Minor/technical revision ofexisting policy Major revision ofexisting policy Reaffirmation of existing policy

Similar documents
IT Standard Operating Environment Policy

Sensitive Data Retention and Destruction Policy

The purpose of this policy is to define standards for hardware, software, and support at

Washington Headquarters Services ADMINISTRATIVE INSTRUCTION

The University oftoledo Medical Center

Oklahoma State University Policy and Procedures

University Systems Desktop Support Service Level Commitment

DePaul University Records Management Manual October 1, 2016

IT Hardware and Software - Procurement of Hardware and Software Procedure

DISASTER PREPAREDNESS Guide & Template

BOWIE STATE UNIVERSITY ASSET MANAGEMENT POLICY & PROCEDURES MANUAL

CANDIDATE DATA PROTECTION STANDARDS

ITS Desktop Computer Support Policy

Standard Statement and Purpose

Identity and Access Management

UNIVERSITY of HOUSTON MANUAL OF ADMINISTRATIVE POLICIES AND PROCEDURES

DAIMLER GROUP NORTH AMERICAN COMPANIES

The Company seeks to comply with both the letter and spirit of the laws and regulations in all jurisdictions in which it operates.

DESKTOP SUPPORT SERVICE LEVEL AGREEMENT

INVENTORY CONTROL POLICIES AND PROCEDURES. PROPERTY CONTROL SYSTEM Departmental Issue

AP 515 PURCHASING. Administrative Procedures Manual AP Purchasing

Electronics Disposition

Policy Outsourcing and Cloud-Based File Sharing

Supplier Security Directives

Palm Beach County Clerk & Comptroller s Office Customer Survey Kiosk Special Review

PRODUCT DESCRIPTIONS AND METRICS

Intuit Supplier Code of Conduct

Use of own devices and applications

r~l Newpolicy proposal X Reaffirmation of existing policy

Policy 13-1 INVENTORY & CONTROL OF FIXED ASSETS. >DISTRIBUTION: ALL Departments < SPAN> > > >SUBJECT: INVENTORY & CONTROL OF FIXED ASSETS< SPAN>

Audit of Shared Services Canada s Information Technology Asset Management

Legal Aspects of Software Agreements with Large Vendors. Robert Scott Scott & Scott, LLP

2012 VIRGINIA INDUSTRIALIZED BUILDING SAFETY REGULATIONS

UTAH VALLEY UNIVERSITY Policies and Procedures

Title: HP OpenView Configuration Management Overview Session #: 87 Speaker: Loic Avenel Company: HP

EMPLOYEE CRIMINAL BACKGROUND CHECK

These guidelines describe how Hamilton College approaches the development, measurement and management of information security. Version 3.03.

BIM Service & Support Terms and Conditions

Acknowledgement of Aramco Overseas Company BV. Supplier Code of Conduct

University of Central Arkansas Inventory Procedures Manual Revised January 2016

Tough Math for Desktop TCO

Safe Harbour Statement

IBM Tivoli Endpoint Manager for Lifecycle Management

New Technology: Mission Impossible?

Master Services Attachment for ServiceElite

ITS Service Level Agreement

CODE OF BUSINESS CONDUCT PENN NATIONAL GAMING, INC.

Information Security Roles and Responsibilities Procedure Page 1

ICT Officer- Customer Support

Basic IT Bundle Service Level Expectation

Asset/Property Management Manual

CODE OF ETHICS/CONDUCT

OCI Mitigation Plan SAMPLE for IDIQ contract

PURPOSE This policy sets forth guidelines for sick leave for eligible employees of the university.

