��������

Purpose

The purpose of this policy is to establish information security standards for the IT Asset Management processes relevant to University of Maryland Global Campus ("UMGC" or "University") Information Technology Resources.

Scope and Applicability

This policy applies to all University Information Systems and Information Technology Resources. All Users are responsible for adhering to this policy.

Definitions

Defined terms are capitalized throughout this Policy and can be found in the Information Governance Glossary.

IT Asset Management – Hardware and Software

All Users must adhere to the University's IT Asset Management Policy for all IT hardware and software that is owned by the University to ensure that these IT Assets are properly managed throughout their life cycle.

1. Hardware IT Assets
   1. ��������will employ Asset Management Software to maintain an inventory of hardware assets that:
      1. Accurately reflects the ��������Information System,
      2. Includes all hardware IT Assets within the authorization boundary of the ��������Information System, and
      3. Is at a level of detail necessary for appropriate tracking and status reporting of IT Assets. Includes hardware inventory specifications (e.g., manufacturer, device type, model, serial number, physical location), component owners, machine names, and network addresses.
   2. The following types of hardware IT Assets are included but not limited to:
      1. Desktop Workstations
      2. Laptop Mobile Computers
      3. Tablet Devices
      4. Smartphones
      5. Printers, Copiers, Scanner, Fax Machines, and Other Peripheral Devices
      6. Servers
      7. Network Appliances (e.g., Firewalls, Routers, Switches, Uninterruptible Power Supplies (UPS), Endpoint Network Hardware, and Storage)
      8. Private Branch Exchange (PBX) and Voice over Internet Protocol (VoIP) Telephony
   3. The following types of hardware IT Assets are not included in this policy:
      1. Desktop Monitors
      2. Non-serialized items such as keyboards, mice, external connectors ("dongles") and adapters, USB memory sticks (thumb drives), memory cards, etc.
2. Software IT Assets
   1. ��������will employ an Asset Management Information Software to maintain an inventory of software IT Assets that:
      1. Accurately reflects the ��������IT environment,
      2. Includes all software IT Assets within the authorization boundary of the ��������Information System,
      3. Is at a level of detail necessary for appropriate tracking and status reporting of IT Assets, and
      4. Includes items such as software license number and component owners.
   2. The following types of software IT Assets are included in this policy:
      1. Enterprise-level software
      2. All individually licensed software, both per-seat and concurrent licensing
      3. All software licenses that are acquired when they are bundled with hardware purchases
3. The inventory of IT Assets should be reviewed every 2 years and the Asset Management Software should be updated whenever hardware or software system components are installed, removed, or updated.
4. Notification of Changes
   1. Departments, consultants, and Contractors will be responsible for notifying IT of any changes in the physical location or ownership of IT hardware or software, which includes all IT Asset issuances, moves, and returns of any non-capital IT equipment. ��������will adhere to ��������Policy VIII-1.10 ��������Policy on Capitalization and Inventory Controls for the inventory, tracking, and safeguarding of capital and non-capital IT-related equipment, as defined in that policy.
   2. Departments should not redistribute IT Assets. IT Assets must be returned to IT for proper tracking, assessment, re-issuance, or disposal.
5. Asset Disposal
   1. Replaced or surplus IT Assets must be returned to IT for reallocation or proper disposal.
   2. When reallocating or disposing of any hardware IT Asset, any Confidential Data, including CUI Data, must be removed prior to disposal.

IT Asset Management – Data

All Users should adhere to the ��������Policy X-1.02 Data Classification to ensure that Data, especially those types that are classified as High Risk, are handled properly.

Exceptions

Exceptions to this policy should be submitted to Information Security for review and approval. If an exception is requested a compensating control or safeguard should be documented and approved.

1. Any Employee, Contractor, or third-party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify Information Security as soon as practicable.
2. Any Employee, Contractor, or other third-party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract or pursuit of legal action.

1. USM IT Security Standards, v.5, dated July 2022
2. NIST SP 800-171r2 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” dated February 2020.
3. Cybersecurity Maturity Model Certification (CMMC), v.2.0, December, 2021

1. ��������VIII-1.10 ��������Policy on Capitalization and Inventory Control
2. ��������X-1.02 Data Classification
3. ��������X-1.04 Information Security
4. ��������X-1.07 Information Security Audit and Accountability
5. ��������X-1.08 IT Resources Configuration Management
6. ��������X-1.12 Acceptable Use
7. ��������X-1.14 Media Protection