Purpose
This policy defines an effective IT Asset Management (ITAM) process and associated responsibilities to ensure that IT assets are well managed throughout the IT asset life cycle. Specifically, IT assets will be:
- Managed according to university policy and regulatory requirements from acquisition to disposal.
- Procured in line with the university and WashU IT’s strategic plans.
- Registered within the ServiceNow Configuration Management Database (CMDB) for tracking and auditing purposes.
- Supported and maintained throughout the asset life cycle so that they deliver best value for the investment.
- Controlled effectively to protect the data and information that they store or transmit.
- Accounted for in risk and business continuity planning.
The principles underpinning this policy are that we 1) align with industry best practices for monitoring and managing the IT assets on which WashU relies, and 2) ensure the ongoing availability and security of IT assets.
This policy is managed by the Service Management Office (SMO) and is aligned with the Office of Information Security (OIS) policies, standards, and guidelines.
Scope
This policy applies to all IT assets purchased by or on behalf of the university. IT assets include the following:
- Hardware: physical devices that connect and interact with the WashU network including computers, servers, network gear, printers, tablets, mobile phones*
- Software: systems, applications, utilities*
- IT Services: any information technology-based services*
*The complete list of covered asset types can be found in the IT Asset Management (ITAM) Standard.
*Guidance related to property accounting and sponsored projects accounting may be viewed on the Financial Services page.
This policy applies to all members of the WashU Community. The WashU Community includes:
- All associates of the university, including faculty, staff, third-party affiliates (e.g., contractors, consultants, advisors, service providers).
- Students who possess or manage assets owned by the organization.
- Temporary employees and guests who may be given access to university IT assets and/or systems.
Policy Roles and Responsibilities
This policy requires the WashU Community to manage IT assets to ensure ongoing and efficient support and development of the information technology environment. Detailed roles and responsibilities are specified in the ITAM Standard.
Additional roles may be reviewed per the OIS Roles and Responsibilities Policy.
Management of IT Asset Life Cycle
Proper management of WashU IT assets is critical to maintaining the integrity of the overall asset life cycle and especially for business decision-making. The following are the stages of the IT asset life cycle.
Planning and Requesting an IT Asset
Before an IT asset is purchased or deployed, asset owners and managers plan for which assets are needed and why. Once planned for, the asset is requested in accordance with standard procurement processes and procedures.
Acquisition
IT asset requests must pass through an approval process and are issued on a fit-for-purpose basis according to predefined user roles. The IT Support Team assesses the request against available assets to fulfill the need.
All IT assets purchased with any type of university funds are the property of WashU unless formally transferred to another person or entity. These assets are deployed and used such that they effectively address the university’s needs. For application-specific purchases, please reference the OIS Policy 111: Information Security – Software Development, Management, and Administration.
This is a university-wide requirement and extends to those organizations which manage their own budgets.
Inventory Management
Asset owners/managers are responsible for ensuring that the CMDB is maintained and routinely verified throughout the year.
IT assets must be securely stored and maintained by the asset owner/managing organization when they are not in use.
Deployment
All IT assets, except consumable hardware, regardless of procurement method, must be recorded by the asset owner/manager in the CMDB before being issued, installed, or used. The ITAM Standard details documentation requirements.
All IT assets are assigned to individual users or to an organizational area to identify the party or parties responsible for maintaining IT asset security during use, in storage, and in transit.
Maintenance
Individual users and/or organizations are responsible for protecting IT assets assigned to them against physical or virtual harm by theft, mishandling, security incident, or accident.
When in use, IT assets must be monitored to ensure optimal performance and to identify risks. They must be administered, updated, and maintained to ensure they remain fit for purpose and compliant with the licensed conditions of use during their entire life cycle and in accordance with ITAM and OIS policies, standards, and guidelines.
To maintain the confidentiality of data, IT assets that are used to process or store any Confidential or Protected information, as classified by the OIS Policy 100: Information Security Program, must have that data permanently rendered unrecoverable before the asset is reissued; reissue requires a reimage and an update to the CMDB (see OIS Standard 200: Information Security Classification, Labeling, and Handling for details). Lost or stolen IT assets are handled per the OIS Policy 109: Information Security Incident Reporting, Response, and Recovery.
Any changes to an IT asset’s state must be recorded in the CMDB.