UNIVERSITY STANDARD. Title UNIVERSITY OF NORTH CAROLINA AT CHAPEL HILL STANDARD ON ENTERPRISE DATA GOVERNANCE. Introduction

EU-GDPR and the cloud. Heike Fiedler-Phelps January 13, 2018

Vol. 2 Management RFP No. QTA0015THA A2-2

Guidelines and supervision on the use of IT tools of the University College

FOUNDATION BUILDING MATERIALS, INC. EMPLOYEE CODE OF CONDUCT

ITSM Process/Change Management

CENTRALIZED PURCHASING

VACANCY POSITION GLOBAL FUND COORDINATING UNIT (GFCU)

IBM Tivoli Endpoint Manager for Software Use Analysis

University Internal Audit

External Supplier Control Obligations. Information Security

Systems Coordinator AD Grid 4(b) # hours/week (non-management) Information Systems Manager Ad Grid Level 7(j) # 394

COLUMBIA UNIVERSITY CREDIT CARD ACCEPTANCE AND PROCESSING POLICY

1. an Employee's private interests interfere, or even appear to interfere, with the interests of the Company;

SHRINERS HOSPITALS FOR CHILDREN CORPORATE COMPLIANCE PLAN

GUIDELINES. Corporate Compliance. Kenneth D. Gibbs President & Chief Executive. Martin A. Cammer Senior Vice President & Corporate Compliance Officer

THE UNIVERSITY OF TEXAS-PAN AMERICAN OFFICE OF AUDITS & CONSULTING SERVICES. Department of Communication Report No

ETHICAL CODE OF CONDUCT

UPMC POLICY AND PROCEDURE MANUAL. Links to policies referenced within this policy can be found in Section V.

KRONOS WORLDWIDE, INC. SAFE HARBOR PRIVACY POLICY Effective December 1, 2009 Amended and Restated as of July 20, 2012

License Definitions and Rules

Information Technology Division Service Level Agreement (SLA) Description and Process

DATA SHARING AGREEMENT

Primavera Analytics and Primavera Data Warehouse Security Overview

The SAM Optimization Model. Control. Optimize. Grow SAM SOFTWARE ASSET MANAGEMENT

Management Excluded Job Description

SERVICE EQUIPMENT DISPOSAL POLICY

Supplier Ethical Expectations

VENDORS GUIDE TO DOING BUSINESS PENN STATE MILTON S. HERSHEY MEDICAL CENTER AND PENN STATE COLLEGE OF MEDICINE

CUSTOMER AND SUPPLIER ROLES AND RESPONSIBILITIES FOR 21 CFR 11 COMPLIANCE ASSESSMENT. 21 CFR Part 11 FAQ. (Frequently Asked Questions)

MODA HEALTH CODE OF CONDUCT

Guide for Recycling Electronics

Tampa Bay Information Network TBIN Audit Plan

STATE OF TEXAS DEPARTMENT OF INFORMATION RESOURCES CONTRACT FOR PRODUCTS AND RELATED SERVICES LEXMARK ENTERPRISE SOFTWARE USA, INC.

GUIDELINES FOR IMPLEMENTING A PRIVACY MANAGEMENT PROGRAM For Privacy Accountability in Manitoba s Public Sector

Internal Control Questionnaire and Assessment

Data Privacy Policy for Employees and Employee Candidates in the European Union

CORPORATE POLICIES AND PROCEDURES. GIFTS NO.: (Formerly ADM X 260)

Louisiana State University System

Guidelines for Using RFID Tags in Ontario Public Libraries

General Policies & Procedures. SV 5.0 Clean Harbors Vendor Code of Business Conduct and Ethics


* SAKURA Rules * (Code of Conduct for the Terumo Group)

SAP EHS Regulatory Documentation OnDemand

Global Supplier Code of Business Conduct & Ethics

Transcription:

Name ofpolicy: Technology Asset Management Policy Policy Number: 3364-65-05 TIIK IINIVKIIM I Y C)V TOLEDO Approving Officer: President Responsible Agent: Vice President, CIO/CTO Effective Date: January 12, 2017 Scope: A1 University organizational units New policy proposal Minor/technical revision ofexisting policy Major revision ofexisting policy Reaffirmation of existing policy (A) Policy statement The procurement, deployment, and disposal oftechnology must be conducted in a manner that serves the university's mission and its requirements for quality, cost reduction, durability, serviceability, safety, environmental protection, and security. Technology assets procured outside university approved channels may not be supported by Information Technology and may not be granted access to university resources. (B) Purpose This policy identifies requirements for the acquisition, handling, and disposal of all technology assets in a manner authorized by the vice president, CIO/CTO or designee. The intendedresult ofthis policy is to maintain consistently high standards ofquality, durability, serviceability, and security oftechnology assets, efficient and effective ofuniversity operations, security and privacy of information, proper licensing and use ofsoftware and intellectual property, efficient and effective use ofconsumables and supplies, and the safe handling of hazardous materials in the acquisition, operation, disposal, servicing or transfer of university technology assets. (C) Scope This policy applies to the procurement and acquisition, operation, disposal, servicing, transfer, and disposal ofall university technology assets by university agents and affiliates, including all university acquired, owned, or issued electronic hardware and software assets, such as desktop, laptop, and tablet computers and

