Asset Reporting - What it is, What to do
This document tells you about IT Asset Reporting at UW-Madison. This document is currently under review following approval of the Policy and Implementation Plan.
What it is
- Asset Reporting arose out of a UW System Administration proposed policy and standard, 1035 and 1035.A, respectively, regarding IT asset reporting from both a business and cybersecurity perspective. UW-Madison's Division of Information Technology and Office of Cybersecurity have sponsored a campus effort to meet the needs of the Regents while countenancing the disparate information gathering and reporting capabilities of campus partners.
- To create and maintain a campus data repository where records of IT assets can be compiled and updated on a regular (quarterly to yearly) basis.
- Phase One: High Priorities - 85% of Divisions have reported by [+3-6 months from program start (after planning)].
- Phase Two: Medium Priorities - 75% of Divisions have reported by [+6-12 months from program start].
- Phase Three: Low Priorities - 50% of divisions have reported by [+12-24 months from program start].
- Implementation Calendar - https://kb.wisc.edu/asset-reporting/internal/103647
- High - easy to get, critical systems/equipment/services, high-risk systems (high-risk data), very expensive purchases.
- Medium - research and specialized devices that are on the network (non-traditional “IT” assets), other desktops and laptops (not in the easy to get list), large quantity software licenses.
- Low - inventory information that is extremely difficult to access. Small quantity software licenses.
- Records of IT asset can be used to achieve business, security, and audit goals and requirements.
- The ultimate scope of Asset Reporting is everything on campus that has, or can have, an IP address. There are 3 aspects to Asset Reporting:
- Hardware (Devices, Physical and Virtual)
- This will be an iterative process; therefore, to facilitate participation, the initial scope is best-effort, and is limited to:
- NOTE – Installing Qualys, BigFix, or other vulnerability or endpoint management tools on all servers, desktops, and laptops helps achieve initial scope goals. See Point 4.2 below.
What to do
Risk Executives, i.e., those individuals responsible for each division's IT assets, have already been designated (Risk Management Framework). These people or their designees should coordinate on how to proceed with the inventory. Choose a person to assume responsibility for submission, as well as classification, of the data (see below). The Risk Executive or their designee will be the contact person for their organization's submission to the repository.
Compile your asset data
The tables below outlines the fields in the asset inventory repository, including both those required by UWSA Standard 1035.A as well as additional fields available for use. Those compiling an inventory of their assets should use this as either a template to create a spreadsheet or database, or as a map from one's own existing data source to the repository.
Hardware Assets (Physical & Virtual) Table, with Fields Populated by Qualys and BigFix
Required? Asset Reporting Fields Qualys Fields BigFix Notes RecID System field ActivationID activationID System field Title name The name of the asset. FQDN fqdn X AssetType Based off of UW_Model Proxy for IT Asset Type, non-normalized data. Example: Rackmount, VM, Server, Router, Switch, Desktop, Printer, Phone, Etc. DeviceType Based off of UW_Model Proxy for IT Asset Type, non-normalized data. Example: Tablet, Array, Etc. Portable Based off of UW_Model Proxy for IT Asset Type, non-normalized data. Yes/No X Description Environment PRoxy for Description, non-normalized data. Example: Production, QA, Test, Dev X Lifecycle status Proxy for Provisioning and Decommissioning, non-normalized data. Example: Operational, Staging, Planned, Uninstalled Administrator Proxy for Assigned Owner, non-normalized data AdministratorTeam Proxy for Assigned Owner, non-normalized data RiskExecutive Dean or Designee X SystemOwner activationTitle UW_Owner_or
Proxy for Assigned Owner, non-normalized data PrimaryUser lastLoggedOnUser UW_NetID Proxy for Assigned Owner, non-normalized data X IPAddress address IP Address X MACAddress macaddress UW_MAC
X OperatingSystem operatingSystem OS Example: NetWare 4.11 X OperatingSystem
OS Service Pack 5 Backup Yes/No - Bucky Backup Node managed by DoIT,
or other BU method
X Location UW_Building Example: Computer Sciences LocationCode Proxy for Location, non-normalized data. Example: 155; Canonical FPM codes available at https://map.wisc.edu/buildings/ . Location-Room UW_Room Proxy for Location, non-normalized data. Example: B109 DataCenter Proxy for Location, non-normalized data. Yes/No - Is the asset located in what is considered a data center? X Manufacturer manufacturer UW
X Model model UW
X AssetTagID assetid X SerialNumber UW
X PurchaseDate UW
X LicenseNumber If Applicable X LicenseExpiration If Applicable UDDS Proxy for Assigned Owner, non-normalized data. Populated from SystemOwner Division Populated from SystemOwner, System field X Capital Yes/No - Is the asset considered capital, i.e.,
greater in value than $5000?
SystemCategorization High, Moderate, Low Risk DataClassification Restricted, Sensitive, Internal, Public X LastAudited lastCheckedIn
Required Title Type Notes X Product/Manufacturer Text Example: WordPerfect X Version Text Example: 4.1 X LicenseType Text Example: Lease, Purchase X LastFound Date aka LastAudited
Classify your asset data
- System Categorization - Systems or Services need to be designated High, Moderate, or Low Risk.
- Data Classification - Assets need to be classified by the types of data they hold: Restricted, Sensitive, Internal, or Public.
- Update your asset information accordingly. As Asset Reporting is nascent, asset classification is best-effort at this stage.
Upload Your asset data
There are 3 methods for uploading data to the campus Asset Reporting repository:
- Database View Federation - those on campus that have a database of their assets, or utilize an IT service management tool like Cherwell where a Configuration Management Database (CMDB) is utilized, may federate their information into the Asset Reporting repository. Contact DoIT Configuration Management at email@example.com.
- Endpoint Management or Vulnerability Management Tool Federation - installation of the following software tools will federate information into the repository:
- Qualys (campus users of this tool may wish to supplement information using CSV Import, see #3)
- BigFix (campus users of this tool may wish to standardize their use of fields for reporting purposes, and may wish to supplement information using CSV Import, see #3)
- WorkSpace ONE - In Development.
- CSV Import - Using the field layout above,
- Create a CSV file, using the following templates for each table:
- You may add rows, but not change columns. Please make sure your initial column is populated with values for each row (requirement for generating a key for importation).
- Populate what fields you can.
- Save your 3 csv files in the format laid out. An example file name is "2019-DoIT-vponelis-hardware.csv" . Upper or lower case does not matter.
- Contact firstname.lastname@example.org.
- You will receive an email granting you access to the Asset Reporting Share from Manifest.
- Mount the Asset Repository Share - smb://asset-reporting.drive.wisc.edu/asset-reporting/
- Save your 3 CSV files to the Share. Your data will be imported at the next federation point-in-time.
Review your asset data
You can review your asset data by requesting a report of DoIT's Configuration Manager by emailing email@example.com .
. An export of your data will be emailed to you. In the future, we envision a more user-friendly self-service process.