UIS.201 IT Hardware Assets Management Policy

200. Information Systems Security

Purpose 

Georgetown University Information Services (UIS) has developed and implemented the Hardware Assets Management policy and procedures to protect critical resources and data from threats, intrusions, and misuse in order to ensure business continuity and to minimize risk to the University’s information systems, data, and its faculty, staff, and students. Directed by the Chief Information Security Officer (CISO), these policies set the information security standards for the management of hardware assets, which include servers, workstations, and network devices.

Scope 

The Hardware Assets Management policy and supporting requirements apply to all information technology assets, systems, networks, and data hosts that are owned by, managed by and/or sponsored by Georgetown. This policy is also applicable to the faculty, staff, researchers, affiliates, suppliers, and students who own, operate, or maintain these systems for University business, academia, and research. 

Policy 

Georgetown University has adopted the security audit and accountability principles established in NIST SP 1800-5 “IT Asset Management” control guidelines as the official policy for this security domain. Each system administrator and system owner must adhere to the guidelines and procedures associated with this policy in order to support and be compliant with the University information security framework. 

Technology asset management spans traditional physical asset tracking, asset information, and physical security, as well as vulnerability and compliance information. The hardware management policy provides requirements for the information systems procurement, inventory, and management processes, which are required to assure that information systems meet the controls sufficient to protect assets critical to University operations.

Any hardware asset that is in operation to collect, transmit, process, store or host University data must be inventoried and managed to ensure that it is not susceptible to unauthorized access, distribution, or misuse. The higher the value of the asset to the University, or the more it is viewed to be susceptible to risk or exploit, the higher the level of protection required for its management. 

Only authorized devices are given access to the University network, its data, and its users. Unauthorized and unmanaged devices are detected and either prevented from gaining access or granted limited access as defined by UIS.