any computingsystems purchasedto be used as a server or network device, whether purchased by the university, procured through a grant, donated to the university. (D) Definitions (1) Technology asset. Technology assets are the hardware and software acquired by, owned by, controlled by, or in the custody of the university. (2) Information technology asset. Information technology assets ("IT assets") are the subset oftechnology assets that consist of computer workstations and other general computing assets and their peripherals. University mobile computing devices, and network and storage infrastructure equipment used to carry out university business or to access, store, or transmit, or receive university data. (3) Device. Device means any electronic computing technology asset with associated equipment, peripherals or storage media, regardless of ownership or control, such as a personal Microsoft Windows or Apple Mac OS-based desktop, laptop, or tablet computer ("PC"), a personal mobile device such as a tablet, e- reader, or smartphone, or any other such equipment used for university business or to access, store, or transmit, or receive university data. Devices may be owned by the university, by an individual, or by a third party (such as home PC's and personally owned tablets or smartphones). In addition to the requirements established by this policy. Devices are technology assets subject to the additional conditions specified in the "Device and Workstation Policy". (4) Sanitization. Sanitization refers to the process by which information is rendered reasonably unrecoverable or removed from a technology asset, such as by overwriting information with meaningless data. (5) Sensitive data. Sensitive data is data for which the university has an obligation to maintain confidentiality, integrity, or availability.

(6) Workstation. Workstations are the subset ofdevices acquired by, owned by, controlled by, or in the custody ofthe university, whether leased or purchased directly by the university, procured or issued through a grant, donated to the university, or provided to the university by private funding. In addition to the requirements established by this policy, Workstations are technology assets subject to the additional conditions specified in the "Device and Workstation Policy". (E) Policy The Information Technology department coordinates the procurement of information technology assets through the university purchasing department. Other university organizations must obtain Information Technology approval for all information technology asset purchases. Purchases may be made from the preapproved sources identified on Information Technology's computer equipment purchase website: http://www.utoledo.edu/it/ns/computer Purchases.html University organizational units must comply with the following general requirements in the acquisition, handling, and disposal of technology assets: (1) Procurement management. The following requirements must be met for all acquisitions oftechnology assets: (a) (b) Information technology assets. Except as otherwise directed by the vice president, CIO/CTO or delegate, the selection, approval, procurement, coordination, and disposal of information technology assets for all university offices, departments, and colleges is the responsibility of university's information technology office. Other technology assets. The procurement of all other technology assets must follow all applicable academic, research, administration, and clinical policies and procedures. (2) Maintenance contracts. All hardware and software purchases will include an appropriate maintenance or warranty agreement to cover the expected useful life of the asset. Additionally, computer

systems may be taken out ofservice or replaced prematurely to prevent the continued maintenance ofequipment that has been determined to be beyond its useful lifespan or unserviceable. (3) Licensing. Where available, accompanying licensing for software, firmware, or other intellectual property components ofa technology asset must be secured for as long as the asset is in use by the university. Except as agreed by the vice president, CIO/CTO and otherwise allowed by law, software licensed to the university may not be transferredto an outside entity. (4) Disposition, custody and control oftechnology assets. (a) The disposition, custody and control ofuniversity technology assets must be reasonably known until disposed ofor permanently transferred outside the university. The university Information Technology department maintains inventory data for information technology assets ensures that each procured asset is assigned to a university organizational unit. The disposition, custody, and control oftechnology assets procured by other university organizational units must be reasonably maintained by the procuring organizational unit. (b) Risk assessment. Prior to relinquishing ownership, custody, or control oftechnology assets, university organizations must conduct an assessment ofthe information stored on such equipment to determine the relative risk ofunwanted disclosure ofsensitive data from improper disposal. Ifa reasonable risk ofunwanted disclosure exists, the technology asset must be sanitized of the sensitive data prior to relinquishing custody ofthe asset. (5) Servicing. Prior to servicing technology assets in situations where the asset leaves the custody ofthe university, university organizations shall secure information in a manner consistent with the nature ofthe data stored on the device to prevent the unauthorized disclosure or use ofthe data, up to and including temporary removal or permanent sanitization ofthe device or associated storage media.

