General Description
Policy Summary:
This policy provides a framework for managing the receiving, intake, distribution, and recovery of technology goods and encompasses the processing requirements.
The Asset Management Policy is aligned and complements the University BUSO-0031 Purchasing Policy and Procedures, the ITS-0044 Technology Acquisition Procedure, the FACS-0002 Central Receiving Policy and other related procedures.
Purpose:
Additionally, compliance with the stated policy and supporting procedures helps ensure the confidentiality, integrity, and availability (CIA) of the University system components.
Scope:
- Desktops, laptops, tablets, and servers
- Software running on the devices mentioned above
- Peripheral equipment, such as printers and scanners
- Cables or connectivity-related devices
- Audio-visual equipment, such as projectors and cameras
Exceptions:
Policy Content
ROLES | RESPONSIBILITIES |
Management Commitment | Responsibilities include providing overall direction, guidance, leadership, and support for the entire information systems environment, while also assisting other applicable personnel in their day-to-day operations. The Chief Information Officer CIO is to report to other members of senior management on a regular basis regarding all aspects of the organization’s information systems posture. |
Internal Employees, Academic Community and Users | Responsibilities include adhering to the University’s information security policies, procedures, practices, and not undertaking any measure to alter such standards on any University system components. Additionally, end users are to report instances of non-compliance to senior authorities, specifically those by other users. End users – while undertaking day-to-day operations – may also notice issues that could impede the safety and security of the University system components and are to also report such instance immediately to senior authorities. |
Vendors, Contractors, Workforce | Responsibilities for such individuals and organizations are much like those stated for end users: adhering to the organization’s information security policies, procedures, practices, and not undertaking any measure to alter such standards on any such system components. |
ITS Business Affairs Unit | Responsible for the Software Acquisition / Procurement process. They keep the Software License Inventory Log. |
ITS CORE Infrastructure Team | Support the product vetting as well as the network & security software provisioning process. Owns the implementation of networking and security software. |
ITS Enterprise Applications Team | Support the new applications vetting as well as the major applications provisioning process. Owns the support of business-related applications and the implementation of CORE systems. |
ITS Technical Support Services | TSS supports the users with the installation of software for the workstations, mobile devices, audio visual equipment and other equipment |
All hardware, software, or components purchased with University funds are the property of Trinity University. This also includes all items purchased using any requestor’s Department P-Card and any other Department P-Card, including ITS.
A personal computer may contain a data storage device on which personal, confidential, and legally protected information is stored. To prevent unauthorized access to sensitive data, identity theft, and liability, the University is committed to ensuring that devices on personal computers are properly recycled and stored data is unrecoverable.
All requests should go through the ITSupport@trinity.edu email if asking for the purchase of new equipment.
- Warehouse receiving is not simply a matter of purchasing inventory and having it delivered to the ITS Stockroom or TU Central Receiving Warehouse; rather, it involves several key steps that must be done right to ensure the right items and correct quantity are being delivered and stored correctly. There are 4 major steps that had to be followed to ensure appropriate receiving of technology goods:
-
- Ensure proper documentation and approvals are complete and in order:
- Before inventory is delivered, the ITS Business Affairs organization have gathered the complete documentation, approved by all parties, and have sent all the documentation electronically to the Procurement Office.
- Full technology acquisition / purchasing process is described in the ITS-0044 Technology Acquisition procedure.
- Before inventory is delivered, the ITS Business Affairs organization have gathered the complete documentation, approved by all parties, and have sent all the documentation electronically to the Procurement Office.
- Receive and unload stock:
- TU Central Receiving Warehouse staff meets the shipper at a loading dock and unload the necessary cargo. The ITS Receiving staff should also be standing by to bring their questions or concerns regarding the shipment with the delivery driver and TU Central Receiving personnel.
- Count and Confirm inventory:
- As the cargo is being unloaded, the TU Central Receiving Warehouse staff checks the contents of each delivery, including the quantity, the integrity of seals, the product codes / SKUs, and the overall condition of the cargo to ensure that what’s in the boxes matches what is listed on the receiving sheet and is expected to arrive.
- TU Central Receiving Warehouse staff counts boxes or pallets, rather than individual items.
- It is the responsibility of the ITS receiving personnel to ensure that what is being received is what was ordered.
- Organizing and Storing products:
- Once all inventory is unloaded and inspected, the final step in the warehouse receiving process is organizing and storing new inventory in the warehouse.
- Ensure proper documentation and approvals are complete and in order:
Trinity is to ensure that all applicable users adhere to the following policies for purposes of complying with the mandated organizational security requirements set forth and approved by management:
- Controls for physically securing all media (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes) are to be in place for protecting University data.
