Cam Beasley, Chief Information Security Officer | 2012-AUG-07 – rev3
Approved by AIC and BSC IT Governance groups 

Recommendation

It is recommended that all colleges, schools, and units require all IT procurements (e.g., primarily hardware and large-dollar software) and surplused computing devices to be routed through their respective IT Systems Custodian (or local IT support contact). Based on evidence from various campus units that have already implemented such a change, it is expected to have a positive impact on IT system management, inventory management, the University's risk assessment efforts, and overall security posture.

Background

UT Austin administration and UT System have developed a need for campus units to have more thorough knowledge of their inventory of computing devices (e.g., encryption, patch management). The current processes in use for most campus units are inadequate for them to report on such compliance efforts or to effectively manage their inventory (logically or physically). The following changes to the procedures for procuring, inventorying, and surplussing computing devices will improve the University's ability to provide accurate data in response to compliance questions being asked and will dramatically improve overall visibility and system management practices for many units on campus.

Procedural Changes

It is recommended that all units have their local IT Systems Custodian(s) process (e.g., inventory, install, secure) all computing devices being purchased. This includes, but is not limited to, any devices that have the ability to store data or use the wired or wireless networks. Examples of these types of computing devices include, but are not limited to, laptops, desktop computers, and tablet computers including iPads. For units where ITS support contracts exist, ITS will be required to provide the local IT Systems Custodian with a complete inventory of computing devices for the contracted unit. The IT Systems Custodian will perform these tasks in a timely manner so as not to delay distribution of the device to the end user.

Procurement, Inventory, and Surplus Procedures

All units creating purchase orders or pro-card transactions for a computing device shall specify the address of the local IT support team as the delivery destination and shall record, in the purchase order notes, the EID of the individual for whom the system is intended.

The local IT Systems Custodian(s) will receive the device once shipment is complete. The local IT Systems Custodian(s) will then acquire the UT inventory tag for the device, either from UT Inventory or, if the unit self-tags equipment, from the unit that purchased the device. All necessary information about the device will be conveyed to self-tagging units so that the required information about the device can be entered into UT Inventory. The local IT Systems Custodian(s) will log and track all shipments received.

The local IT Systems Custodian(s) will enter the computing device into the Information Security Office's ISORA service, which has been designed to facilitate enterprise risk management for the campus, and will configure the device according to the UT Minimum Security Standards for Systems. All University and unit-specific configuration procedures will be applied, including but not limited to encryption of laptops.

Campus units are encouraged to implement additional steps necessary to best accommodate this operational procedure change.

Exceptions

Any department head can submit an exception to this operational procedure if they believe it would unnecessarily burden their unit or would not otherwise add value. Exceptions can be submitted via: security.utexas.edu/exception

References