Policy Number: CS-1514-2021
Policy Title: Information Technology Asset Management Policy
Policy Owner: Chief Information Officer
Effective Date: May 20, 2021
The purpose of this policy is to ensure that technology assets are procured and maintained in a way that optimizes their value to the College and ensures the College can operate in a sustainable and safe environment.
This policy applies to all full time and part time employees, contractors, consultants, and other individuals who may procure any component of Mohawk College’s information technology resources regardless of the physical location or department.
“Enterprise Applications” are applications that serve centralized business functions to the College and are not installed locally on end user computer devices.
“Technology Assets” are technology assets that are owned, controlled, and managed by the College.
This policy provides the College with a common baseline to protect the confidentiality, integrity, and availability of assets.
5.1 Accountability Framework
This policy has been approved by the Senior Leadership Team.
This policy is aligned to the National Institute of Standards and Technologies Cyber Security Framework with ISO 27001 and is enforced by the Chief Information Officer.
Managers and directors are responsible for appropriate procurement of technology assets in compliance with Mohawk College’s Purchasing Policy and the Information Technology Infrastructure Security Policy. Managers and directors are also responsible for ensuring that all assets are inventoried appropriately with Information Technology and assigned a business owner.
6.2 Information Technology Services Department
The Information Technology Services department are responsible for updating inventories when assets arrive to the College, move locations, have changes to attributes, or are disposed of.
7.1 Due Diligence in Procurement or Acquisition of Technology
All technology must be procured in compliance with Mohawk College’s Purchasing Policy and technologies that store or provide access to sensitive information or provide remote access to systems or infrastructure must be reviewed by Information Technology prior to acquisition or procurement in addition to the below additional rules.
7.1.1 Acquisition of Cloud Technology
Cloud technologies must have formal risk assessments completed by IT Security to determine if the selected technology provides adequate security controls. IT Security may waive the process and approve the acquisition based on data classification and inherent risk to the organization.
7.1.2 Acquisition of IoT and OT Devices
Departments leveraging Internet of Things (IoT) devices or Operational Technology (OT) devices must do so using the IoT and OT Guidelines document available on mohawkcollege.ca\its. IT Security is available for consultation and review of any potential projects or products.
7.1.3 Right to Decline
Where a solution does not meet minimum security requirements and mitigating techniques are not applicable, Information Technology Services has the right to decline the implementation to safeguard the College from unintended consequences.
7.2 Inventory of Technology Assets
Technology assets must be inventoried in Information Technologies Service Management tool and that inventory must be maintained and up to date. The following asset types must be inventoried at the time they arrive to the College by the Asset Owner (by following Appendix A) or Information Technology Services staff:
- End User Computer Devices
- Mobile Phones
- Physical Servers
- Virtual Servers
- Enterprise Applications
- Network Appliances (Firewalls, Routers, Switches, Access Points, etc)
7.2.1 Inventory Attributes
The following attributes should be tracked for each technology asset:
- Categorization/device type
- Serial Number
- Asset Owner or assigned user
- Purchase Order or relevant acquisition details
- Warranty dates
- End of life dates
Enterprise Applications, Servers, and Databases must further track:
- Information classification
7.2.2 Updating Technology Asset Inventories
Acquired or relocated Mohawk College owned technology assets must be reported to Information Technology for tracking purposes via the IT Self Service Portal (its.mohawkcollege.ca) as per Appendix A.
7.3 Review of Asset Inventories
Asset inventories and inventory processes are to be reviewed on an annual basis by Information Technology Services.
7.4 Asset Stewardship and Maintenance
Technology assets must be maintained throughout their life cycle in compliance with the Information Technology Infrastructure Security Policy.
7.5 Asset Disposal
Technology assets must be disposed of in compliance with the College’s Information Security and Classification Policy and the Financial Reporting and Safekeeping of Capital Assets Policy and all inventories must be updated to reflect that the asset has been disposed of.
Noncompliance with this policy may result in any one or combination of the following sanctions:
• Verbal warnings;
• Written warnings;
• Restricted access to, or complete withdrawal of access to IT resources;
• Suspension from work; and/or
8.1 Revision Date
The Chief Information Officer will review this policy every five years or earlier when required.
Appendix A - Instructions for Reporting Asset Acquisitions or Relocations
- Purchasing Policy
- Information Technology Infrastructure Security Policy
- Information Security and Classification Policy
- Mohawk College’s Financial Reporting and Safekeeping of Capital Assets Policy
Employees are responsible for notifying Information Technology when technology assets as defined in the Information Technology Asset Management Policy are acquired or relocated for the purpose of centralized tracking.
Instructions for Reporting Asset Acquisitions or Relocations
- Navigate to its.mohawkcollege.ca
- Select “Submit a Request”
- Select Computing and Printing Equipment
- Select Workstation Relocation
- Enter a detailed description indicating:
- The request is to update the asset inventory
- Provide the following details:
- Device Type
- Device Model
- Device Serial Number
- Asset owner or assigned user