Purpose

In order for UTHSC leadership to make informed, business-driven decisions regarding computing assets, they must first know what assets exist, and the status of those assets. This information provides UTHSC visibility into license utilization, software support costs, unauthorized devices, vulnerabilities, threats, and compliance posture. This Standard establishes requirements for the management of UTHSC IT Resources.

Scope

This Standard applies to all UTHSC IT Resources, regardless of physical location.

Definitions

Center for Internet Security (CIS) Critical Control #1 – Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.

Center for Internet Security (CIS) Critical Control #2 – Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

Enterprise assets – assets with the potential to store or process data. Enterprise assets include end-user devices, network devices, non-computing/Internet of Things (IoT) devices, and servers, in virtual, cloud-based, and physical environments.

Information Technology (IT) Resources – The collection of data and technology that support the achievement of organizational goals. IT Resources include hardware, software, vendors, users, facilities, data systems, and data.

Software assets – programs and other operating information used within an enterprise asset. Software assets include operating systems and application.

Responsibilities

Chief Information Officer (CIO) or designee is responsible for the development of an asset management program that incorporates the fundamentals of the Center for Internet Security (CIS) Critical Controls 1 and 2.

Chief Information Security Office (CISO) or designee is responsible for consulting with the CIO on security controls required as part of the asset management program.

UTHSC End User is responsible for maintaining the IT Resources assigned to them. This includes keeping devices powered on and available to receive updates in a timely manner and following the University of Tennessee’s Acceptable Use Policy and UTHSC’s GP-004-Acceptable Use of IT Resources.

Standard

UTHSC Inventory and Controls of Enterprise Assets (CIS 1)

Information Technology Services (ITS) will establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets.
At a minimum, the inventory should record:
- network address (if static)
- hardware address
- machine name
- asset owner
- department for each asset
- approval to connect to the network (Y/N)
This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments.
It also includes assets that are regularly connected to UTHSC’s network infrastructure, even if they are vendor or 3^rd party managed.
This inventory is updated whenever an asset is installed, removed or the system is updated.
Unauthorized assets must be detected and evaluated. Network access is disable for these devices.

UTHSC Inventory and Controls of Software Assets (CIS 2)

ITS will establish and maintain a detailed inventory of all licensed software installed on enterprise assets.
At a minimum, the inventory will document the title, publisher, initial install/use date, and business purpose for each entry.
- Where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date.
This inventory is updated whenever an asset is installed, removed or the system is updated.
Unauthorized software and firmware must be detected and evaluated.

As UTHSC IT Resources inclusive of data and information are the property of the University of Tennessee and their use is intended for authorized use for the University of Tennessee only, the UTHSC possesses the exclusive right to manage and direct actions regarding those UTHSC IT Resources in accordance with UTHSC and University of Tennessee policies and procedures so long as asserting and exercising this right does not conflict with federal or state law or regulations.

UTHSC IT Resources are classified in terms of their value, legal requirements, sensitivity, and criticality to the UTHSC. Data and systems are classified in accordance with GP-002 Data & System Classification.