City of Lebanon
New Hampshire
ADMINISTRATIVE POLICIES & PROCEDURES
CYBER SECURITY
CYBER SERVICES ASSET MANAGEMENT POLICY
Policy Number Effective Date Last Revision Page No.
ADM-412 4/26/21 Page 1 of 5
Approved by:
Section 1.0: Purpose
The purpose of this policy is to outline the asset management process and the way
in which the Cyber Services Department documents the technology equipment
throughout the City. It is critically important to maintain up-to-date inventory and
asset controls to ensure computer equipment locations and dispositions are well
known. Lost or stolen equipment often contains sensitive data. Proper asset
management procedures and protocols provide documentation that aids in recovery
and replacement, criminal investigations, and insurance activities.
Section 2.0: Scope
This policy applies to all City employees and City owned or leased technology.
Section 3.0: Definitions
ASSET OWNER is the responsible person or department to which technology
equipment has been assigned.
MEMORY DEVICES store data and can be portable. Examples are USB flash drives
(commonly “thumb drives”) and external USB data storage drives.
OPTICAL MEDIA refers to CD-ROMs and DVD-ROMs that have the ability to store
data.
Section 4.0: Policy Detail
4.1 TECHNOLOGY ASSETS
All technology assets must be purchased through the Cyber Services Department.
Any exceptions to be made must be approved by the Director of Cyber Services or
the City Manager.
The following minimal asset classes are subject to tracking and asset tagging:
Desktop workstations
Laptop mobile computers
Tablet devices
Printers, copiers, fax machines, and multi-function print devices
City provisioned cell phones
Scanners
Network Servers
Network appliances (e.g. firewalls, routers, switches, Uninterruptible
Power Supplies (UPS), endpoint network hardware and storage)
Voice over Internet Protocol (VOIP) Telephony Systems and components
Internet Protocol (IP) Enabled Video and Security Devices
Memory devices
Software
Video screens and televisions
Video equipment and video cameras
4.2 ASSET TRACKING REQUIREMENTS
All assets must have an internal City of Lebanon asset number assigned and
mapped to the device’s serial number.
An asset-tracking database shall be maintained by Cyber Services staff to
track assets. It shall minimally include purchase and device information
including:
o Date of purchase
o Make, model, and descriptor
o Serial Number
o Location
o Type of asset
o Owner/Department
o Disposition
o Purchase Order number if applicable
Prior to deployment, the Cyber Services department staff shall assign an ID to the
asset and enter its information in the asset tracking database. All assets
maintained in the asset tracking database inventory shall have an assigned owner.
4.3 ASSET VALUE
Assets which cost less than $500.00 shall generally not be tracked, including
computer components such as smaller peripheral devices, video cards,
keyboards, or mice. However, assets which store data, regardless of cost, shall be
tracked either as part of a computing device or as a part of network attached
storage. These assets include:
Network Attached Storage (NAS), Storage Area Network (SAN) or other
computer data storage
Temporary storage devices
Optical media with data stored on them including system backup data.
4.4 ASSET DISPOSAL AND REPURPOSING
Procedures governing asset management shall be established by Cyber Services for
secure disposal or repurposing of equipment and resources prior to assignment,
transfer, transport, or surplus.
In order to maintain accurate tracking of assets, all technology assets listed in
section 4.1 above must be disposed of by Cyber Services. Disposal or transfer of
cyber equipment must be done only after approval and under the supervision of
Cyber Services.
When disposing of any asset, sensitive data must be removed prior to disposal.
Cyber Services department support staff shall determine what type of data
destruction protocol should be used for erasure. Minimally, data shall be removed
using low level formatting. For media storing confidential or personally identifiable
information (PII) that is not being repurposed, disks shall be physically destroyed
prior to disposal.
4.5 SOFTWARE
Cyber Services Department will develop and maintain an inventory of its software.
All software must be approved and installed by the Cyber Services Department.
The inventory will include:
o Name of software
o Related License keys
o Installation information
o Department/s that utilize software
o Software As A Service (SAAS) or On-Prem
o Life or term of the software
Section 5.0: Procedures
5.1 Plan
All technology assets will be ordered through the Cyber Services
Department. Departments will submit a Help Desk ticket with the request for
the asset along with the General Ledger (GL) number associated with the request.
Upon receiving the request, Cyber Services along with department stakeholders,
will determine the validity of the need and either approve the purchase or deny it.
5.2 Procurement
Asset is ordered by and delivered to Cyber Services for setup, following standard
setup guidelines for hardware. This includes imaging, inventorying, and any other
tasks needed to be accomplished prior to deployment. Inventory of all assets will be
held within ServiceDesk in the Asset Management module.
5.3 Deployment
Asset is deployed to site and the device is assigned a user. For Cyber Services
equipment the user will be the Cyber Services Department.
5.4 Support and Maintenance
Active assets will be supported and maintained by the Cyber Services Department
through ServiceDesk and routine maintenance. Proper maintenance is observed,
following policy.
5.5 Retirement/Disposal
Asset will have all relevant information backed up and moved to a data-at-rest
location. The device will be properly wiped by Cyber Services staff, and if wiping is
not possible, the storage device will be destroyed. Asset will be removed from active
rolls and disposed of properly.
5.6 Audit Controls and Management
On-demand documented procedures and evidence of practice should be in place for
this operational policy. Satisfactory examples of evidence and compliance include:
Current and historical asset management system checks for various
classes of asset records.
Spot checks of record input and accuracy against tracking database.
Evidence of internal process and procedure supporting this policy for
compliance with general workstation computing policies.
Section 6.0: References (Charter/Code/State Statutes)
NIST 800-53
NIST Cybersecurity Framework
Section 7.0: Policy & Procedure Revision History
Section Revisions Date
Original Adoption 4/26/21
Amendment
Amendment
Amendment