Asset Reporting - What it is, What to do
This document tells you about IT Asset Reporting at UW-Madison.
What it is
Origin
- Asset Reporting arose out of a UW System Administration proposed policy and standard, 1035 and 1035.A, respectively, regarding IT asset reporting from both a business and cybersecurity perspective. UW-Madison's Division of Information Technology and Office of Cybersecurity have sponsored a campus effort to meet the needs of the Regents while countenancing the disparate information gathering and reporting capabilities of campus partners.
Goal
- To create and maintain a campus data repository where records of IT assets can be compiled and updated on a regular (quarterly to yearly) basis.
- Phase One: High Priorities - 85% of Divisions have reported by [+3-6 months from program start (after planning)].
- Phase Two: Medium Priorities - 75% of Divisions have reported by [+6-12 months from program start].
- Phase Three: Low Priorities - 50% of divisions have reported by [+12-24 months from program start].
- Implementation Calendar - https://kb.wisc.edu/asset-reporting/internal/103647
- Priorities
- High - easy to get, critical systems/equipment/services, high-risk systems (high-risk data), very expensive purchases.
- Medium - research and specialized devices that are on the network (non-traditional “IT” assets), other desktops and laptops (not in the easy to get list), large quantity software licenses.
- Low - inventory information that is extremely difficult to access. Small quantity software licenses.
Reason
- Records of IT asset can be used to achieve business, security, and audit goals and requirements.
Scope
- The ultimate scope of Asset Reporting is everything on campus that has, or can have, an IP address. There are 3 aspects to Asset Reporting:
- Hardware (Devices, Physical and Virtual)
- Software
- Licensing
- This will be an iterative process; therefore, to facilitate participation, the initial scope is best-effort, and is limited to:
- Servers
- Desktops
- Laptops
- NOTE – Installing Qualys or BigFix on all servers, desktops, and laptops achieves initial scope goals. See Point 4.2 below.
What to do
Review Roles
Risk Executives, i.e., those individuals responsible for each division's IT assets, have already been designated (Risk Management Framework). These people or their designees should coordinate on how to proceed with the inventory. Choose a person to assume responsibility for submission, as well as classification, of the data (see below). The Risk Executive or their designee will be the contact person for their organization's submission to the repository.
Compile your asset data
The tables below outlines the fields in the asset inventory repository, including both those required by UWSA Standard 1035.A as well as additional fields available for use. Those compiling an inventory of their assets should use this as either a template to create a spreadsheet or database, or as a map from one's own existing data source to the repository.
Hardware Assets (Physical & Virtual) Table, with Fields Populated by Qualys and BigFix
Required? Asset Reporting Fields Qualys Fields BigFix Notes RecID ActivationID activationID Title name The name of the asset. FQDN fqdn X ConfigurationItemTypeName X Example: Rackmount, VM, Server, Router, Switch, Desktop, Printer, Phone, Etc. DeviceType X Example: Tablet, Array, Etc. X Portable X Yes/No Description Environment Example: Production, QA, Test, Dev Lifecycle status Example: Operational, Staging, Planned, Uninstalled/Decommissioned Administrator AdministratorTeam RiskExecutive Dean or Designee X SystemOwner activationTitle X PrimaryUser lastLoggedOnUser X X IPAddress address X X MACAddress macaddress X X OperatingSystem operatingSystem X X OperatingSystemVersion operatingSystemVersion X X Backup Yes/No - Bucky Backup Node managed by DoIT, or other BU method X Location X Example: Computer Sciences LocationCode Example: 155; Canonical FPM codes available at https://map.wisc.edu/buildings/ . Location-Room X Example: B109 X DataCenter Yes/No - Is the asset located in what is considered a data center? X Manufacturer manufacturer X X Model model X X AssetTagID assetid X SerialNumber X X PurchaseDate X X LicenseNumber X If Applicable X LicenseExpiration X If Applicable X UDDS Populated from SystemOwner Division Populated from SystemOwner X Capital Yes/No - Is the asset considered capital, i.e., greater in value than $5000? CapitalAccountCode SystemCategorization X DataClassification X Criticality X Criticality-Likelihood X Criticality-Consequence X LastAudited lastCheckedIn Software Table
Required Title Type Notes X Product Text Example: WordPerfect X Version Text Example: 4.1 X LicenseType Text Example: Lease, Purchase X LastFound Date aka LastAudited Licensing Table
Required Title Type Notes X Title Text aka Name X PurchaseDate Date X ExpirationDate Date X SerialNumber Text Classify your asset data
Criticality - Assets need to be classified by a new measure, Criticality. Criticality is a function of the Likelihood that a service interruption will occur, measured against the Consequence of such an interruption.
- Data Classification - Assets need to be classified by the types of data they hold: Restricted, Sensitive, Internal, or Public.
- Update your asset information accordingly. As Asset Reporting is nascent, asset classification is best-effort at this stage.
Upload Your asset data
There are 3 methods for uploading data to the campus Asset Reporting repository:
- Database View Federation - those on campus that have a database of their assets, or utilize an IT service management tool like Cherwell where a Configuration Management Database (CMDB) is utilized, may federate their information into the Asset Reporting repository. Contact DoIT Configuration Management at asset-reporting@doit.wisc.edu.
- Endpoint Management or Vulnerability Management Tool Federation - installation of the following software tools will federate information into the repository:
- Qualys (campus users of this tool may wish to supplement information using CSV Import, see #3)
- BigFix (campus users of this tool may wish to standardize their use of fields for reporting purposes, and may wish to supplement information using CSV Import, see #3)
- CSV Import - Using the field layout above,
- Create a CSV file, using the following templates for each table:
- Hardware Template - it-asset-reporting-HardWare-UWMSN-NetID.csv
- Software Template - it-asset-reporting-SoftWare-UWMSN-NetID.csv
- Licensing Template - it-asset-reporting-Licensing-UWMSN-NetID.csv
- You may add rows, but not change columns. Please make sure your initial column is populated with values for each row (requirement for generating a key for importation).
- Populate what fields you can.
- Save your 3 csv files in the format laid out. An example file name is "2019-DoIT-vponelis-hardware.csv" . Upper or lower case does not matter.
- Contact asset-reporting@doit.wisc.edu.
- You will receive an email granting you access to the Asset Reporting Share from Manifest.
- Mount the Asset Repository Share - smb://asset-reporting.drive.wisc.edu/asset-reporting/
- Save your 3 CSV files to the Share. Your data will be imported at the next federation point-in-time.
- Create a CSV file, using the following templates for each table:
Review your asset data
You can review your asset data by requesting a report of DoIT's Configuration Manager by emailing asset-reporting@doit.wisc.edu .
. An export of your data will be emailed to you. In the future, we envision a more user-friendly self-service process.