UW Digital ID - LRA - Inventory Management of OTP Hardware Key Fobs
This document summarizes how LRAs will manage their inventory of OTP Hardware Key Fobs.
The hardware fobs for the Multi-Factor Authentication project have both physical and system-level value. The fobs cost approximately $20 each and are part of the system being used to protect highly sensitive data. This document lists the requirements for hardware storage and management.
1. There will be two types of inventories, the Master inventory and the LRA (campus) level inventory.
2. The Master inventory of hardware fobs shall be kept at UW-Madison by the UW Digital ID team. This inventory comes from the manufacturer of the fobs and will be a central distribution point for all the UW campuses. The UW Digital ID team will provide inventory control and secure storage for these devices. A secure location is defined as a location in which access to the devices is physically limited to the UW Digital ID team only. Such a location would be secured, at a minimum, by a locked file cabinet within an office that should be locked whenever unoccupied.
3. The LRA level inventory is defined as hardware fobs in unused inventory at each individual campus. UW Digital ID recommends each campus have a 10% surplus (e.g. if they distribute 100, then 10 should be the surplus on hand). They will provide inventory control and secure storage for these devices. A secure location is defined as a location in which access to the devices is physically limited to the campus LRA(s) only. Such a location would be secured, at a minimum, by a locked file cabinet within an office that should be locked whenever unoccupied.
4. Any time a hardware fob is removed from inventory, its reason for removal should be logged.
5. All hardware fobs in unused inventory must be stored in a location owned by the university. Hardware fobs may not be stored off-site in a private location such as a home.
6. A contingency access procedure must be in place for situations in which the LRA is unable to physically access the unused hardware fob inventory.
7. All hardware fobs shipped to UW-System campuses shall be shipped by a carrier which provides chain-of-custody controls and proof of delivery.
8. All broken hardware fobs should be shipped to the UW Digital ID team at UW-Madison by a carrier which provides chain-of-custody controls and proof of delivery.