- Media backups are to be stored in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location’s security at least annually.
- All media is to be appropriately classified so the sensitivity of the data can be.
- All media is to be sent by secured courier or other delivery method, so that it can be accurately tracked.
- Management is to approve any and all media that is moved from a secured area (including when media is distributed to individuals).
- Strict control is to be maintained over the storage and accessibility of media.
- Inventory logs of all media are to be maintained, with media inventory procedures undertaken at least annually.
- A facility with a valid Certificate of Occupancy (CO) issued.
- Stored in an isolated room or area that is not shared with another client of the offsite location facility.
- Access granted by traditional lock and key and/or electronic access control systems (ACS).
- 24x7 security monitoring, either by an alarm system or security guard.
- Handicap-accessible.
- Adequate lighting at night.
- Appropriate maintenance of grounds and landscaping so as to prevent intruders from concealing themselves.
- Appropriate fire monitoring, detection, and suppression controls.
- Appropriate water monitoring and detection controls.
Additionally, any hardcopy and electronic media kept in a storage repository will be protected by encryption for media containing data information, thus allowing only authorized personnel to decrypt media as needed.
Data backup process is described in the ITS-0038 Backup Strategy Procedure.
- Public Information
- Protected Information
- Restricted Information
Important to understand that for documents or data types that are not explicitly addressed within the ITS-0013 Information Security Policy, each Trinity University department should classify by considering the potential for harm to individuals or the University in the event of unintended disclosure, modification, or loss.
Specifically, only the authorized personnel may send, retrieve, and receive media from the offsite location and from other entities such as third-party vendors, clients, or governmental bodies (local, federal, and state). The procedure for gaining permission to send, retrieve and receive media calls for one to submit a request to be added to the media distribution list, which will be reviewed by management or personnel authorized to grant this approval.
The software license management process doesn't work in a vacuum. It mainly interfaces with the asset management process. Under asset management, the University knows who is using what machine, whether the machine is under warranty or not and other necessary details like the software licensees installed on the machine.
- The ITS Business Affairs Unit owns the Software Acquisition / Procurement process, and the ITS technical groups support the product vetting as well as the software provisioning process.
- The ITS Business Affairs Unit also keeps the Software License Inventory Log updated.
- Get up today KACE System report of Software license inventory (available or installed).
- Validate that the number of application installations, with either named or limited licensees, do not exceed the number of purchased / owned licensees.
- Check the usage status of the software licenses to make sure that the number of software licenses is optimal and there is no violation or surplus.
- Validate the total number of existing licenses and remaining licenses for each managed software
- Ensure that the application owner resolves any Software License violation by taking an appropriate action, such as requiring the application owner to purchase additional software licenses or asking them to remove unused licensees from users.
The ITS Manager of Technical Support & Client Services is responsible to register the software license and managed-software information into the KACE Asset Management Module, as described in the ITS-0037 Asset Receiving Procedure – Receiving new Software License into KACE system.
The ITS Manager of Technical Support & Client Services will also:
- Assign the software installation ticket to the technicians after validating license availability.
- Make purchase request for additional licensees.
- Check whether Trinity has any surplus licenses. If it does, will assign the surplus licenses to the appropriate computers to maximize the license usage.
- Take inventory of software licenses.
- Discard software licenses. Will collect the software that is no longer in use from workplaces, to discard it following the appropriate / approved Asset Disposition process.
- ITS TSS will export a list of software license information from KACE / K1000.
- Create a list of software license information for physical inventory count.
- Export the software license information including the License number, Last Tracked Date, License Name, Total Licenses, and License Type.
- Perform a physical inventory count based on the list of software license information.
- ITS TSS, with support from the ITS Business Affairs Unit, will check the Media and software license certificate (Purchase and sale contract)
- ITS TSS, with support from the ITS Business Affairs Unit, will check the software license certificates and the software media against the list of software license information to make sure that the software licenses exist.
- University ITS users will not have admin or super user privileges. Exceptions will be approved in advanced by the University CIO after justified by the user’s organization.
- ITS will provide an alternate plan in mind for maintaining stakeholders’ productivity, where the Stakeholder will contact the ITS Technical Support Services team – Client Experience. All requests should go through the ITSupport@trinity.edu email.
Asset Rationalization involves:
- Retiring unused assets
- Eliminating assets with redundant functionality
- Validating the value of assets’ investment
- Standardizing on common asset vendors
- Creating synergy within the asset’s ecosystem
- Targeting university goals with the asset’s portfolio
- Reduced ITS costs:
- licenses, maintenance, integration, training, vendor management.
- Reduced ITS complexity:
- less integrations, less dependencies, less change impact, less things to worry about when you need to decide on an application fast.
