The objective of this policy is to ensure:
- All IT Assets are documented and identifiable throughout the entire IT Asset lifecycle;
- All IT Assets are maintained and renewed according to the defined asset specifications and expected life;
- IT Asset purchases align with the Flinders Information Technology Standards (FITS) where possible to ensure maximum compatibility with existing systems and the provision of proper support;
- The secure and safe disposal of Information Technology Assets in alignment with other policies defined by the University.
This policy is written to be consistent with Information Security Standards AS/NZS ISO/IEC 27001:2006 and AS/NZS ISO/IEC 27002:2006.
This policy is applicable to all IT Assets purchased with University funds and applies to those involved in management of IT Assets and Asset Users as defined below. IT Assets acquired for private use under the employee benefits program via salary sacrifice are out of the scope of this policy.
- Asset in the context of this policy includes but may not be limited to:
  - Fixed computer equipment, e.g. servers, desktop computers;
  - Portable computer equipment, e.g. laptops, mobile phones, tablets;
  - Processing peripherals, e.g. printers, photocopiers;
  - Storage Media, e.g. hard drives, USB storage devices, network attached storage;
  - Software, e.g. desktop business applications, operating system, administration software;
  - Databases and data stores;
  - Audio Visual equipment, e.g. projectors, smart boards, controls systems;
  - Network infrastructure, e.g. routers, cabling, telecommunications;
  - Data centres, server rooms and supporting infrastructure, e.g. security systems, air conditioners, generators.
- Asset Management is a systematic process to guide the planning, acquisition, operation and maintenance, renewal and disposal of assets;
- Asset Owner is the Faculty, School or Portfolio (or delegated IT function) that purchases IT Assets with University funds and is responsible for ensuring the protection of, and the maintenance of a register of IT assets;
- Asset Custodian is the person responsible for implementing appropriate protection and maintenance of IT Assets. This role is delegated by the Asset Owner to the Asset Custodian;
- Asset User is an individual assigned an IT Asset to perform their assigned job or role (this would exclude users of shared IT Assets such as kiosk and lab computers);
- FITS is the Flinders Information Technology Standards which outlines the ITS supported architecture(s) that must be considered at each stage of the technology life cycle, including system conception, development, implementation, extension, maintenance, replacement or retirement.
4. Asset Acquisition
- Information Technology Services (ITS) is the recommended point of contact for placing orders for IT Assets, such as software and hardware on behalf of the University;
- ITS can leverage existing licensing and purchasing agreements to ensure maximum buying power and value from purchases;
- ITS will maintain a list of standard supported IT Assets which are recommended for use at the University;
- The list of standard supported hardware and software will form the basis of the purchasing contracts managed by ITS;
- Full details of support and maintenance arrangements will be published in the ITS Service Catalogue;
- It is the responsibility of the Asset Owner to ensure assets with an acquisition value of $10,000 or greater are coded against the correct natural account to ensure they are added to the University’s asset register. If unsure, please contact the asset manager in the Financial Services Division (FSD) on the use of designated natural accounts. Please refer to the Property, Plant and Equipment Policy for further details.
5. Asset Identification and Maintenance
Asset Owners are responsible for:
- Managing IT Assets to ensure their effective functioning for their planned lifecycle including planning for the eventual replacement of the asset;
- Effectively accounting for their IT assets by ensuring their identification in accordance with the following procedures:
  - All physical IT Assets should be clearly identified and labelled as property of Flinders University;
  - All IT Assets should have an assigned asset owner, asset custodian and asset user (where applicable);
  - An inventory (or register) should be maintained and include the following details for each asset:
    - Asset identifier, e.g. asset tag, serial number;
    - The owner, custodian and user of the asset;
    - The type of asset;
    - The location of the asset;
    - The value of each asset (if appropriate).
The IT Asset register must be updated when an asset is approved for re-use, disposal or re-sale.
Asset Custodians are responsible for the maintenance of the assets, including any preventive or scheduled regular maintenance and for ensuring that periodic audits are undertaken to ensure the ongoing accuracy of the asset register/inventory.
6. Security of Assets
Asset Users must protect and use the asset with appropriate care and in the event of theft, loss or damage to Flinders University IT Assets, must immediately report the incident to the ITS Service Desk or their supervisor.
Supervisors have a responsibility to ensure that:
- Asset Users are made aware of their responsibilities to protect and use the asset with appropriate care and to immediately report theft, loss or damage to the asset;
- IT Assets are returned to the Asset Owner at the termination of employment, or at the end of a contract or assignment.
Asset Owners must approve the disposal or resale of IT Assets (and define appropriate cost recovery) in accordance with existing University Asset Disposal Procedures and Sections 4 and 7 of the University’s Records Management Policy. Asset Custodians are responsible for ensuring that IT Assets are disposed of in accordance with the following procedures:
7.1 Disposal of Hardware Assets
- Hardware assets must be checked prior to disposal to ensure that any sensitive data classified as Highly Confidential or Restricted (as per the Information Classification Framework) and licensed software has been removed or securely overwritten;
- Hardware assets must be checked prior to disposal to ensure that any University business records have been included in a University recordkeeping system;
- Hardware assets to be disposed of externally must be handled using an approved third party provider. The entity performing the service must certify that each item has been disposed of securely and in compliance with environmental guidelines.
7.2 Disposal of Software Assets
- All software must be removed from hardware prior to disposal in order to avoid being liable for breaches of copyright or software licensing agreements;
- Software assets must be checked prior to disposal to ensure that any University business records, or (meta) data that pertain to University business processes, that are contained and/or managed in the software are checked against the disposal schedules currently in use by the University. In case of records/data that warrant extended retention periods, advice must be sought from Central Records and ITS on how to proceed;
- Where a software license is reassigned for use on another asset, the software must be removed from the original asset.
7.3 Disposal of Media
- Media must be checked prior to disposal to ensure that any University business records have been included in a University recordkeeping system;
- Electronic media must be sanitized before disposal (for example, by overwriting all data). Similar to shredding paper reports, compact discs and other non-rewritable media should either be broken or defaced by scratching before disposal;
- Media that cannot be effectively sanitized before disposal should be destroyed so that data is irrecoverable;
- Where secure destruction of media is undertaken by a third party, the entity performing the service must certify that each item has been disposed of securely and in compliance with environmental guidelines.
7.5 Re-Use of Equipment
- Any re-use of equipment must be authorized by the asset owner and the equipment must be sanitized (for example by overwriting all data) by the asset custodian prior to transfer of custody from its current asset owner, unless specifically approved by the original asset owner;
- Once the asset transfer is completed, the asset register should be updated accordingly.
8. Compliance and Enforcement
- Manager, ITS Security Services is responsible for:
  - Ensuring the implementation of supporting controls to ensure the ongoing adherence to the requirements of this policy; and
  - Monitoring user compliance and investigating and reporting breaches of this policy.
- Associate Director, Client Services is responsible for:
  - Ensuring processes are in place to enable University staff to purchase IT Assets via the Information Technology Services (ITS) Service Desk;
  - Ensuring a list of standard supported IT Assets is maintained.
9. Related Documents
This policy should be read in conjunction with other relevant University policies, including:
Information Security Policy
IT Acceptable Use Policy
Mobile Services Policy
Secure Mobile Computing Policy
Asset Disposal Procedures
Property, Plant and Equipment Policy