IT asset management involves managing the acquisition, use and disposal of IT assets – as well as the related risks – over the lifecycle of those assets. Without a good IT asset management component, an institution will waste time and resources counting and tracking inventory, buying unnecessary equipment and software, and maintaining software license compliance.
All IT assets should be clearly identified and accounted for in an inventory listing, and each should have an assigned owner/custodian responsible for its appropriate protection and usage. The term “owner” identifies an individual or entity that has approved management responsibility for controlling the production, development, maintenance, use and security of the assets. Ownership can be allocated to a person, business process or defined set of data.
The importance of an asset can be measured by its business value and sensitivity classification. The inventory should include all the information an organization needs to recover from a disaster. Inventories allow for effective protection of assets, and they may also be required for other business reasons, such as accounting, insurance or finance.
An IT inventory system should include:
• Type of asset, including specification of make/model/format, creation/manufacture date and any other information necessary to specify type
• Assigned owner
• Location (logical or physical, range of physical locations if portable)
• Backup information (if appropriate)
• License information (if appropriate)
• Data necessary to allow recovery from a disaster or assure continuity of operations.
IT assets are attractive targets for thieves. In addition to the loss of the resources, colleges and universities must deal with the loss and possible misuse of confidential student and staff information – a far more devastating consequence.
Keeping close tabs on hardware and information assets can help institutions reduce the incidence of lost or stolen computers. In addition, to counter the rising theft of IT assets, a number of vendors now sell software that silently “phones home” when a computer is eventually reconnected to a network.
Dispose of Assets
At the end of an IT asset's life or lease, an institution may want to:
• Surplus the equipment
• Trade or upgrade the equipment
• Dispose of the equipment
• Transfer the equipment to another department within the institution.
In any of the above scenarios, extra measures must be taken to sanitize the hard drive. After all, the information residing on the equipment may or may not be sensitive, but it is certainly not intended to be in the hands of anyone outside of the college or university.
Sanitizing storage media can be accomplished by:
• Degaussing, which subjects storage media to a powerful magnetic field to alter the magnetic signatures
• Destroying media by physical means, such as drilling, crushing, shredding or burning
• Wiping or overwriting the data.
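The inventory fields and the sanitize-before-release rule described above can be checked mechanically. The following Python sketch is an added example, not part of the original article: the CSV column names, status labels and sample records are constructed for illustration, and the check that degaussing is only recorded against magnetic media is an added assumption based on how degaussing works.

```python
import csv
import io

# Fields the article says every inventory entry should carry.
REQUIRED = ("asset_type", "owner", "location", "recovery_data")
# End-of-life paths named in the article; each one requires sanitization first.
LEAVING = {"surplus", "trade", "dispose", "transfer"}
# Sanitization methods named in the article (column values are assumed labels).
METHODS = {"degauss", "destroy", "overwrite"}
# Degaussing alters magnetic signatures, so it only applies to magnetic media.
MAGNETIC = {"hdd", "tape"}

# Constructed sample inventory; column names and values are hypothetical.
SAMPLE = """asset_id,asset_type,media,owner,location,recovery_data,status,sanitization
A-001,Laptop 14in 2006,hdd,Registrar,Bldg 2 / portable,backup set 14,in_use,
A-002,File server,hdd,,Data center rack 7,backup set 3,in_use,
A-003,Desktop,hdd,Admissions,Room 110,backup set 9,surplus,
A-004,Laptop,ssd,Bursar,Room 204 / portable,backup set 2,transfer,degauss
A-005,Backup tape,tape,IT Ops,Vault,n/a,dispose,destroy
"""

def audit(rows):
    """Return {asset_id: [findings]} for records that fail the checks."""
    findings = {}
    for row in rows:
        issues = [f"missing {f}" for f in REQUIRED if not (row.get(f) or "").strip()]
        status = (row.get("status") or "").strip().lower()
        method = (row.get("sanitization") or "").strip().lower()
        media = (row.get("media") or "").strip().lower()
        if status in LEAVING:
            if method not in METHODS:
                issues.append(f"status '{status}' without recorded sanitization")
            elif method == "degauss" and media not in MAGNETIC:
                issues.append(f"degauss recorded for non-magnetic media '{media}'")
        if issues:
            findings[row["asset_id"]] = issues
    return findings

def audit_csv(text):
    """Parse inventory CSV text and audit every record."""
    return audit(csv.DictReader(io.StringIO(text)))

if __name__ == "__main__":
    for asset_id, issues in audit_csv(SAMPLE).items():
        print(asset_id, "; ".join(issues))
```

Run against a real export, the same checks show which assets have no accountable owner and which are about to leave a department without a recorded sanitization step.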
Managing and securing an institution's assets can be a daunting task. Developing an inventory of assets, defining owners of assets, establishing acceptable use policies, and classifying and labeling information are controls that can be implemented to ensure that information and assets receive appropriate protection and accounting.
Stanton Gatewood is chief information security officer at the University of Georgia in Athens and a previous contributor to Ed Tech: Focus on Higher Education. (See “Strategy Setting” in the August/September 2006 issue.)
Best Practices: Best-in-class IT asset management programs include:
1. A central protected repository that contains detailed financial, contractual and physical information on assets, coupled with discovery/inventory tools that cover all the disparate platforms within the environment (hardware, network, software).
2. Processes, procedures and policies around this information to keep it current, with people assigned responsibility/accountability for this task.
3. A well-structured and measured organization that's enabled to support the ongoing operational management processes and activities of the organization.
4. A software or hardware asset-tracking capability.
5. Buy-in and support of upper management.