- Reduce ITS risks:
- fewer vulnerable elements.
Assets are categorized and the fields for each type are build out in KACE to follow the format as described on the ITS-0037 Asset Receiving Procedure. The following categories were defined in KACE including the models approved by ITS or in use (when applies) and the asset field description;
- Audio Visual Equipment
- Computers
- Docking Station
- Monitors
- Network Equipment
- Peripherals
- UPS
- Tablet models
Performance Evaluation
Consequences of Policy Violation:
- Loss of university computing, email and/or voice mail privileges.
- Disconnection from the residential hall internet network.
- University judicial sanctions as prescribed by the student code of conduct.
- Reassignment or removal from university housing and/or suspension or expulsion from the university.
- Prosecution under applicable civil or criminal laws.
Terms & Definitions
Terms and Definitions:
Term: |
Definition: |
---|---|
Commodities | Supplies, materials, equipment, furniture, contractual services, and any other goods required by the University. |
Contract | Legal agreement between Trinity University and a vendor or supplier |
Emergency | An unexpected situation or sudden occurrence of a serious and urgent nature that demands immediate action, otherwise, it would endanger life, property or adversely affect essential University operations. |
Invoice | An itemized bill for goods purchased or services contracted, containing individual prices, the total charge and payment terms. |
Media in Electronic Format | Electronic media are the bits and bytes contained in hard drives, Random Access Memory (RAM), Read-Only Memory (ROM), disks, memory devices, phones, mobile computing devices, networking equipment and various others |
Media in Hardcopy Format | Hardcopy media are physical representations of information. Paper printouts, printer and facsimile ribbons, drums and platens are all examples of hardcopy media |
Non-Public Information | Non-Public Information includes both Protected and Restricted Information. |
OPEX | Operating Expenditure |
Packing or Delivery Slip | Proof of delivery from vendor |
Performance Specification | Based upon the specific needs. Total ownership cost for operating and maintaining the product should be included as an element of the specification. |
Protected Information |
Protected information includes all private data, records, documents, or files that contain information that is not to be shared publicly but also not restricted legally and might be provided upon reasonable request as long as the Data Owner is consulted about its responsible use and approves its release. Trinity employees must protect Trinity business-related data, whether on a Trinity-issued device or on a personal device used for business purposes and delete or preserve Trinity data as required. Employees must wipe Trinity data from their phones (personal or Trinity-issued) when they are no longer actively using that data for their current Trinity role, e.g., when they leave the University, switch devices, give their phones away, turn in phones to Verizon/AT&T, etc. If a phone (personal or Trinity-issued) that contains Trinity data (including email) is lost or stolen, the owner must immediately notify the Helpdesk so that the device can be remotely wiped if university-owned or wiped by an employee if personally owned. Department Chairs or equivalent officers are responsible for ensuring that local units abide by this policy. |
Public Information | Information that the University has made available or published for the explicit use of the general public with no restrictions on access, use, or disclosure under University policy or contract, or local, national, or international statute, regulation, or law. |
Purchase |
Acquiring a commodity in exchange of money or other valuable consideration. The basic types of purchases that can be made may include but are not limited to:
|
Purchase Order | Form, generated by the Procurement unit that documents the purchase agreement or contract. |
Quotation | An official document received from vendors that includes prices, availability of requested goods, payment, and delivery terms. |
Requestor or Requesting Party | Person that is requesting the contracting or purchase of a commodity |
Restricted Information |
Sensitive information that must be safeguarded at the highest priority levels in order to protect the privacy of individuals and the security and integrity of University systems. This information must be limited to authorized University faculty, staff, students, or others with a legitimate need. This information may not be transferred without mandatory security precautions or made vulnerable to unauthorized access, use, or disclosure. Restricted information is categorized as such due to legal protection or privilege, University policy, contract obligation, or important privacy considerations. Restricted Information includes but is not limited to “Sensitive Personal Information” as defined by Texas S.B. 122 § 48.002.2 (Identity Theft Enforcement & Protection Act). |
Specification | A concise statement explaining the type of product or service, the quality level, special requirements in design, performance, delivery, and usage. Specifications must not be restrictive (locking in a specific vendor and limiting competition) or be vague (allowing a vendor to provide a lower than acceptable quality level product or service). |
Vendor | Any supplier who has business with Trinity University. |
Related Documents
Related Content:
Revision Management
Revision History Log:
Revision #: |
Date: |
Recorded By: |
---|---|---|
v2.0 | 4/27/2022 11:29 AM | Ben Lim |
v1.0 | 2/1/2022 1:16 PM | Dan Carson |
Vice President Approval:
Name: |
Title: |
---|---|
Ben Lim | Chief Information Officer |