Policy

IT Asset Management Policy

Queries

​​For queries on this policy, contact IT Support:

Purpose and scope

​​This policy will ensure a consistent and effective approach to the management and security of IT Assets. It enables the efficient and effective management of IT Assets through the creation and management of an Asset Register against which regular maintenance, assessments of security vulnerability, financial planning, insurance claims, and tracking of asset sanitisation and disposal can be made. It also contributes to the effective management of cybersecurity risk by ensuring all devices owned by the University are appropriately recorded and managed.

​IT Assets are defined as any electronic device, infrastructure component, or software, regardless of where it is located, that is used to create, capture, display, process, transmit, or store university Information Assets (Annex 1 clarifies the scope of this definition).

This policy applies to all staff, students, and third parties using IT Assets that are provided or managed by Cardiff University and/or used to deliver the academic, research, and administrative activity of the University.

Related policies and procedures

​​This policy provides the overarching approach to the management of IT Asset lifecycles at Cardiff University. It forms a part of the Information Security Framework and should be read in conjunction with the Information Security Policy and all supporting policies.

​All processes and procedures required to manage IT Assets through their lifecycles shall be consistent with this policy.

​All use of IT Assets by staff, students, and third parties shall comply with the University IT Regulations and IT Acceptable Use Policy.

Policy

  1. ​​All IT Assets must be procured in full compliance with the University Procurement Policy and, where applicable, Public Contract Regulations.
  1. ​All IT Assets must be uniquely identifiable and recorded in an auditable Asset Register, with records maintained throughout the lifecycle of the IT Asset and retained in accordance with the University’s Record Retention Schedule.
  1. ​All newly acquired IT Assets will be captured in the Asset Register at the point the University takes ownership. IT Assets already held by the University will be prioritised for addition to the Asset Register dependent on the information security risk posed by the type of asset (see Annex 2).
  1. Asset Register records will contain sufficient technical, location, user allocation, ownership, lifecycle, and financial information for the type of IT Asset, to support the management and maintenance of the associated asset.
  1. All IT Assets will be configured and secured to a minimum standard specified by University IT.
  1. IT Assets will be managed by University IT throughout their lifecycle in a manner appropriate to their type and function.
  1. ​Elevated user privileges are reserved for staff with a business need to manage the configuration of IT Assets. Therefore, administrative privileges shall be:
    1. ​removed from all IT Assets before their supply to end users.
    2. ​revoked where found to be in place on deployed IT Assets.
  1. ​Handling of information using IT Assets shall comply with the Information Security Classification and Handling Policy.
  1. ​IT Assets not in operational use must be segregated dependent on their status, and stored in secure storage environments with restricted and auditable access.
  1. ​All IT Assets shall be returned to University IT for decommissioning and recovery of software licenses where the asset is:
    1. ​no longer required by its current user, including where it is proposed to be transferred for use by another member of the University.
    2. ​to be transferred from university ownership or management to an external third-party organisation or individual.
    3. ​to be disposed of or recycled.
  1. ​All disposal or recycling of IT Assets shall be managed by University IT. All IT Assets for disposal or recycling must:
    1. ​have any information held sanitised by a contracted and certified service provider in accordance with ADISA ICT Asset Recovery Certification (version 8.0). The service provider will select the appropriate means of sanitisation, such as software overwriting or physical destruction of the asset.
    2. ​not leave the University’s secure premises unless they are being handled by a service provider with whom the University has a current contract to provide secure IT Asset disposal services.
    3. ​have their sanitisation and disposal status reflected in the Asset Register.
  1. ​The Chief Digital and Information Officer or their nominated delegate shall have the authority to agree to exceptions to the requirements of this policy.​

Roles and responsibilities

​​The Chief Digital and Information Officer is the sponsor for this policy, and is responsible for approving the need to develop or substantively amend the policy, for presenting the final draft to the approving body and for ensuring that their policy-making documents comply with and are monitored and reviewed in line with the Cardiff University Policy for the Development of Policy-making Documents. They are also accountable for ensuring that:

  • ​an appropriate IT Asset Management policy is in place and maintained
  • exceptions to the requirements of this policy are authorised
  • ​the Asset Register is appropriately maintained throughout the lifecycle of each IT Asset

​The Assistant Director (IT Service and Operations) is responsible for:

