Asset Reporting - What it is, What to do

This document tells you about IT Asset Reporting at UW-Madison.

What it is

Origin

  • Asset Reporting arose out of a UW System Administration proposed policy and standard, 1035 and 1035.A, respectively, regarding IT asset reporting from both a business and cybersecurity perspective.  UW-Madison's Division of Information Technology and Office of Cybersecurity have sponsored a campus effort to meet the needs of the Regents while countenancing the disparate information gathering and reporting capabilities of campus partners.

Goal

  • To create and maintain a campus data repository where records of IT assets can be compiled and updated on a regular (quarterly to yearly) basis.
  • Phase One: High Priorities - 85% of Divisions have reported by [+3-6 months from program start (after planning)].
  • Phase Two: Medium Priorities - 75% of Divisions have reported by [+6-12 months from program start].
  • Phase Three: Low Priorities - 50% of divisions have reported by [+12-24 months from program start].
  • Implementation Calendarhttps://kb.wisc.edu/asset-reporting/internal/103647
  • Priorities
    • High - easy to get, critical systems/equipment/services, high-risk systems (high-risk data), very expensive purchases.
    • Medium - research and specialized devices that are on the network (non-traditional “IT” assets), other desktops and laptops (not in the easy to get list), large quantity software licenses.
    • Low - inventory information that is extremely difficult to access. Small quantity software licenses.

Reason

  • Records of IT asset can be used to achieve business, security, and audit goals and requirements.

Scope

  • The ultimate scope of Asset Reporting is everything on campus that has, or can have, an IP address.  There are 3 aspects to Asset Reporting:
    • Hardware (Devices, Physical and Virtual)
    • Software
    • Licensing
  • This will be an iterative process; therefore, to facilitate participation, the initial scope is best-effort, and is limited to:
    • Servers
    • Desktops
    • Laptops
  • NOTE – Installing Qualys or BigFix on all servers, desktops, and laptops achieves initial scope goals.  See Point 4.2 below.

What to do

  1. Review Roles

    Risk Executives, i.e., those individuals responsible for each division's IT assets, have already been designated (Risk Management Framework).  These people or their designees should coordinate on how to proceed with the inventory.  Choose a person to assume responsibility for submission, as well as classification, of the data (see below).  The Risk Executive or their designee will be the contact person for their organization's submission to the repository.

  2. Compile your asset data

    The tables below outlines the fields in the asset inventory repository, including both those required by UWSA Standard 1035.A as well as additional fields available for use.  Those compiling an inventory of their assets should use this as either a template to create a spreadsheet or database, or as a map from one's own existing data source to the repository.

    Hardware Assets (Physical & Virtual) Table, with Fields Populated by Qualys and BigFix

     Required? Asset Reporting Fields
     Qualys Fields  BigFix  Notes
      RecID   
      ActivationID activationID   
      Title name  The name of the asset.
      FQDN fqdn  
     X ConfigurationItemTypeName  X Example: Rackmount, VM, Server, Router, Switch, Desktop, Printer, Phone, Etc.
      DeviceType  X Example: Tablet, Array, Etc.
     X Portable  X Yes/No
      Description   
      Environment   Example:  Production, QA, Test, Dev
      Lifecycle status  Example: Operational, Staging, Planned, Uninstalled/Decommissioned
      Administrator   
      AdministratorTeam   
      RiskExecutive   Dean or Designee
     X SystemOwner activationTitle X 
      PrimaryUser lastLoggedOnUser X 
     X IPAddress address X 
     X MACAddress macaddress X 
     X OperatingSystem operatingSystem X 
     X OperatingSystemVersion operatingSystemVersion X 
     X Backup    Yes/No - Bucky Backup Node managed by DoIT, or other BU method
     X Location  X Example:  Computer Sciences
      LocationCode   Example:  155; Canonical FPM codes available at https://map.wisc.edu/buildings/ .
      Location-Room  X Example:  B109
     X DataCenter   Yes/No - Is the asset located in what is considered a data center?
     X Manufacturer manufacturer X 
     X Model model X 
     X AssetTagID assetid  
     X SerialNumber  X 
     X PurchaseDate  X 
     X LicenseNumber
      X If Applicable
     X LicenseExpiration  X If Applicable
     X UDDS   Populated from SystemOwner
      Division   Populated from SystemOwner
     X Capital    Yes/No - Is the asset considered capital, i.e., greater in value than $5000?
      CapitalAccountCode    
      SystemCategorization    
     X DataClassification    
     X Criticality   
     X Criticality-Likelihood   
     X Criticality-Consequence    
     X LastAudited  lastCheckedIn  

    Software Table

     Required  Title  Type  Notes
    X  Product  Text  Example: WordPerfect
    X  Version  Text  Example: 4.1
     X LicenseType Text Example:  Lease, Purchase
     X  LastFound  Date  aka LastAudited

    Licensing Table

     Required  Title  Type  Notes
     X  Title  Text  aka Name
     X  PurchaseDate  Date  
     X  ExpirationDate  Date  
     X  SerialNumber  Text  
  3. Classify your asset data

    • Criticality - Assets need to be classified by a new measure, Criticality. Criticality is a function of the Likelihood that a service interruption will occur, measured against the Consequence of such an interruption.

      Criticality Matrix
    • Data Classification - Assets need to be classified by the types of data they hold: Restricted, Sensitive, Internal, or Public.
    • Update your asset information accordingly.  As Asset Reporting is nascent, asset classification is best-effort at this stage.
  4. Upload Your asset data

    There are 3 methods for uploading data to the campus Asset Reporting repository:

    1. Database View Federation - those on campus that have a database of their assets, or utilize an IT service management tool like Cherwell where a Configuration Management Database (CMDB) is utilized, may federate their information into the Asset Reporting repository.  Contact DoIT Configuration Management at asset-reporting@doit.wisc.edu.
    2. Endpoint Management or Vulnerability Management Tool Federation - installation of the following software tools will federate information into the repository:
      • Qualys (campus users of this tool may wish to supplement information using CSV Import, see #3)
      • BigFix (campus users of this tool may wish to standardize their use of fields for reporting purposes, and may wish to supplement information using CSV Import, see #3)
    3. CSV Import - Using the field layout above,
      1. Create a CSV file, using the following  templates for each table:
      2. You may add rows, but not change columns. Please make sure your initial column is populated with values for each row (requirement for generating a key for importation).
      3. Populate what fields you can.
      4. Save your 3 csv files in the format laid out. An example file name is "2019-DoIT-vponelis-hardware.csv" .  Upper or lower case does not matter.
      5. Contact asset-reporting@doit.wisc.edu.
      6. You will receive an email granting you access to the Asset Reporting Share from Manifest.
      7. Mount the Asset Repository Share - smb://asset-reporting.drive.wisc.edu/asset-reporting/
      8. Save your 3 CSV files to the Share.  Your data will be imported at the next federation point-in-time.
  5. Review your asset data

    You can review your asset data by requesting a report of DoIT's Configuration Manager by emailing asset-reporting@doit.wisc.edu .

  6. .  An export of your data will be emailed to you.  In the future, we envision a more user-friendly self-service process.




Keywords:Field Mapping Asset Inventory Data Import 1035.A 1035 A asset management uw madison network share data import asset management csv data import network share tl dr quick faq   Doc ID:93378
Owner:Victor P.Group:IT Asset Reporting
Created:2019-07-25 15:26 CDTUpdated:2020-10-30 08:03 CDT
Sites:IT Asset Reporting
Feedback:  1   0