201.1 Technology Hardware Acquisition and Documentation Guidelines

In support of UIS.201 IT Hardware Assets Management Policy

Georgetown University has adopted the security audit and accountability principles established in NIST SP 1800-5 “IT Asset Management” control guidelines as the official policy for this security domain. Each system administrator and system owner must adhere to the guidelines and procedures associated with this policy in order to support and be compliant with the University information security framework. 

Hardware assets purchased, granted, gifted or otherwise acquired for use in University academic, research, operations, or other business must be authorized and approved for implementation through the designated procurement and technical review process. 

Hardware Acquisition Requirements 

  1. Information systems hardware must be approved for purchase through the University procurement process. Technology assets acquired by other means must be authorized through the appropriate University office (i.e., Office of Sponsored Research, Office of Research Integrity, University Information Services) and submitted for UIS technical assessment prior to operational deployment.
     
  2. All information systems hardware must be reviewed and authorized for operation by University Information Services (UIS), vetted for minimum security requirements, fitness for the infrastructure, and compliance with applicable regulations. 
     
  3. The hardware provider (vendor or supplier) must meet University vendor management requirements and be willing to engage with University financial, legal, and/or technical representatives as required.

Hardware Documentation Requirements 

Hardware assets purchased, granted, gifted or otherwise acquired for use in University academic, research, operations, or other business must be accompanied by detailed documentation relevant to their purpose, components and applications/services, integrations and connections, as well as their security and support profile.

Documentation must include, but is not limited to: 

  1. Secure configuration, installation, and operation of the system, component, or service in accordance with UIS Information Systems Security policies and guidelines 
     
  2. Effective deployment and maintenance of authorized security functions/mechanisms  
     
  3. Vulnerability remediation schedule 
     
  4. Data flow and/or network diagram depicting the system’s connectivity, integrations, and dependencies 

Hardware introduced into the University infrastructure or environment without adherence to this process, along with any of its related systems or applications and services, may be blocked from accessing the University network and its resources.


Supporting Documents

Technology Hardware Assets Management Policy 

Third-party Supplier Security Policy