UW-Madison - IT - IT Asset Inventory Reporting Implementation Plan
Text in italics is not part of the official text. Please link to this page when referring to the list of all Cybersecurity Policies.
Applies to all UW-Madison entities with IT assets.
The IT Asset Reporting Implementation Plan contains the supporting guidelines and procedures for establishing an IT asset reporting program. It supports the UW-Madison IT Asset Reporting Policy by providing the framework, guidelines, and requirements for reporting accurate IT asset data at UW-Madison.
Frequency of Updates
- Critical systems/equipment/services/software
- Devices that store or access high-risk data
- Very expensive systems/equipment/services/software
- Endpoints whose data can be collected automatically through endpoint, security, or other data sources
- Non-traditional IT assets (e.g. embedded systems, specialized devices)
- Other desktops and laptops that cannot be inventoried via automation
- Large quantity software licenses
- Medium-risk systems/equipment/services/software
- IT assets not already inventoried
- Small quantity software licenses
- Policy Approval
- Staging and Preparation [6 months after policy approval]:
- Common standards, tools, procedures, reports, communication plan, and training are available
- Divisional Deans and Directors have established procedures and responsible roles, completed within six months after the policy has been approved
- CIO identifies governance group for this service/program
- CIO consults with IT leaders and approves program start
- Program Start
- Phase One [6 months after completion of staging and preparation]: High Priorities - Goal: 85% of Divisions have reported
- Phase Two [6 months after Phase One completion]: Medium Priorities - Goal: 75% of Divisions have reported
- Phase Three [12 months after Phase Two completion]: Low Priorities - Goal: 50% of Divisions have reported
Asset Program Reporting Metrics
- The number of divisions reporting assets related to each phase (High, Medium and Low).
a. Where applicable, the number of departments and units reporting (per division).
- Identify the number of assets by asset class [SEE KB].
- Identify the number of assets identified by department or unit.
- The number of assets identified by the Cybersecurity Operations Center reporting potential incidents that are or are not identified in the asset aggregation database. (Requires list of devices identified by CSOC)
- Average “age” of asset
- Average cost of asset by asset type (configuration item)
- Number of assets sent to SWAP by department
- Number of assets with purchase, maintenance, and subscription licenses
- List of assets set to “expire” within 12 months
- Vulnerability Management Tools – Qualys
- Endpoint Management Tools - BigFix, Workspace ONE, DoIT Configuration Management Database (CMDB), etc.
- CSV Upload as needed or warranted
Data Management Plan
- Identifies how access to the data set is requested, reviewed, approved, and removed
- How the data is to be used/not used
- Backup/restore requirements
- Data lifecycle requirements
Outreach and Training
- Onboarding new units for data collection and submission.
- Best practices for incorporating additional inventory reporting data in automated tools such as BigFix and Workspace ONE.
- Training on generating standard and custom reports from the repository.
Please address questions or comments to firstname.lastname@example.org.
Related UW-Madison Policies
Related UW-Madison Documents