The URL can be used to link to this page

Home My Public Portal AboutADM-412_Asset Management Policy_Effective 04-26-2021 City of Lebanon New Hampshire ADMINISTRATIVE POLICIES & PROCEDURES CYBER SECURITY CYBER SERVICES ASSET MANAGEMENT POLICY Policy Number Effective Date Last Revision Page No. ADM-412 4/26/21 Page 1 of 5 Approved by: Section 1.0: Purpose The purpose of this policy is to outline the asset management process and the way in which the Cyber Services Department documents the technology equipment throughout the City. It is critically important to maintain up-to-date inventory and asset controls to ensure computer equipment locations and dispositions are well known. Lost or stolen equipment often contains sensitive data. Proper asset management procedures and protocols provide documentation that aid in recovery and replacement, criminal investigations, and insurance activities. Section 2.0: Scope This policy applies to all City employees and City owned or leased technology. Section 3.0: Definitions ASSET OWNER is the responsible person or department in which technology equipment has been assigned to. MEMORY DEVICES store data and can be portable. Examples are USB flash drives (commonly “thumb drives”) and external USB data storage drives. OPTICAL MEDIA refers to CD-ROMs and DVD-ROMs that have the ability to store data. Section 4.0: Policy Detail 4.1 TECHNOLOGY ASSETS All technology assets must be purchased through the Cyber Services Department. Any exceptions to be made must be approved by the Director of Cyber Services or the City Manager. The following minimal asset classes are subject to tracking and asset tagging:  Desktop workstations  Laptop mobile computers  Tablet devices  Printers, copiers, fax machines, and multi-function print devices City of Lebanon New Hampshire ADMINISTRATIVE POLICIES & PROCEDURES CYBER SECURITY CYBER SERVICES ASSET MANAGEMENT POLICY Policy Number Effective Date Last Revision Page No. ADM-412 4/26/21 Page 2 of 5 Approved by:  City provisioned cell phones  Scanners  Network Servers  Network appliances (e.g. firewalls, routers, switches, Uninterruptible Power Supplies (UPS), endpoint network hardware and storage)  Voice over Internet Protocol (VOIP) Telephony Systems and components  Internet Protocol (IP) Enabled Video and Security Devices  Memory devices  Software  Video screens and televisions  Video equipment and video cameras 4.2 ASSET TRACKING REQUIREMENTS  All assets must have an internal City of Lebanon asset number assigned and mapped to the device’s serial number.  An asset-tracking database shall be maintained by Cyber Services staff to track assets. It shall minimally include purchase and device information including: o Date of purchase o Make, model, and descriptor o Serial Number o Location o Type of asset o Owner/Department o Disposition o Purchase Order number if applicable Prior to deployment, the Cyber Services department staff shall assign an ID to the asset and enter its information in the asset tracking database. All assets maintained in the asset tracking database inventory shall have an assigned owner. City of Lebanon New Hampshire ADMINISTRATIVE POLICIES & PROCEDURES CYBER SECURITY CYBER SERVICES ASSET MANAGEMENT POLICY Policy Number Effective Date Last Revision Page No. ADM-412 4/26/21 Page 3 of 5 Approved by: 4.3 ASSET VALUE Assets which cost less than $500.00 shall generally not be tracked, including computer components such as smaller peripheral devices, video cards, or keyboards, or mice. However, assets which store data, regardless of cost, shall be tracked either as part of a computing device or as a part of network attached storage. These assets include:  Network Attached Storage (NAS), Storage Area Network (SAN) or other computer data storage  Temporary storage devices  Optical media with data stored on them including system backup data. 4.4 ASSET DISPOSAL AND REPURPOSING Procedures governing asset management shall be established by Cyber Services for secure disposal or repurposing of equipment and resources prior to assignment, transfer, transport, or surplus. In order to maintain accurate tracking of assets, all technology assets listed in section 4.1 above must be disposed of by Cyber Services. Disposal or transfer of cyber equipment must be done only after approval and under the supervision of Cyber Services. When disposing of any asset, sensitive data must be removed prior to disposal. Cyber Services department support staff shall determine what type of data destruction protocol should be used for erasure. Minimally, data shall be removed using low level formatting. For media storing confidential or personally identifiable information (PII) that is not being repurposed, disks shall be physically destroyed prior to disposal. 4.5 SOFTWARE Cyber Services Department will develop and maintain an inventory of its software. All software must be approved and installed by the Cyber Services Department. The inventory will include: o Name of software City of Lebanon New Hampshire ADMINISTRATIVE POLICIES & PROCEDURES CYBER SECURITY CYBER SERVICES ASSET MANAGEMENT POLICY Policy Number Effective Date Last Revision Page No. ADM-412 4/26/21 Page 4 of 5 Approved by: o Related License keys o Installation information o Department/s that utilize software o Software As A Service (SAAS) or On-Prem o Life or term of the software Section 5.0: Procedures 5.1 Plan All technology assets will be ordered through the Cyber Services Department. Departments will submit a Help Desk ticket with the request for the asset along with the General Ledger (GL) number associated with the request. Upon receiving the request, Cyber Services along with department stakeholders, will determine the validity of the need and either approve the purchase or deny it. 5.2 Procurement Asset is ordered by and delivered to Cyber Services for setup, following standard setup guidelines for hardware. This includes imaging, inventorying, and any other tasks needed to be accomplished prior to deployment. Inventory of all assets will be held within ServiceDesk in the Asset Management module. 5.3 Deployment Asset is deployed to site and the device is assigned a user. For Cyber Services equipment the user will be the Cyber Services Department. 5.4 Support and Maintenance Active assets will be supported and maintained by the Cyber Services Department through ServiceDesk and routine maintenance. Proper maintenance is observed, following policy. 5.5 Retirement/Disposal Asset will have all relevant information backed up and moved to data-at-rest location. Device will be properly wiped by Cyber Services staff, and if wiping is not possible storage device will be destroyed. Asset will be removed from active rolls and disposed of properly. City of Lebanon New Hampshire ADMINISTRATIVE POLICIES & PROCEDURES CYBER SECURITY CYBER SERVICES ASSET MANAGEMENT POLICY Policy Number Effective Date Last Revision Page No. ADM-412 4/26/21 Page 5 of 5 Approved by: 5.6 Audit Controls and Management On-demand documented procedures and evidence of practice should be in place for this operational policy. Satisfactory examples of evidence and compliance include:  Current and historical asset management system checks for various classes of asset records.  Spot checks of record input and accuracy against tracking database.  Evidence of internal process and procedure supporting this policy for compliance with general workstation computing policies. Section 6.0: References (Charter/Code/State Statues) NIST 800-53 NIST Cybersecurity Framework Section 7.0: Policy & Procedure Revision History Section Revisions Date Original Adoption 4/26/21 Amendment Amendment Amendment