Technology assets which access, store, process, transmit, or receive sensitive data may only be sent to maintenance and repair service providers who have agreed in writing to: (a) (b) (c) maintain the confidentiality of university information; access information only if it is necessary for maintenance or servicing purposes; and destroy, sanitize or return any equipment or components that are still capable of storing information, in accordance with university policy. (6) Disposal and transfer oftechnology assets. Except as directed by the vice president, CIO/CTO, university organizations must ensure that technology assets are sanitized of all sensitive data prior to a temporary or permanent transfer of ownership, custody, or control, such as by loan, sale, donation, transfer to another organization, transferring equipment to the university surplus program, or disposing ofthe asset. (a) Short-Term loans and transfers. (i) (ii) To other university organizational units. Prior to lending technology assets among organizational units within the university. University organizations must secure the asset in a manner consistent with the nature ofthe information stored on the asset. If the asset contains sensitive information, the organization must either sanitize the asset or encrypt the information before transferring the asset. To organizations external to the university. Prior to lending technology assets to organizations extemal to the university, university organizations must sanitize any sensitive data stored on the asset to prevent the unauthorized disclosure ofinformation. Any software that by the terms ofits license is

limited to use by the university must be removed prior to transfer. Technology assets on short term loan to external organizations are university property and the custody and control ofthe asset must be reasonably known until returned to the university. (b) Long-Term loans and transfers. (i) (ii) To other university organizational units. Prior to long-term loan or reassignment ofcomputing equipment among organizational units within the university, the asset must be wiped and restored to a default configuration by operating system reinstallation, restore procedure, or similar mechanism. To organizations external to the university. Prior to the long-term loan, reassignment, or donation of computing equipment to organizations outside the university, the asset must be sanitized and must not contain any software licensed to the university. (c) Disposal. (i) (ii) UT disposal. Ifdisposed ofby the university, technology assets must be sanitized prior to disposal. The disposal oftechnology assets containing hazardous materials or other electronic waste must be conducted in accordance with all federal, state, and locals concerning the disposal of such waste. Vendor disposal. Technology assets which access, store, process, transmit, or receive sensitive data may only be sent to sanitization, disposal or destruction service providers who have agreed in writing to:

(a) maintain the confidentiality ofuniversity information; (b) destroy, sanitize or return any equipment or components that are still capable of storing information, in accordance with university policy; (c) account for each asset to the point of sanitization or destruction and disposal; and (d) certify that it has disposed ofthe asset in accordance with the requirements ofthis policy. (7) Sanitization. Sanitization oftechnology assets must be conducted in a manner that assures that sensitive information stored on the asset cannot be recovered, such as by physical destruction, shredding, or overwritingof stored data. For the purposesofthis policy, destruction or deletion ofan encryption key by university personnel such that data on an asset is rendered unrecoverable is sufficient to comply with the sanitization requirement. (8) Violations. Violations ofthis policy will be subject to the university's disciplinary process and may result in disciplinary action up to and including termination. Criminal activity subject to applicable state and federal criminal penalties may be referred to law enforcement as appropriate.

Approved by: Policies superseded by this policy: r C-N / 3364-65-06 Disposal, servicing and transfer ofitequipment, effective date /A^ August 1, 2012 Dr. Sharon Gaber, PhD 3364-65-17 Computer Purchases, President effective date October 19, 2011 3364-65-18 Server Policy, effective date September 21, 2012 January 12. 2017 Date Initial effective date: January 12,2017 Review/Revision Date: Review/Revision Completed by: Next review date: January 12, 2020 Senior Leadership Team Vice President, CIO/CTO

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback