UW-Madison - IT - IT Asset Inventory Reporting Implementation Plan
Text in italics is not part of the official text. Please link to this page when referring to the list of all Cybersecurity Policies.
Applies to all UW-Madison entities with IT assets.
The IT Asset Reporting Implementation Plan contains the supporting guidelines and procedures for establishing an IT asset reporting program, in support of the UW-Madison IT Asset Reporting Policy, providing the framework, guidelines, and requirements for reporting accurate IT asset data at UW-Madison.
Frequency of Updates
Divisions and units are minimally responsible for reporting to the common system each calendar quarter. Continuous reporting is desired but not expected or feasible in all situations.
Decision-Making Guidance
Divisions and other units will make IT Asset Inventory Reporting decisions in accordance with the principles in the Policy in addition to the priorities and timeline below. The department or unit is responsible for evaluating the assets and resources available, and applying the priorities as they determine.
Priorities:
- High:
  - Critical systems/equipment/services/software
  - Devices that store or access high-risk data
  - Very expensive systems/equipment/services/software
  - Endpoints whose data can be collected automatically through endpoint, security, or other data sources
- Medium:
  - Non-traditional IT assets (e.g. embedded systems, specialized devices)
  - Other desktops and laptops that cannot be inventoried via automation
  - Large quantity software licenses
  - Medium-risk systems/equipment/services/software
- Low:
  - IT assets not already inventoried
  - Small quantity software licenses
Timeline
The timeline begins once the policy has been approved. There are two parts of the implementation timeline. The first part of the timeline is planning and development for being able to collect and report IT asset data and development of standards for different types of IT assets. Development of appropriate and feasible standards will take significant effort from IT staff from across campus. DoIT will have to ready the inventory data repository as a supported service. The second part of the timeline coincides with the start of the program.
- Policy Approval
- Staging and Preparation [6 months after policy approval]:
  - Common standards, tools, procedures, reports, communication plan, and training are available
  - Divisional Deans and Directors have established procedures and responsible roles completed within six months after the policy has been approved
  - CIO identifies governance group for this service/program
  - CIO consults with IT leaders and approves program start
- Program Start
  - Phase One [6 months after completion of staging and preparation]: High Priorities - Goal: 85% of Divisions have reported
  - Phase Two [6 months after Phase One completion]: Medium Priorities - Goal: 75% of Divisions have reported
  - Phase Three [12 months after Phase Two completion]: Low Priorities - Goal: 50% of Divisions have reported
Asset Program Reporting Metrics
During Staging and Preparation, the Vice Provost for Information Technology and Chief Information Officer is responsible for identifying and implementing processes and metrics to measure the completion of this implementation plan. Report elements should include the following:
- The number of divisions reporting assets related to each phase (High, Medium and Low).
  a. Where applicable, the number of departments and units reporting (per division).
- Identify the number of assets by asset class [SEE KB].
- Identify the number of assets identified by department or unit.
Stakeholder Metrics/Reports
During Staging and Preparation, the Vice Provost for Information Technology and Chief Information Officer is responsible for identifying which governance or stakeholder group should provide input to the type of metrics and reports to be created and managed. A standard operating procedure should be created for receiving additional requests or changes to existing reports. Examples of stakeholder reports that may inform the data collected in asset reporting include:
- The number of assets identified by the Cybersecurity Operations Center reporting potential incidents that are or are not identified in the asset aggregation database. (Requires list of devices identified by CSOC)
- Average “age” of asset
- Average cost of asset by asset type (configuration item)
- Number of assets sent to SWAP by department
- Number of assets with purchase, maintenance, and subscription licenses
- List of assets set to “expire” within 12 months
Data Collection
The IT Asset Reporting project is currently collecting data from several sources:
- Vulnerability Management Tools – Qualys
- Endpoint Management Tools – BigFix, Workspace ONE, DoIT Configuration Management Database (CMDB), etc.
- CSV Upload as needed or warranted
Additional data sources can be added in the future if determined to be effective.
Data Management Plan
In accordance with the Office of Data Management and Analytic Services and the policy standards (currently in development), the IT Asset Data Custodian and Chief Information Security Officer (CISO) is responsible for identifying and overseeing a data management plan that provides the following requirements:
- Identifies how access to the data set is requested, reviewed, approved, and removed
- How the data is to be used/not used
- Backup/restore requirements
- Data lifecycle requirements
Communications Plan
A communications plan will be created and coordinated through DoIT Communications during the Staging and Preparation period.
Outreach and Training
Service and Tool Owners are responsible for creating an outreach and training program that assists IT professionals with the program/service, including:
- Onboarding new units for data collection and submission.
- Best practices for incorporating additional inventory reporting data in automated tools such as BigFix and Workspace ONE.
- Training on generating standard and custom reports from the repository.
Contact
Please address questions or comments to itpolicy@cio.wisc.edu.
Related UW-Madison Policies
UW-Madison IT Policies
UW-Madison IT Asset Inventory Reporting Policy
Cybersecurity Risk Management Policy
UW-Madison – IT – Electronic Devices Connected to the Network Policy
UW-Madison – IT – Data Classification Policy
UW-Madison Administrative Policy – UW-3008 Capital Equipment
UW-Madison Institutional Data Policy
Related UW-Madison Documents
UW-Madison IT Asset Inventory Reporting Standards - In Development
IT Policy Glossary
https://kb.wisc.edu/itpolicy/glossary
Data Stewards - UW-Madison Office of Data Management and Analytic Services
External References including University of Wisconsin System Administration (UWSA) Policies
UW System Board of Regents Policy 25.3 Acceptable Use of Information Resources
UW System Administrative Policy 1035 Information Security: IT Asset Management
UW System Administrative Procedure 1035.A Information Security: IT Asset Management Standard