PURPOSE:
This Asset Management Policy outlines the standards and procedures for identifying, classifying, controlling, and managing the lifecycle of Idaho College of Osteopathic Medicine (ICOM) assets. The purpose of this policy is to ensure accountabilities for all institutional assets, protect institutional investments, optimize resource utilization, and support effective security management. This policy is crucial for maintaining accurate records of assets, mitigating risks associated with asset loss, theft, or misuse, and supporting regulatory compliance and audit requirements.
SCOPE:
This policy applies to all assets owned, leased, or managed by ICOM, including but not limited to:
- Information Assets:
- Data and information in all formats (electronic, physical, intellectual property)
- Databases
- Applications (including SaaS applications)
- Software licenses
- Digital content
- Documentation
- Physical Assets:
- Computer hardware (desktops, laptops, servers, mobile devices, peripherals)
- Network equipment (routers, switches, firewalls)
- Physical servers and data center infrastructure (if applicable)
- Telecommunications equipment
- Furniture and office equipment (if deemed critical assets for management purposes)
This policy applies to all individuals who are responsible for managing, using, or have custody of institutional assets, including but not limited to:
- Faculty
- Staff
- Administrators
- Students (for institutionally provided assets)
- Affiliates
- Contractors
- Vendors
DEFINITIONS:
- Asset: Anything of value that is owned, leased, or managed by ICOM. Assets can be tangible (physical items) or intangible (information, software). In this policy, "Asset" broadly refers to resources that need to be tracked, managed, and protected.
- IAM (Identity and Access Management): The framework and processes for managing digital identities and controlling user access to IT resources and applications. IAM systems manage user authentication (proving who you are) and authorization (what you are allowed to access).
POLICY:
Asset Inventory: A comprehensive and up-to-date inventory of all assets within the scope of this policy must be maintained. The inventory will include, at a minimum, the following information for each asset:
- Asset Name/Description
- Asset Type and Category
- Unique Asset Identifier (Asset Tag or Serial Number where applicable)
- Location
- Owner/Custodian (Department or Individual Responsible)
- Acquisition Date and Cost
- Current Status (e.g., Active, Decommissioned, Loaned)
- For Software: Security Classification (e.g., Public, Confidential, Restricted - based on data sensitivity)
- For Software: License Information (License type, expiry date, number of licenses)
- For SaaS Applications: Vendor Name, Application URL, Purpose, Data Stored, Renewal Date, Contract Information
Asset Classification and Valuation: Assets will be classified based on their type, value, and criticality to the institution's operations. A consistent asset valuation methodology may be established and used to determine the financial and operational value of assets for risk management and resource allocation purposes.
Asset Ownership and Custodianship: Clear ownership and custodianship will be assigned for each asset. Owners are responsible for defining asset requirements, classification, and security. Custodians are responsible for the day-to-day physical security, maintenance, and proper use of the asset.
Asset Acquisition: All asset acquisitions must be formally approved and documented according to institutional procurement procedures. Acquisition processes must include consideration of security requirements, compatibility, lifecycle costs, and proper inventorying upon receipt. For SaaS applications, acquisition must include security due diligence, contract review, and integration with institutional IAM systems where applicable.
Asset Deployment and Use: Assets must be deployed and used in accordance with institutional policies and procedures. Security configurations must be implemented according to established security standards. Users are responsible for the appropriate and authorized use of assigned assets.
Asset Maintenance: Regular maintenance must be performed on assets to ensure their continued functionality, security, and reliability. This includes software updates, patching, hardware maintenance, and regular inspections.
Asset Security: Appropriate security controls must be implemented and maintained for all assets based on their classification and value. Security controls will include physical security, access control, anti-malware protection, data encryption (where applicable), and regular security assessments.
Asset Tracking and Monitoring: Asset location and status will be tracked and monitored regularly. Automated asset discovery and inventory tools should be used where feasible. Discrepancies in asset inventory must be investigated and resolved promptly.
Asset Disposal and Decommissioning: Assets must be properly disposed of or decommissioned when they are no longer needed or reach the end of their useful life. Disposal procedures must ensure secure data sanitization, proper documentation of disposal, and compliance with environmental regulations. For SaaS applications, decommissioning must include data migration or secure data deletion by the vendor, and contract termination.
Physical Asset Security: Physical security measures must be in place to protect physical assets from theft, damage, and unauthorized access. This includes secure storage, physical access controls (e.g., locked rooms, access badges), and environmental controls (where applicable).
Software and License Management: Software assets should be managed to ensure license compliance and utilization. A central repository of software licenses and license agreements will be maintained. For SaaS applications, license usage and subscription management will be actively monitored.
Asset Management Roles and Responsibilities: Clear roles and responsibilities for asset management activities will be defined and assigned across relevant departments. The Information Technology Office is responsible for overseeing the security aspects of asset management.
POLICY EXCEPTIONS:
Exceptions to this policy may be granted in limited circumstances by designated authorization authorities (e.g., Chief Information Officer, System Administrator), with appropriate justification and compensating controls documented.
ENFORCEMENT:
Enforcement of this Asset Management Policy is the responsibility of all managers, supervisors, and asset custodians, under the overall direction of the Chief Information Officer and designated System Administrator (if applicable). Violations of this policy may result in disciplinary actions, up to and including termination of employment or access privileges, and potential financial or legal consequences. Regular audits of asset inventory and management practices will be conducted to ensure policy compliance.
POLICY REVIEW AND UPDATES:
This Asset Management Policy will be reviewed and updated at least annually, or as needed to reflect changes in technology, regulations, institutional risk assessments, business needs, or best practices in asset management. The Chief Information Officer or designated System Administrator is responsible for coordinating policy reviews and updates.
PRIMARY POLICY OWNER:
Chief Information Officer
APPROVAL:
Effective: 7/8/25
Last Reviewed: 7/8/25
Review Requirement: Annual