Retirement
Once an IT asset reaches the end of its intended use, the owner/managing organization must decide how they will retire the asset.
All protected and confidential information must be permanently rendered unrecoverable from all forms of media to prevent recovery of data by unauthorized sources. This includes the removal of all asset tags, labels, logos, markings, university seals, data, software licenses, and activity records. See OIS Standard 200: Information Security Classification, Labeling, and Handling for more information.
Media on an IT asset will be sanitized prior to:
- Release for reuse
- Release out of organizational control
- Return to the vendor
- Disposal
All retiring IT assets must be removed from the inventory list of the owner/managing organization and recorded in the CMDB in alignment with the ITAM Standard. The CMDB shall additionally retain copies of any related documentation supporting the retirement method.
Destruction vendors must have a signed HIPAA (Health Insurance Portability and Accountability Act) Business Associate Agreement (BAA) on file. A BAA establishes a legally binding relationship between HIPAA-covered entities and business associates to ensure complete protection of PHI (Protected Health Information) and overall HIPAA compliance. All destruction certificates are stored within a centralized repository.
Special Cases and Deviations
The WashU Community is expected to comply with WashU’s IT Asset Management Policy per this document. However, WashU recognizes that there may be urgent business needs or academic pursuits that require deviations from these established policies, standards, and guidelines. Exceptions must be approved in advance and require submission of specific information to the supporting IT organization and SMO. Refer to the Exception Policy and the ITAM Standard for details.
Policy Compliance
The IT Asset Management practice owner, as defined in the ITAM Standard, will measure compliance with this policy through reports, internal/external audits, and feedback to the policy owner. Exceptions to the policy must be approved by the OIS in advance. Non-compliance will be addressed with management, the Area Specific Compliance Office, Human Resources, or the Office of Student Conduct according to their individual codes of conduct and/or standards.
Glossary
A change in state reflects any addition, modification, or removal of service that can have an effect on an IT asset. Examples include product installation or change in location.
Confidential information is information that has a designated purpose and is shared per need-to-know terms based on an individual’s role and permissions within an organization. It is restricted from most parties.
Confidentiality refers to protecting information from unauthorized access.
Consumable hardware refers to physical goods which are eventually discarded because their end-of-life is reached after recurring use. Examples include monitors, headsets, keyboards, and mice.
The Health Insurance Portability and Accountability Act (HIPAA) specifies requirements for the privacy and security of all individually identifiable patient health information in any form or media, whether electronic, paper, or oral.
Information security is a combination of practices that protect the availability, confidentiality, and integrity of information resources.
Integrity means data are trustworthy, complete, and have not been accidentally altered or modified by an unauthorized user.
An inventory is the process of accounting for and listing IT assets.
An IT asset is any IT component, including hardware and software, which provides value and contributes to the delivery of an IT product or service. Examples include servers, network switches, point-of-sale devices, software, and certificates.
A life cycle is the sequence of stages an IT asset goes through during its ownership by an organization. Life cycle stages typically begin at acquisition and end at disposal.
Protected data is an umbrella term used to represent sensitive information about a person which can be tied back to that individual. This may include confidential information like Social Security numbers, confidential data like student disciplinary records, or general information like a home address.
Protected health information (PHI) refers to an individual’s health data that is created, kept, or shared by HIPAA-covered entities and their commercial partners in the provision, treatment, or payment of healthcare and healthcare operations.
Useful life is the period over which an IT asset will depreciate or lose value.
Related Policies, Standards, and Guidelines
IT Asset Management Program at WashU
What is IT Asset Management (ITAM)?
OIS Policy 100: Information Security Program
Procurement of Computers, Software and Services
IT Procurement Vendor Intake Form
OIS Policy 111: Information Security Software Development, Management, and Administration
Software Licensing (PDF)
Computer Use Policy (OIS Policy 112: Acceptable Use)
OIS Standard 200: Information Security Classification, Labeling, and Handling
OIS Policy 109: Information Security Incident Reporting, Response, and Recovery
Media Reuse and Disposal Policy
Exception Policy (OIS Policy 114: Information Security Exceptions)
Policy Review
This policy will be reviewed by the SMO every three years.
Policy Number and Title: IT Asset Management Policy
Owner: Service Management Office
Approved By: Chief Information Security Officer
Original Approval Date: June 30, 2024
Current Version Publication Date: September 4, 2024