the field layout above,
      1. Create a CSV file, using the following  templates for each table:
      2. You may add rows, but not change columns. Please make sure your initial column is populated with values for each row (requirement for generating a key for importation).
      3. Populate what fields you can.
      4. Save your 3 csv files in the format laid out. An example file name is "2019-DoIT-vponelis-hardware.csv" .  Upper or lower case does not matter.
      5. Contact asset-reporting@doit.wisc.edu.
      6. You will receive an email granting you access to the Asset Reporting Share from Manifest.
      7. Mount the Asset Repository Share - smb://asset-reporting.drive.wisc.edu/asset-reporting/
      8. Save your 3 CSV files to the Share.  Your data will be imported at the next federation point-in-time.
  5. Review your asset data

    You can review your asset data by requesting a report of DoIT's Configuration Manager by emailing asset-reporting@doit.wisc.edu .

  6. .  An export of your data will be emailed to you.  In the future, we envision a more user-friendly self-service process.




Keywords:Field Mapping Asset Inventory Data Import 1035.A 1035 A asset management uw madison network share data import asset management csv data import network share tl dr quick faq   Doc ID:93378
Owner:Victor P.Group:IT Asset Reporting
Created:2019-07-25 15:26 CDTUpdated:2021-08-09 11:50 CDT
Sites:IT Asset Reporting
Feedback:  4   2