UW-Madison - IT - IT Asset Inventory Reporting Implementation Plan

Text in italics is not part of the official text. Please link to this page when referring to the list of all Cybersecurity Policies.

Applies to all UW-Madison entities with IT assets.

The IT Asset Reporting Implementation Plan contains the supporting guidelines and procedures for establishing an IT asset reporting program, in support of the UW-Madison IT Asset Reporting Policy providing the framework, guidelines, and requirements for reporting accurate IT asset data at UW-Madison.



Frequency of Updates

Divisions and units are minimally responsible for reporting to the common system each calendar quarter. Continuous reporting is desired but not expected or feasible in all situations.

Decision-Making Guidance

Divisions and other units will make IT Asset Inventory Reporting decisions in accordance with the principles in the Policy in addition to the priorities and timeline below. The department or unit is responsible for evaluating the assets and resources available, and applying the priorities as they determine.

Priorities:

    • High:
      • Critical systems/equipment/services/software
      • Devices that store or access high-risk data
      • Very expensive systems/equipment/services/software
      • Endpoints whose data can be collected automatically through endpoint, security, or other data sources
    • Medium:
      • Non-traditional IT assets (e.g. embedded systems, specialized devices)
      • Other desktops and laptops that cannot be inventoried via automation
      • Large quantity software licenses
      • Medium-risk systems/equipment/services/software
    • Low:
      • IT assets not already inventoried
      • Small quantity software licenses

Timeline

The timeline begins once the policy has been approved. There are two parts of the implementation timeline. The first part of the timeline is planning and development for being able to collect and report IT asset data and development of standards for different types of IT assets. Development of appropriate and feasible standards will take significant effort from IT staff from across campus. DoIT will have to ready the inventory data repository as a supported service. The second part of the timeline coincides with the start of the program.

  • Policy Approval
  • Staging and Preparation [6 months after policy approval]:
    • Common standards, tools, procedures, reports, communication plan, and training are available
    • Divisional Deans and Directors have established procedures and responsible roles, completed within six months after the policy has been approved
    • CIO identifies governance group for this service/program
    • CIO consults with IT leaders and approves program start
  • Program Start
  • Phase One [6 months after completion of staging and preparation]: High Priorities - Goal: 85% of Divisions have reported
  • Phase Two [6 months after Phase One completion]: Medium Priorities - Goal: 75% of Divisions have reported
  • Phase Three [12 months after Phase Two completion]: Low Priorities - Goal: 50% of Divisions have reported

Asset Program Reporting Metrics

During Staging and Preparation the Vice Provost for Information Technology and Chief Information Officer is responsible for identifying and implementing processes and metrics to measure the completion of this implementation plan. Report elements should include the following:
  1. The number of divisions reporting assets related to each phase (High, Medium and Low).
    a. Where applicable, the number of departments and units reporting (per division).
  2. Identify the number of assets by asset class [SEE KB].
  3. Identify the number of assets identified by department or unit.

Stakeholder Metrics/Reports

During Staging and Preparation the Vice Provost for Information Technology and Chief Information Officer is responsible for identifying which governance or stakeholder group should provide input to the type of metrics and reports to be created and managed. A standard operating procedure should be created for receiving additional requests or changes to existing reports. Examples of stakeholder reports that may inform the data collected in asset reporting include:

  1. The number of assets identified by the Cybersecurity Operations Center reporting potential incidents that are or are not identified in the asset aggregation database. (Requires list of devices identified by CSOC)
  2. Average “age” of asset
  3. Average cost of asset by asset type (configuration item)
  4. Number of assets sent to SWAP by department
  5. Number of assets with purchase, maintenance, and subscription licenses
  6. List of assets set to “expire” within 12 months

Data Collection

The IT Asset Reporting project is currently collecting data from several sources:
  1. Vulnerability Management Tools - Qualys
  2. Endpoint Management Tools - BigFix, Workspace ONE, DoIT Configuration Management Database (CMDB), etc.
  3. CSV Upload as needed or warranted
Additional data sources can be added in the future if determined to be effective.

Data Management Plan

In accordance with the Office of Data Management and Analytic Services and the policy standards (currently in development), the IT Asset Data Custodian and Chief Information Security Officer (CISO) is responsible for identifying and overseeing a data management plan that provides the following requirements:
  • Identifies how access to the data set is requested, reviewed, approved, and removed
  • How the data is to be used/not used
  • Backup/restore requirements
  • Data lifecycle requirements

Communications Plan

A communications plan will be created and coordinated through DoIT Communications during the Staging and Preparation period.

Outreach and Training

Service and Tool Owners are responsible for creating an outreach and training program that assists IT professionals with the program/service, including:
  • Onboarding new units for data collection and submission.
  • Best practices for incorporating additional inventory reporting data in automated tools such as BigFix and Workspace ONE.
  • Training on generating standard and custom reports from the repository.

Contact

Please address questions or comments to itpolicy@cio.wisc.edu.

Related UW-Madison Policies

UW-Madison IT Policies
UW-Madison IT Asset Inventory Reporting Policy        
Cybersecurity Risk Management Policy 
UW-Madison – IT – Electronic Devices Connected to the Network Policy 
UW-Madison – IT – Data Classification Policy 
UW-Madison Administrative Policy – UW-3008 Capital Equipment
UW-Madison Institutional Data Policy 

Related UW-Madison Documents

UW-Madison IT Asset Inventory Reporting Standards - In Development
Data Stewards - UW-Madison Office of Data Management and Analytic Services 

External References including University of Wisconsin System Administration (UWSA) Policies

UW System Board of Regents Policy 25.3 Acceptable Use of Information Resources 
UW System Administrative Policy 1035 Information Security: IT Asset Management 
UW System Administrative Procedure 1035.A Information Security: IT Asset Management Standard 

Text in italics is not part of the official text. Please link to this page when referring to the list of all IT Policies.



Keywords: IT Policy Asset Reporting
Doc ID: 110105
Owned by: Heather J. in IT Policy
Created: 2021-04-05
Updated: 2024-08-01
Sites: IT Policy