Asset Reporting - What it is, What to do

This document tells you about IT Asset Reporting at UW-Madison.

What it is

Origin

Asset Reporting arose out of a UW System Administration proposed policy and standard, 1035 and 1035.A, respectively, regarding IT asset reporting from both a business and cybersecurity perspective. UW-Madison's Division of Information Technology and Office of Cybersecurity have sponsored a campus effort to meet the needs of the Regents while countenancing the disparate information gathering and reporting capabilities of campus partners.

Goal

To create and maintain a campus data repository where records of IT assets can be compiled and updated on a regular (quarterly to yearly) basis.

Phase One: High Priorities - 85% of Divisions have reported by [+3-6 months from program start (after planning)].
Phase Two: Medium Priorities - 75% of Divisions have reported by [+6-12 months from program start].
Phase Three: Low Priorities - 50% of divisions have reported by [+12-24 months from program start].
Implementation Calendar - https://kb.wisc.edu/asset-reporting/internal/103647

Priorities

High - easy to get, critical systems/equipment/services, high-risk systems (high-risk data), very expensive purchases.
Medium - research and specialized devices that are on the network (non-traditional “IT” assets), other desktops and laptops (not in the easy to get list), large quantity software licenses.
Low - inventory information that is extremely difficult to access. Small quantity software licenses.

Reason

Records of IT asset can be used to achieve business, security, and audit goals and requirements.

Scope

The ultimate scope of Asset Reporting is everything on campus that has, or can have, an IP address. There are 3 aspects to Asset Reporting:

Hardware (Devices, Physical and Virtual)
Software
Licensing

This will be an iterative process; therefore, to facilitate participation, the initial scope is best-effort, and is limited to:

Servers
Desktops
Laptops

NOTE – Installing Qualys or BigFix on all servers, desktops, and laptops achieves initial scope goals. See Point 4.2 below.

What to do

Review Roles
Risk Executives, i.e., those individuals responsible for each division's IT assets, have already been designated (Risk Management Framework). These people or their designees should coordinate on how to proceed with the inventory. Choose a person to assume responsibility for submission, as well as classification, of the data (see below). The Risk Executive or their designee will be the contact person for their organization's submission to the repository.

Compile your asset data

The tables below outlines the fields in the asset inventory repository, including both those required by UWSA Standard 1035.A as well as additional fields available for use. Those compiling an inventory of their assets should use this as either a template to create a spreadsheet or database, or as a map from one's own existing data source to the repository.

Hardware Assets (Physical & Virtual) Table, with Fields Populated by Qualys and BigFix

Required?	Asset Reporting Fields	Qualys Fields	BigFix	Notes
	RecID
	ActivationID	activationID
	Title	name		The name of the asset.
	FQDN	fqdn
X	ConfigurationItemTypeName		X	Example: Rackmount, VM, Server, Router, Switch, Desktop, Printer, Phone, Etc.
	DeviceType		X	Example: Tablet, Array, Etc.
X	Portable		X	Yes/No
	Description
	Environment			Example: Production, QA, Test, Dev
	Lifecycle	status		Example: Operational, Staging, Planned, Uninstalled/Decommissioned
	Administrator
	AdministratorTeam
	RiskExecutive			Dean or Designee
X	SystemOwner	activationTitle	X
	PrimaryUser	lastLoggedOnUser	X
X	IPAddress	address	X
X	MACAddress	macaddress	X
X	OperatingSystem	operatingSystem	X
X	OperatingSystemVersion	operatingSystemVersion	X
X	Backup			Yes/No - Bucky Backup Node managed by DoIT, or other BU method
X	Location		X	Example: Computer Sciences
	LocationCode			Example: 155; Canonical FPM codes available at https://map.wisc.edu/buildings/ .
	Location-Room		X	Example: B109
X	DataCenter			Yes/No - Is the asset located in what is considered a data center?
X	Manufacturer	manufacturer	X
X	Model	model	X
X	AssetTagID	assetid
X	SerialNumber		X
X	PurchaseDate		X
X	LicenseNumber		X	If Applicable
X	LicenseExpiration		X	If Applicable
X	UDDS			Populated from SystemOwner
	Division			Populated from SystemOwner
X	Capital			Yes/No - Is the asset considered capital, i.e., greater in value than $5000?
	CapitalAccountCode
	SystemCategorization
X	DataClassification
X	Criticality
X	Criticality-Likelihood
X	Criticality-Consequence
X	LastAudited	lastCheckedIn

Software Table

Required	Title	Type	Notes
X	Product	Text	Example: WordPerfect
X	Version	Text	Example: 4.1
X	LicenseType	Text	Example: Lease, Purchase
X	LastFound	Date	aka LastAudited

Licensing Table

Required	Title	Type	Notes
X	Title	Text	aka Name
X	PurchaseDate	Date
X	ExpirationDate	Date
X	SerialNumber	Text

Classify your asset data
- Criticality - Assets need to be classified by a new measure, Criticality. Criticality is a function of the Likelihood that a service interruption will occur, measured against the Consequence of such an interruption.
- Data Classification - Assets need to be classified by the types of data they hold: Restricted, Sensitive, Internal, or Public.
- Update your asset information accordingly. As Asset Reporting is nascent, asset classification is best-effort at this stage.
Upload Your asset data

There are 3 methods for uploading data to the campus Asset Reporting repository:
1. Database View Federation - those on campus that have a database of their assets, or utilize an IT service management tool like Cherwell where a Configuration Management Database (CMDB) is utilized, may federate their information into the Asset Reporting repository. Contact DoIT Configuration Management at asset-reporting@doit.wisc.edu.
2. Endpoint Management or Vulnerability Management Tool Federation - installation of the following software tools will federate information into the repository:
  - Qualys (campus users of this tool may wish to supplement information using CSV Import, see #3)
  - BigFix (campus users of this tool may wish to standardize their use of fields for reporting purposes, and may wish to supplement information using CSV Import, see #3)
3. CSV Import - Using the field layout above,
  1. Create a CSV file, using the following templates for each table:
    - Hardware Template - it-asset-reporting-HardWare-UWMSN-NetID.csv
    - Software Template - it-asset-reporting-SoftWare-UWMSN-NetID.csv
    - Licensing Template - it-asset-reporting-Licensing-UWMSN-NetID.csv
  2. You may add rows, but not change columns. Please make sure your initial column is populated with values for each row (requirement for generating a key for importation).
  3. Populate what fields you can.
  4. Save your 3 csv files in the format laid out. An example file name is "2019-DoIT-vponelis-hardware.csv" . Upper or lower case does not matter.
  5. Contact asset-reporting@doit.wisc.edu.
  6. You will receive an email granting you access to the Asset Reporting Share from Manifest.
  7. Mount the Asset Repository Share - smb://asset-reporting.drive.wisc.edu/asset-reporting/
  8. Save your 3 CSV files to the Share. Your data will be imported at the next federation point-in-time.
Review your asset data

You can review your asset data by requesting a report of DoIT's Configuration Manager by emailing asset-reporting@doit.wisc.edu .
. An export of your data will be emailed to you. In the future, we envision a more user-friendly self-service process.

Keywords:	Field Mapping Asset Inventory Data Import 1035.A 1035 A asset management uw madison network share data import asset management csv data import network share tl dr quick faq Suggest keywords	Doc ID:	93378
Owner:	Victor P.	Group:	IT Asset Reporting
Created:	2019-07-25 15:26 CDT	Updated:	2020-10-30 08:03 CDT
Sites:	IT Asset Reporting
Feedback:	1 0 Comment Suggest a new document