UM IT Asset Management Standard

   
Issued Under Authority of: UM Information Security Policy
Responsible Office: UM Information Security Office
Category: Asset and Acquisition Management

IN PLAIN LANGUAGE

The University is responsible for knowing what technology it owns, who is using it, and what happens to it when it's no longer needed — both as a matter of good security practice and as a requirement of State of Montana property rules. This standard requires that all IT assets be inventoried, assigned to a responsible owner, maintained in a supported state, and properly disposed of when retired. Assets that store or process sensitive University data must meet additional security requirements. If an asset isn't in the inventory, it can't be protected, patched, or properly decommissioned.


1. Purpose

The purpose of this Standard is to establish consistent, operational requirements for the identification, inventory, stewardship, and lifecycle management of Information Technology (IT) assets used by the University of Montana. As a public institution, the University is responsible for managing IT assets as State of Montana property, ensuring appropriate accountability, stewardship, and lawful use throughout the asset lifecycle.

This Standard supports effective operations, fiscal accountability, and risk management. It integrates with the University's Information Security Program to ensure that assets supporting University Data and services are known, managed, and retired appropriately.


2. Scope

This Standard applies to:

  • IT assets owned, leased, or otherwise managed by the University of Montana
  • IT assets considered State of Montana property or subject to State asset management requirements
  • IT assets that store, process, or transmit digital University Data
  • IT assets that connect to University networks or integrate with University identity systems
  • Centrally managed and distributed IT environments across all University of Montana System campuses

This Standard applies regardless of funding source or acquisition method. Financial accounting, depreciation, and surplus disposition requirements are governed by applicable State of Montana and University administrative policies.


3. Asset Categories

For purposes of this Standard, IT assets include, but are not limited to:

Endpoint Devices — Desktops, laptops, tablets, and mobile devices.

Servers and Infrastructure — Physical and virtual servers, storage systems, and network equipment.

Software Assets — Operating systems, installed applications, and licensed software.

Cloud and Hosted Services — Approved SaaS, PaaS, and IaaS services used for University operations.

Specialty and IoT Devices — Research equipment, laboratory systems, audiovisual systems, and facilities-connected devices.

Assets are considered in scope when they support University business functions, academic programs, research activities, or administrative operations.


4. Asset Lifecycle Management

IT assets must be managed throughout their operational lifecycle:

  • Acquisition and Onboarding — Assets are approved, acquired, and registered for University use
  • Inventory and Assignment — Assets are recorded and assigned to responsible units and individuals
  • Operation and Maintenance — Assets are maintained in a supported and functional state
  • Change and Reassignment — Changes in ownership, location, or use are documented
  • Retirement and Disposal — Assets are retired, transferred, or disposed of in accordance with University and State requirements

5. Asset Inventory and Records

5.1 Inventory Requirement

  • All in-scope IT assets must be recorded in a University-approved authoritative inventory or asset management system
  • Assets must be recorded prior to or immediately upon being placed into service
  • Asset records must be kept accurate and current throughout the lifecycle

5.2 Required Asset Information

At a minimum, asset records must identify:

  • Asset type and category
  • Assigned owner or responsible unit
  • Physical or logical location
  • Operational purpose
  • Whether the asset handles Restricted or Confidential University Data

Additional information may be required to meet State, University, audit, or operational needs.


6. Ownership and Stewardship

  • Each IT asset must have an identified Asset Owner responsible for its appropriate use and stewardship
  • Each asset must have an identified Technical Custodian responsible for technical operation and maintenance
  • Ownership and stewardship assignments must be reviewed periodically and updated as necessary

7. Integration with Security and Risk Management

While this Standard is operational in nature, asset management directly supports security and risk management activities.

  • Assets handling University Data must comply with applicable Information Security Standards
  • Asset inventory information must be available to support vulnerability management, incident response, and audit activities
  • Assets that are not recorded or maintained may be subject to operational or access restrictions

8. Asset Retirement and Disposal

  • IT assets must not be retired, transferred, or disposed of without appropriate authorization
  • Assets containing digital University Data must be sanitized prior to reuse, transfer, or disposal
  • Disposal activities must comply with the IT Data Disposal & Media Sanitization Standard and applicable State requirements
  • Asset records must be updated to reflect retirement or disposal actions

9. Exceptions

Exceptions to this Standard must:

  • Be documented with justification
  • Identify compensating operational or administrative controls where applicable
  • Be approved by the CISO or designee
  • Be reviewed periodically

10. Enforcement

Failure to comply with this Standard may result in:

  • Required corrective action to bring assets into compliance
  • Restriction of asset connectivity or use
  • Administrative action consistent with University and State policy

11. Review and Maintenance

This Standard must be reviewed at least annually and updated as necessary to reflect changes in State requirements, University operations, technology, or risk posture.


12. References

  • UM Information Security Policy
  • UM IT Data Security Standard
  • UM IT Data Disposal & Media Sanitization Standard
  • UM Endpoint Management & Configuration Standard
  • UM Network Security Standard
  • UM Cloud Computing Security Standard
  • UM Vulnerability Management Standard
  • UM Audit Log Management Standard
  • NIST Cybersecurity Framework (CSF) 2.0