IMP 10: IT Asset Management Policy

Information Classification - Public

Policy Introduction and Purpose

This policy outlines the principles for managing IT Assets throughout their lifecycle at the University. Effective IT Asset Management (ITAM) enhances information security posture, supporting the confidentiality, integrity, and availability of information systems.

ITAM enables strategic use of IT resources, improves asset visibility, supports informed decision-making, and reduces compliance risks, contributing to good corporate governance.

The purpose of this policy is to define the requirements for managing IT Assets, ensuring compliance with licensing and security protocols. This is essential for protecting sensitive research, personal, and corporate information handled by the University.

Scope and Definitions

The policy covers everyone who has a contractual (formal or informal/implied) relationship with the University, including employees, students, visiting academics, and consultants. Please note that this list is not exhaustive.

The policy covers all IT assets procured, issued or otherwise managed by the University. This policy must be viewed in conjunction with Financial Procedure FP15.

An IT asset is defined as: an item, thing or entity that bears information or is part of a system that processes information, such as Hardware, Software or Digital Resource.

At the University we consider these items to be IT assets:

  • All desktop and laptop computers.
  • Printers, scanners, and portable storage devices.
  • All mobile phones, smartphones, tablets, and other portable computing equipment including e-readers/writing tablets.
  • All Network and Internet connected IoT (Internet of Things) devices.
  • All audio-visual (AV) equipment.
  • Equipment with embedded computers e.g. microscopes, battery cyclers, lab equipment etc.
  • System software, client applications and associated licences.
  • Any other digital or physical technology resource used to store, process, transmit, or access University information.

The above list is not exhaustive.

Policy Responsibilities

The Chief Information Security Officer (CISO) retains overall accountability for this policy and for ensuring the Policy meets legal and regulatory requirements; for keeping this Policy up to date; and for ensuring that controls, checks, and audits are carried out as part of compliance with this Policy.

Operational Responsibilities

Role | Function
Designate of Head of Department (e.g. academic lead on research, individuals with delegated authority for information, system administrators). | Responsible - for overseeing compliance with the Policy within areas of responsibility.
Head of Department (or equivalent). | Accountable - for compliance with this policy within Departments.
Information Risk and Compliance Team (with escalation to CISO). | Consult - to discuss organisational level compliance with the Policy.
IDG Digital Business Partners. | Inform - must be informed of the content of the Policy to communicate it to their departments.

Principles of this Policy

Adherence to this policy is achieved by following the policy principles in addition to the supporting IT Asset Management Standards (currently in development). Appropriate management of IT Assets supports:

  • Security and Compliance - IT asset management is an essential activity in maintaining security posture and regulatory compliance.
  • Risk Management and Compliance - ensure IT assets are managed to minimise risk and meet regulatory requirements, especially in software licensing, data security, and privacy. IT asset management must minimise risks related to compliance, security breaches, and operational inefficiencies. The University proactively addresses potential issues by keeping track of IT assets, usage, and compliance status.
  • Regulatory Compliance and Legal Considerations - IT assets must comply with laws and standards, particularly around licensing, data protection, and privacy.
  • Inventory and Documentation Accuracy - those responsible for distribution and management of IT assets must ensure that accurate and comprehensive documentation of IT assets, which is essential for audits, financial reporting, and operational transparency, is maintained.
  • Disaster Recovery and Business Continuity - system owners and administrators must ensure that effective disaster recovery and business continuity plans, with a clear understanding of the available IT assets and their criticality, are maintained.
  • Enhanced Security and Data Integrity - those responsible for distribution and management must ensure accurate inventory of IT assets to help identify and mitigate security risks. This ensures that software is up to date and that hardware security is maintained in line with the Hardware Asset Management and Secure Configuration Standard (both currently under development).
  • Improved Decision-Making - ITAM provides critical data and insights about IT assets, which aids in strategic planning and decision-making. This includes insights into investment needs, performance issues, and opportunities for improvement.
  • Resource Optimisation and Efficiency - the University must manage IT assets to ensure optimal allocation and utilisation, prevent resource wastage and ensure that each asset is used to its full potential.

