Asset Management policy template - IT Security Office

Duke University departmental policy template: Asset Management
Version 1.0
Authority:
Duke University Chief Information Officer
Duke University Chief Information Security Officer
1. Definitions
Term: Definition
Application: Any software that runs on a computer or other networked device and is used by end
users or other applications or devices, including but not limited to databases, web
applications, and client/server applications.
Operating System: A program that manages a networked device's hardware resources.
Protected Data: Any information classified as either Sensitive or Restricted by the Duke standard.
Sensitive and Restricted Data: As defined in the Duke University Data Classification Standard.
2. Purpose
The purpose of this policy template is to assist Duke University organizations (departments, schools,
institutes, etc.) in creating an internal policy regarding the management of university-owned IT systems.
Filling in this template will enable departmental staff to accurately document their policy and procedures.
Once completed, departments will have a written policy and a document to record the location of their
written procedures. Compliance with this policy does not exempt a department from meeting
University, federal, or state regulations or other required standards.
IT asset management includes activities and business practices relating to the management of software,
hardware, and workstation warranty maintenance for the university. This includes the following:
- Management of physical components from acquisition through disposal (including desktops,
  laptops, servers, LAN and WLAN electronics, wireless, voice, and communications equipment)
- Configuration and change management, including patching and maintenance
- Software license management
- Standardization of images and contractual compliance
3. Scope
This policy applies to all systems (as defined above) administered or serviced by university staff or by
third parties via contractual agreements with university departments or other organizational groups.
4. Departmental Policy
Acquisition
4.1 List of approved hardware vendors:
4.2 List of approved software vendors:
4.3 Purchase approval process:
4.4 Receiving, configuration, standard image installation process:
4.5 Asset identification process (tagging, database entry):
Disposal
All campus machines with hard drives are required to go through Duke Surplus whose policy is to clean
or destroy hard drives. More information regarding disk wiping can be found at:
http://www.security.duke.edu/media-control-and-disposal.
4.6 Document the tools and processes used to overwrite all data from all hard drives before the disposal
of old equipment:
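One way to document and exercise the "overwrite, then verify" part of 4.6 is a script that writes zeros over the whole target, forces the data out of the page cache, reads the target back and records the result for the disposal log. The block below is an added illustration, not tooling from the Duke template or the IT Security Office; the asset tag, the temporary image file and its contents are constructed stand-ins for a retired drive (on real hardware the target would be the whole device path and the script would run as root). Note the caveat that applies to any host-side overwrite: flash media (SSDs, USB sticks) remap and over-provision blocks, so zeros written through the filesystem or block layer may never reach every cell; for those, use the drive's own sanitize command or physical destruction, which is consistent with Duke Surplus's "clean or destroy" rule.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB I/O unit for both writing and read-back


def target_size(path):
    """Size in bytes of a regular file or a block device (seek-to-end works for both)."""
    with open(path, "rb") as f:
        return f.seek(0, os.SEEK_END)


def first_nonzero(path):
    """Offset of the first byte that does not read back as zero, or None when the whole
    target is zero. On Linux the page cache for the file is dropped first so the read
    reaches the medium rather than cached writes."""
    with open(path, "rb") as f:
        if hasattr(os, "posix_fadvise"):
            os.posix_fadvise(f.fileno(), 0, 0, os.POSIX_FADV_DONTNEED)
        offset = 0
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return None
            rest = chunk.lstrip(b"\0")
            if rest:
                return offset + len(chunk) - len(rest)
            offset += len(chunk)


def overwrite_zero(path, passes=1):
    """Overwrite every byte of `path` with zeros `passes` times, fsyncing after each pass so
    the data is handed to the device instead of sitting in the page cache.
    Returns the number of bytes written per pass."""
    size = target_size(path)
    zeros = bytes(CHUNK)
    for _ in range(passes):
        with open(path, "r+b") as f:          # r+b: never truncate a block device
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(zeros[:n])
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def wipe_for_disposal(path, asset_tag, passes=1):
    """Wipe, then independently verify, and return one record for the disposal log."""
    size = overwrite_zero(path, passes)
    bad = first_nonzero(path)
    return {
        "asset_tag": asset_tag,
        "target": path,
        "bytes": size,
        "passes": passes,
        "verified": bad is None,
        "first_nonzero_offset": bad,   # where verification failed, if it did
    }


def make_sample_image(path, size=3 * CHUNK):
    """Constructed stand-in for a retired drive: 4 KiB of zeros followed by repeated
    departmental-looking text. Not real data."""
    with open(path, "wb") as f:
        f.write(bytes(4096))
        line = b"departmental record - do not disclose\n"
        f.write((line * (size // len(line) + 1))[: size - 4096])


def demo():
    """Run the whole procedure on a temporary image; returns (offset of the first
    non-zero byte before the wipe, disposal record after it)."""
    fd, img = tempfile.mkstemp(prefix="retired-drive-")
    os.close(fd)
    try:
        make_sample_image(img)
        before = first_nonzero(img)      # 4096: content starts after the zero header
        record = wipe_for_disposal(img, asset_tag="DU-000000")  # constructed tag
        return before, record
    finally:
        os.unlink(img)


if __name__ == "__main__":
    before, record = demo()
    print("first non-zero byte before wipe:", before)
    print("disposal record:", record)
```

The verification deliberately reads the entire target rather than sampling it: a partial read cannot distinguish a completed wipe from one that aborted halfway, and the returned offset tells the technician where to look when a drive fails and must be sent for destruction instead.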
Configuration and Change Management
4.7 The departmental change request process is (describe below):
4.8 Departmental maintenance windows are:
Scheduled daily
Scheduled monthly
Scheduled as needed
Other (describe below):
4.9 The departmental change management communication process is (describe below):
4.10 The process for making emergency changes is (describe below):
4.11 The process for planning and testing potential changes is (describe below):
4.12 The departmental change committee members are:
4.13 The change approval process is (describe below):
4.14 The documentation process for change management is (describe below):
4.15 Change management documentation is located here:
Patching and Maintenance
4.16 The operating systems of all departmental systems are patched:
Within 2 weeks on systems with Sensitive data, and within 4 weeks on systems with Restricted or
Public data.
Alternative schedule (describe below):
4.17 When it is not possible to install operating system patches, our departmental procedure for
mitigation is:
4.18 By policy, departmental workstations and laptops only use operating systems that are currently
supported by the vendor.
Yes
No
4.19 The departmental process for exempting machines from the requirement to run current operating
systems, and for mitigating the risk of each exemption, is (describe below):
4.20 All departmental applications are patched:
Within 2 weeks on systems with Sensitive data, and within 4 weeks on systems with Restricted or
Public data.
Alternative schedule (describe below):
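Both 4.16 and 4.20 define the same window, 2 weeks for systems holding Sensitive data and 4 weeks for Restricted or Public, and a department that has an asset database can check it mechanically. The block below is an added example, not part of the Duke template; the inventory, hostnames, patch identifiers and dates are constructed, and a department with an "alternative schedule" would change only the window table. The check fails closed: a system whose classification is missing or unrecognised is measured against the strictest window.

```python
from datetime import date

# Windows from 4.16 / 4.20, in days from vendor release to installation.
PATCH_WINDOW_DAYS = {"Sensitive": 14, "Restricted": 28, "Public": 28}

# Constructed sample inventory (not real Duke hosts). Each entry lists the patches
# that are still pending, i.e. released by the vendor but not yet installed.
SAMPLE_INVENTORY = [
    {"host": "lab-db01", "classification": "Sensitive",
     "pending": [{"patch": "OS-2013-01a", "released": date(2013, 1, 20)},
                 {"patch": "OS-2013-02a", "released": date(2013, 2, 5)}]},
    {"host": "web02", "classification": "Restricted",
     "pending": [{"patch": "APP-2013-01", "released": date(2013, 1, 10)}]},
    {"host": "kiosk03", "classification": "Public",
     "pending": [{"patch": "OS-2013-02a", "released": date(2013, 2, 5)}]},
    {"host": "fs04", "classification": "Sensitive", "pending": []},
]
SAMPLE_AS_OF = date(2013, 2, 13)   # constructed review date


def patch_window(classification):
    """Days allowed for this classification; unknown values get the strictest window."""
    return PATCH_WINDOW_DAYS.get(classification, min(PATCH_WINDOW_DAYS.values()))


def overdue_patches(inventory, as_of):
    """One record per pending patch that has exceeded its window as of `as_of`,
    Sensitive systems first, then by how far over the window each patch is."""
    findings = []
    for system in inventory:
        window = patch_window(system.get("classification"))
        for p in system["pending"]:
            outstanding = (as_of - p["released"]).days
            if outstanding > window:
                findings.append({
                    "host": system["host"],
                    "classification": system.get("classification", "UNCLASSIFIED"),
                    "patch": p["patch"],
                    "days_outstanding": outstanding,
                    "days_over": outstanding - window,
                })
    findings.sort(key=lambda f: (f["classification"] != "Sensitive", -f["days_over"]))
    return findings


def compliance_report(inventory, as_of):
    """Per-host result: True when every pending patch is still inside its window."""
    overdue_hosts = {f["host"] for f in overdue_patches(inventory, as_of)}
    return {s["host"]: s["host"] not in overdue_hosts for s in inventory}


if __name__ == "__main__":
    for f in overdue_patches(SAMPLE_INVENTORY, SAMPLE_AS_OF):
        print(f"{f['host']:<10} {f['classification']:<10} {f['patch']:<12} "
              f"{f['days_outstanding']:>3}d outstanding, {f['days_over']:>2}d over window")
    print(compliance_report(SAMPLE_INVENTORY, SAMPLE_AS_OF))
```

The same report, run on the day a patch becomes overdue rather than at audit time, is the input for the exception and mitigation records that 4.17 and 4.21 ask the department to keep.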
4.21 The departmental process for exempting devices from the requirement to run current patch
levels on all applications, and for mitigating the risk of each exemption, is (describe below):
4.22 The departmental process for testing patches is (describe below):
4.23 New devices must be patched to current patch level (operating system and applications) PRIOR to
the device being connected to the production network.
Yes
No
4.24 The departmental process for mandatory or emergency patches is (describe below):
4.25 By policy, all personal machines used to access Duke resources are required to be at current patch
level.
Yes
No
4.26 The centralized patch management process for our department is (describe below):
4.27 The communications plan for the patching process is (describe below):
4.28 Documentation for any other maintenance or patching processes not included above is located here:
Software License Management
4.29 Software license inventory is located here:
4.30 Software license usage is reviewed every ___ days by ___________________________________
Standardization of Images and Contractual Compliance
4.31 Which systems receive standard images?
Servers
Workstations
Other (describe):
4.32 Who creates and tests standard images?
4.33 What benchmarks are used to test standard images?
Physical Security
Requirements
- Systems should be located in physically secure locations, whenever possible. A secure location
  would minimally be defined as one that is not routinely accessible to the public, particularly if
  authorized personnel are not always available to monitor security.
- Secure locations must have physical access controls (card key, door locks, video camera, etc.)
  that track and prevent unauthorized entry, particularly during periods outside of normal work
  hours, or when authorized personnel are not present to monitor security.
- Access control systems must be maintained in good working order, and records of maintenance,
  modification and repair activities should be available.
- Wherever technically feasible, access logs that track incoming and outgoing activities should be
  reviewed on a periodic basis.
- Systems located in public areas require special consideration. Every effort should be made to
  limit the amount of Sensitive data that is stored on such systems. Auto logoff, screen savers,
  proximity badges, and other device-specific hardware/software measures should be employed to
  enhance security.
- Maintenance records for physical security devices in OIT and DHTS-managed data centers are
  maintained and available from OIT and DHTS.
Physical access control measures
4.34 Building level (door locks, card key, controlled elevator access, etc.):
4.35 Room level (door locks, card key, etc.):
4.36 Device level (if any additional):
4.37 Physical security device maintenance records that are available in addition to OIT or DHTS data
center records:
4.38 Procedures for emergency facility access to support restoration of lost data in a disaster recovery
exercise:
5. Enforcement
It is the responsibility of departmental IT staff to ensure that the controls described in this document are
implemented. IT administrators understand that appropriate asset management procedures are a critical
part of Duke’s overall information security strategy.
Campus departments undergo periodic internal and external audits. These audits typically include an
analysis of the processes and controls used by departments to secure and manage servers. The Office of
Internal Audits carries out internal audits. The initiation of an internal audit is based on a risk analysis,
also performed by the Office of Internal Audits. A requirement for an external audit may be
recommended as a result of the internal audit, or be requested independently by a department's
management. The department is responsible for remediation of any findings of non-compliance with this
standard within the time frame agreed to with the auditors.
Review Frequency: Annually
Updated: 2/13
In Compliance with:
Duke University Data Classification Standard
Duke University Acceptable Use Policy
Duke University Log Standard
References:
University IT Security Office website: http://www.security.duke.edu