IT Asset Management Policy

Policy Number: CS-1514-2021

Policy Title: Information Technology Asset Management Policy

Policy Owner: Chief Information Officer

Effective Date: May 20, 2021

Last Revised:

 

1. Purpose

2. Application and Scope

3. Definitions

4. Principles

5. Accountability and Compliance

6. Roles and Responsibilities

7. Rules

8. Policy Revision Date

9. Attachments

10. Specific Links

Appendix A - Instructions for Reporting Asset Acquisitions or Relocations

 

1. Purpose

The purpose of this policy is to ensure that technology assets are procured and maintained in a way that optimizes their value to the College and ensures the College can operate in a sustainable and safe environment.

2. Application and Scope

This policy applies to all full time and part time employees, contractors, consultants, and other individuals who may procure any component of Mohawk College’s information technology resources regardless of the physical location or department.

3. Definitions

“Enterprise Applications” are applications that serve centralized business functions to the College and are not installed locally on end user computer devices.

“Technology Assets” are technology assets that are owned, controlled, and managed by the College.

4. Principles

This policy provides the College with a common baseline to protect the confidentiality, integrity, and availability of assets.

5. Accountability and Compliance

5.1 Accountability Framework

This policy has been approved by the Senior Leadership Team.

5.2 Compliance

This policy is aligned to the National Institute of Standards and Technologies Cyber Security Framework with ISO 27001 and is enforced by the Chief Information Officer.

6. Roles and Responsibilities

6.1 Managers

Managers and directors are responsible for appropriate procurement of technology assets in compliance with Mohawk College’s Purchasing Policy and the Information Technology Infrastructure Security Policy. Managers and directors are also responsible for ensuring that all assets are inventoried appropriately with Information Technology and assigned a business owner.

6.2 Information Technology Services Department

The Information Technology Services department are responsible for updating inventories when assets arrive to the College, move locations, have changes to attributes, or are disposed of.

7. Rules

7.1 Due Diligence in Procurement or Acquisition of Technology

All technology must be procured in compliance with Mohawk College’s Purchasing Policy and technologies that store or provide access to sensitive information or provide remote access to systems or infrastructure must be reviewed by Information Technology prior to acquisition or procurement in addition to the below additional rules.

7.1.1 Acquisition of Cloud Technology

Cloud technologies must have formal risk assessments completed by IT Security to determine if the selected technology provides adequate security controls. IT Security may waive the process and approve the acquisition based on data classification and inherent risk to the organization.

7.1.2 Acquisition of IoT and OT Devices

Departments leveraging Internet of Things (IoT) devices or Operational Technology (OT) devices must do so using the IoT and OT Guidelines document available on mohawkcollege.ca\its. IT Security is available for consultation and review of any potential projects or products.

7.1.3 Right to Decline

Where a solution does not meet minimum security requirements and mitigating techniques are not applicable, Information Technology Services has the right to decline the implementation to safeguard the College from unintended consequences.

7.2 Inventory of Technology Assets

Technology assets must be inventoried in Information Technologies Service Management tool and that inventory must be maintained and up to date. The following asset types must be inventoried at the time they arrive to the College by the Asset Owner (by following Appendix A) or Information Technology Services staff:

  • End User Computer Devices
  • Mobile Phones
  • Tablets
  • Displays
  • Printers
  • Physical Servers
  • Virtual Servers
  • Databases
  • Enterprise Applications
  • Network Appliances (Firewalls, Routers, Switches, Access Points, etc)

7.2.1 Inventory Attributes

The following attributes should be tracked for each technology asset:

  • Categorization/device type
  • Vendor
  • Model
  • Serial Number
  • Location
  • Asset Owner or assigned user
  • Purchase Order or relevant acquisition details
  • Warranty dates
  • End of life dates

Enterprise Applications, Servers, and Databases must further track:

  • Information classification

7.2.2 Updating Technology Asset Inventories

Acquired or relocated Mohawk College owned technology assets must be reported to Information Technology for tracking purposes via the IT Self Service Portal (its.mohawkcollege.ca) as per Appendix A.

7.3 Review of Asset Inventories

Asset inventories and inventory processes are to be reviewed on an annual basis by Information Technology Services.

7.4 Asset Stewardship and Maintenance

Technology assets must be maintained throughout their life cycle in compliance with the Information Technology Infrastructure Security Policy.

7.5 Asset Disposal

Technology assets must be disposed of in compliance with the College’s Information Security and Classification Policy and the Financial Reporting and Safekeeping of Capital Assets Policy and all inventories must be updated to reflect that the asset has been disposed of.

7.6 Noncompliance

Noncompliance with this policy may result in any one or combination of the following sanctions:

•    Verbal warnings;

•    Written warnings;

•    Restricted access to, or complete withdrawal of access to IT resources;

•    Suspension from work; and/or

•    Termination.

8. Policy Revision Date

8.1 Revision Date

May 2026

8.2 Responsibility

The Chief Information Officer will review this policy every five years or earlier when required.

9. Attachments

Appendix A - Instructions for Reporting Asset Acquisitions or Relocations

10. Specific Links

  • Purchasing Policy
  • Information Technology Infrastructure Security Policy
  • Information Security and Classification Policy
  • Mohawk College’s Financial Reporting and Safekeeping of Capital Assets Policy

Appendix A - Instructions for Reporting Asset Acquisitions or Relocations

Employees are responsible for notifying Information Technology when technology assets as defined in the Information Technology Asset Management Policy are acquired or relocated for the purpose of centralized tracking.

Instructions for Reporting Asset Acquisitions or Relocations

  1. Navigate to its.mohawkcollege.ca
  2. Select “Submit a Request”
  3. Select Computing and Printing Equipment
  4. Select Workstation Relocation
  5. Enter a detailed description indicating:
    1. The request is to update the asset inventory
    2. Provide the following details:
      1. Device Type
      2. Device Model
      3. Device Serial Number
      4. Location
      5. Asset owner or assigned user