How to Manage IT Assets at the University Level

Inventory Assets

All IT assets should be clearly identified and accounted for in an inventory listing, and should have an assigned owner /custodian responsible for their appropriate protection and usage. The term “owner” identifies an individual or entity that has approved management responsibility for controlling the production, development, maintenance, use and security of the assets. Ownership can be allocated to a person, business process or defined set of data.

The importance of an asset can be measured by its business value and sensitivity classification. The inventory should include all necessary information required for an organization to recover from a disaster. Inventories allow for effective protection of assets, and they also may be required for other business processes, such as accounting, insurance or financial reasons.

An IT inventory system should include:

• Type of asset, including specification of make/model/format, creation/manufacture date and any other information necessary to specify type

• Assigned owner

• Location (logical or physical, range of physical locations if portable)

• Backup information (if appropriate)

• License information (if appropriate)

• Data necessary to allow recovery from a disaster or assure continuity of operations.

Protect Assets

IT assets are attractive targets for thieves. In addition to the loss of the resources, colleges and universities must deal with the loss and possible misuse of confidential student and staff information – a far more devastating consequence.

Keeping close tabs on hardware and information assets can help institutions reduce the incidence of lost or stolen computers. In addition, to counter the rising theft of IT assets, a number of vendors now sell software that silently “phones home” when a computer is eventually reconnected to a network.

Dispose of Assets

At the end of an IT asset's life or lease, an institution may want to:

• Surplus the equipment

• Trade or upgrade the equipment

• Dispose of the equipment

• Transfer the equipment to another department within the institution.

In any of the above scenarios, extra measures must be taken to sanitize the hard drive. After all, the information residing on the equipment may or may not be sensitive, but it is certainly not intended to be in the hands of anyone outside of the college or university.

Sanitizing storage media can be accomplished by:

• Degaussing, which subjects storage media to a powerful magnetic field to alter the magnetic signatures

• Destroying media by physical means, such as drilling, crushing, shredding or burning

• Wiping or overwriting the data.

Managing and securing an institution's assets can be a daunting task. Developing an inventory of assets, defining owners of assets, establishing acceptable use policies, and classifying and labeling information are controls that can be implemented to ensure that information and assets receive appropriate protection and accounting.