  • ​nominating Type Owners for IT Asset Types.
  • ​ensuring that appropriate contracts are in place that describe the arrangements for auditing, inventory management and information sanitisation for service providers that deliver IT Asset sanitisation, disposal and recycling services, and that these providers are audited annually to ensure compliance with their contracts.
  • ​ensuring that records within the Asset Register are audited for accuracy
  • ​ensuring that exceptions to this policy are reviewed
  • ​ensuring appropriate processes and procedures are in place to manage all types of IT Assets

​The Head of IT Service Support is responsible for ensuring that:

  • ​asset records are captured in the Asset Register, and that they remain current and accurate
  • ​sanitisation and disposal standards required by this policy are reviewed at least annually to ensure they remain appropriate
  • ​appropriate procedural and process documents are in place and applied to manage assets through their lifecycle
  • IT Assets are configured, secured and managed appropriately based on their type and function

​All members of University IT are responsible for:

  • ​identifying IT Assets and reporting them for capture in the Asset Register
  • ​managing the lifecycle of IT Assets in accordance with the processes and procedures defined for their IT Asset Type

​All staff, students, and third parties using IT Assets are responsible for:

  • ​using them in accordance with the Acceptable Use policy, Licence, and Warranty agreements
  • ​returning all IT Assets to University IT for recommissioning (removal/reassignment of assigned software and removal of data) before passing the IT Asset to another member of the University for use
  • ​following procedures and advice from University IT relating to the maintenance, update, and security of IT Assets
  • returning all IT Assets allocated to them for decommissioning when the asset is no longer required, including before transfer from university ownership

​Any member of staff or student procuring IT Assets using university funding (whether funded by revenue budgets or research grant funding) is responsible for:

  • ​procuring IT Assets in full compliance with the University Procurement Policy, Public Contract Regulations, and/or the grant issuing bodies' stipulated requirements
  • ​following procedures defined by University IT to assign accountability for the IT Assets to an individual or specified role
  • ​notifying University IT on the delivery of the IT Assets to enable them to be recorded in the Asset Register

Monitoring and review

​​This policy shall be reviewed every three years, or as and when required.

​Exceptions to this policy shall be reviewed annually to ensure that they remain applicable and appropriate.

​An audit of the IT Asset Register shall be undertaken at least annually to ensure that it remains current, accurate, and that agreed management processes and procedures are being applied appropriately.

​An annual audit of any third-party providers provisioning IT Asset disposal and sanitisation will be undertaken to ensure they meet the requirements of this policy.

​Breaches of this policy may be treated as a disciplinary matter, dealt with under the University’s staff disciplinary procedure or the student disciplinary procedure as appropriate.​

Annex 1 - IT Asset definition and scope

​​IT Assets are defined as any electronic device, infrastructure component, or software, regardless of where it is located, that is used to create, capture, display, process, transmit, or store university Information Assets.

​This includes, but is not limited to:

  • ​network and data centre infrastructure components
  • ​specific hardware devices used to support research and teaching activities that contain an IT component
  • ​virtualised components and environments
  • ​cloud-hosted platforms and software
  • ​physical servers
  • ​portable devices, arrays, and online services used for storage
  • ​desktop and laptop equipment
  • ​mobile phones and tablet devices
  • ​multi-function devices, printers, and scanners
  • ​audiovisual equipment used to deliver teaching and hybrid meetings
  • ​commercially licensed, cloud resident (managed via Software As A Service), or open-source software, used for managing University operations
  • ​custom software written by the University, used for managing University operations

​The following are excluded from the scope of this policy:

  • ​bespoke software written to support specific teaching and research activity
  • ​consumable items used with IT Assets, such as batteries, cables, and printer cartridges
  • ​optical consumable media such as CDs and DVDs

​SD Cards and USB sticks are considered consumables but are in scope of this policy for the decommissioning and disposal requirements outlined in policy statements 8 and 9.​

Annex 2 - IT Asset Security Risk Classification

​​Types of IT Asset (see examples in Annex 1) are classified dependent on the information security risk they pose to the University as follows:

High risk

IT Assets that may store or create university-owned data classified as Highly Confidential (C1) or Confidential (C2) and are categorised as mobile or are not located on university premises.

Medium risk

​IT Assets that store or create university-owned data classified as Highly Confidential (C1) or Confidential (C2), or are used to transmit such data, and are categorised as static and resident on university premises.

Low risk

All other categories of IT Assets that do not store or create University-owned data classified as Highly Confidential (C1) or Confidential (C2), regardless of location.

Document control table

Document title: IT Asset Management Policy
Author(s): Owen Hadall, Director of IT, University IT.
Version number: 1.0