SSAFA Volunteer Knowledgebase

SSAFA Volunteer Knowledgebase  /  SSAFA Policies & Guidance  /  SSAFA Policies

IT Asset Management Policy

Updated on

This IT asset management policy provides a framework for the appropriate and effective management of IT equipment (hardware, software, services and platforms) from procurement to disposal in SSAFA.

Policy

It is SSAFA  policy that all hardware, software (apps), systems, services (otherwise known as Software as a Service and Platform as a Service) are:

  • Managed appropriately from the point of acquisition to the time of disposal in a way that is compliant with the SSAFA's regulatory obligations
  • Procured correctly, with IT (and Data Governance as necessary) leading the procurement process based on requirements documents where necessary.
  • Registered/logged with IT (and Data Governance as necessary) so that a record exists of what is in use, by whom and for what reason(s) because each device/system/service is a potential attack vector for the organisation.
  • Supported and maintained throughout their lifecycle so that they deliver best value for the investment.
  • Controlled/secured effectively to protect the data and information that they store, process or transmit.
  • Administrated for the identification of risk and business continuity planning.

Client/User devices

Client or User devices are typically placed in the trusted care of employees. These would include laptops, mobile devices and peripherals. As such, these devices must be:

  • Returned to IT no later than the day of termination to be securely cleared of user data, thoroughly checked out and subject to other IT processes.
  • Returned to IT before changing owner/user.

When it comes to looking for an updated or new solution, the IT team must be informed/involved from the idea inception stage to ensure adequate resource for the change and avoid what is known as Shadow IT.

Scope

This policy applies to all hardware, software, systems, services (otherwise known as Software as a Service and Platform as a Service) utilised by and purchased by SSAFA, regardless of who purchased and when.

  • All desktop and laptop computers (including docking stations)
  • All monitors, printers, scanners and portable storage devices
  • All phones and mobile data devices (e.g. smartphones, tablets and other portable computing equipment)
  • All meeting room or shared/open access area IT equipment such as TVs and conferencing systems
  • All networking equipment such as firewalls, routers and switches
  • System software, client applications and associated licences
  • All web software (software as a service or platforms as service)
  • Any other IT peripheral costing £50 or more

Web based stuff can appear complex. In short, if it requires a username and password to access, it is in scope even if it is only used by one directorate in isolation.

General principles

  • All IT assets purchased by SSAFA or SSAFA funds are the property of SSAFA and will be deployed and utilised in a way that is deemed most effective for addressing the organisation's needs and objectively demonstrates value for money. The budget for IT assets will be centralised and managed by the IT Directorate on behalf of the organisation.
  • The procurement of IT assets must be undertaken in consultation with and carried out by the IT Directorate from inception.
  • The management of IT assets must comply with this policy. Breach of this policy may result in any device/system/service being remotely wiped or blocked from use. A breach may also be considered a disciplinary offence.
  • All physical, client devices purchased (excluding consumable items, e.g. keyboards, mice, etc.) will be registered in the asset management system and be asset tagged before being issued or put into use.
  • Individual users or departments will be held responsible for protecting the IT assets that have been assigned to them against physical or financial loss whether by theft, mishandling or accidental damage by using appropriate physical security measures.
  • End users are not allowed to install unapproved software on devices. Requests should be made to the IT Service Desk to have additional software that is not on the approved hardware and software list installed on to a device. Any software installed must be legitimately purchased and licensed for the use made of it.
  • In order to ensure the confidentiality of information, any IT asset that has been used to process or store  personal or sensitive information will be wiped before being reissued and must go through a physical disposal and destruction process at the end of its useful life.
  • AI capable systems are subject to a much more detailed process.

Violations

For example only, this policy is considered violated if:

  • A manager exchanges, or permits the exchange of client devices without IT involvement because, for example, asset lists would then be incorrect.
  • An outgoing member of staff retains SSAFA equipment after their termination date because equipment can only be with people who are under contract.
  • A user or department procures a device without the IT Directorate's knowledge and/or without IT involvement because it might not meet technical or security requirements.
  • A user or department procures or signs up to a cloud based service or website without IT involvement because, for example, the administration of users accessing that service would not be controlled or assisted by IT.
  • A user or department begins evaluating alternative solutions before requirements have been documented and IT advice sought, because this often leads to being wedded to a particular solution/product and requirements written with bias.

Exclusions

This policy excludes Information and Data Management

AI procurement policy

IT policy

Previous Article Investments Policy
Next Article Mobile Policy

SSAFA Policies & Guidance

SSAFA Policies 33
Vetting Guidance 2
Volunteer Policies 8

Other Resources

Print Article