IT Asset Lifecycle Framework

The IT Asset Lifecycle is the full journey of the IT Asset from its purchase to its retirement and disposal. The definition of IT Assets and the IT Asset Lifecycle follow the five stages below, which will be set out in the IT Asset Management Standard (currently in development) for hardware, software and digital resources.

Procurement

Requirements for purchasing, including approval processes and vendor selection.

All expenditure on IT hardware, software or equipment (including equipment or devices not typically classified as "IT" equipment) that will:

  • require specialist IT infrastructure, or
  • access, store or process commercially sensitive or personal data or Research Intellectual Property, or
  • interact with University networks in any form whatsoever, and at any value.

Deployment

Procedures for installation, configuration, and assigning assets to users.

  • All hardware assets must be registered within the IDG asset management system for tracking and auditing purposes. Alternatively, some departments may maintain inventory with localised asset registers in agreement with IDG; reports of IT assets from these registers must be provided to IDG.
  • All issued hardware assets will be configured as managed by default. Self-managed devices will only be configured for self-management where there is a clear business need to do so and where risk is appropriately mitigated.
  • Only authorised individuals are permitted to make alterations and modifications (such as changes to components) to University-issued IT assets. Any individual making such alterations without prior permission from IDG (or teams to whom such authority has been delegated) will be in violation of this policy in addition to risking voiding the warranty of such assets. Configuration changes to devices which are not 'admin restricted' are permissible, such as changes to display settings, configuring peripheral devices etc.

Maintenance and Support

Defines how regular maintenance, updates, and technical support will be managed.

  • IDG and device-issuing departments must provide adequate support for all issued devices within their defined lifecycle. Support is not guaranteed for non-university issued devices.
  • All devices must be kept current with security updates and maintained throughout the asset's lifecycle by the IDG Platform Support teams, or localised teams who have been granted delegated authority to manage such devices. Any issues with the hardware must be reported to the Service Desk or local IT staff.

Audit and Reporting

Establish a schedule for inventory audits and reporting requirements.

  • All hardware assets must be registered within the IDG asset management system for tracking and auditing purposes (unless prior agreement has been obtained from IDG to register such assets locally).
  • Asset registers must be audited on a regular basis, at least annually by the Product Owner or by the department to whom maintaining a local register has been agreed.
  • Departments must carry out a physical audit of the inventoried assets to confirm they exist and update the asset registers accordingly.

Retirement and Disposal

Process for securely and responsibly disposing of assets.

  • Please refer to the following: IMSOP 06: Device Disposal.
  • All University-issued devices must be returned to the issuing department once members' contractual relationships with the University have ended, devices are replaced, have reached 'end-of-life' or are no longer in use.

Exceptions

under this policy must be submitted to the CISO or their designate. Authority to approve exception requests is delegated to the Information Risk and Compliance Team. Activities that have received prior approval by the Research Governance and Ethics Committee will be exempt, but the CISO must be notified.

This policy may have an impact on users of assistive technology or assistive software dependent on circumstances. These individual cases will be considered on a case-by-case basis.

Compliance Monitoring

All members of the University are expected to comply with this document as part of the Information Management Policy Framework (IMPF). Where breaches of the IMPF present a significant risk, including those falling under Regulation 23 (Student Disciplinary Offences) and Regulation 31 (Information Management, Security and Records Management), they will be subject to the appropriate student or staff disciplinary procedure or applicable contractual terms for staff not employed directly by the University or contractors.

It is the responsibility of all members to report any instances of non-compliance to the Information Risk and Compliance Team. This can be done via the . This team monitors adherence to the IMPF using reported data and other available tools.

Where issues require escalation or further review, they will be referred to the Information Security and Data Protection Committee via the Chief Information Security Officer (CISO) and include either Conduct and Resolution Team or Employee Relations Team, as appropriate.
