SSAFA Volunteer Knowledgebase

IT Asset Management Policy


This IT asset management policy provides a framework for the appropriate and effective management of IT equipment (hardware, software, services and platforms) from procurement to disposal in SSAFA.

Policy

It is SSAFA policy that all hardware, software (apps), systems and services/platforms (otherwise known as Software as a Service and Platform as a Service) are:

  • Managed appropriately from the point of acquisition to the time of disposal in a way that is compliant with SSAFA's regulatory obligations and general best practice.
  • Procured correctly, with IT (and Data Governance as necessary) leading the procurement process based on requirements documents where necessary. This includes free services or platforms too, as there will always be governance necessary when introducing new digital initiatives into SSAFA.
  • Registered/logged with IT (and Data Governance as necessary) so that a record exists of what is in use, by whom and for what reason(s) because each device/system/service is a potential attack vector for the organisation.
  • Supported and maintained throughout their lifecycle so that they deliver best value for the investment.
  • Controlled/secured effectively to protect the data and information that they store, process or transmit.
  • Administered so that risk can be identified and business continuity planning carried out.

Client/User devices

Client or User devices are typically placed in the trusted care of employees. These typically include laptops, mobile devices and peripherals. As such, these devices must be:

  • Returned to IT no later than the day of termination to be securely cleared of user data, thoroughly checked out and subject to other IT processes.
  • Returned to IT before changing owner/user so they can be digitally cleaned and reset to a supported default.

When it comes to looking for an updated or new solution, the IT team must be informed/involved from the idea inception stage to ensure adequate resource for the change and avoid what is known as Shadow IT.

Scope

This policy applies to all hardware, software, systems and services (otherwise known as Software as a Service and Platform as a Service) utilised by and purchased by SSAFA, regardless of who initially purchased them and when.

  • All desktop and laptop computers (including docking stations)
  • All monitors, printers, scanners and portable storage devices
  • All phones and mobile data devices (e.g. smartphones, tablets and other portable computing equipment)
  • All meeting room or shared/open access area IT equipment such as TVs and conferencing systems
  • All networking equipment such as firewalls, routers and switches
  • System software, client applications and associated licences
  • All web-based software or platforms (software as a service or platform as a service), with Menti or Canva being two simple examples.
  • Any other physical IT peripheral costing £50 or more

Web-based services can appear complex. In short, if it requires a username and password to access, it is in scope even if it is only used by one person or department in isolation.

General principles

  • All IT assets purchased by SSAFA or SSAFA funds are the property of SSAFA and will be deployed and utilised in a way that is deemed most effective for addressing the organisation's needs and objectively demonstrates value for money. The budget for IT assets will be centralised and managed by the IT Directorate on behalf of the organisation.
  • The procurement of IT assets must be undertaken in consultation with and carried out by the IT Directorate from inception.
  • The management of IT assets must comply with this policy. Breach of this policy may result in any device/system/service being remotely wiped or blocked from use. A breach may also be considered a disciplinary offence.
  • All physical, client devices purchased (excluding consumable items, e.g. keyboards, mice, etc.) will be registered in the asset management system and be asset tagged before being issued or put into use.
  • Individual users or departments will be held responsible for protecting the IT assets that have been assigned to them against physical or financial loss whether by theft, mishandling or accidental damage by using appropriate physical security measures.
  • End users are not allowed to install unapproved software on devices. Requests should be made to the IT Service Desk to have additional software that is not on the approved hardware and software list installed on to a device. Any software installed must be legitimately purchased and licensed for the use made of it.
  • In order to ensure the confidentiality of information, any IT asset that has been used to process or store personal or sensitive information will be wiped before being reissued and must go through a physical disposal and destruction process at the end of its useful life.
  • AI capable systems are subject to a much more detailed process involving tighter scrutiny and ethics.

Violations

For example only, this policy is considered violated if:

  • A manager exchanges, or permits the exchange of client devices without IT involvement because, for example, asset lists would then be incorrect.
  • An outgoing member of staff retains SSAFA equipment after their termination date because equipment can only be with people who are under contract.
  • A user or department procures a device without the IT Directorate's knowledge and/or without IT involvement because it might not meet technical or security requirements.
  • A user or department procures or signs up to a cloud based service or website without IT or Data Governance involvement because, for example, the administration of users accessing that service would not be centrally managed or assisted by IT in terms of securing to minimum standards.
  • A user or department begins evaluating alternative solutions before requirements have been documented and IT advice sought, because this often leads to being wedded to a particular solution/product and requirements written with bias.

Exclusions

This policy excludes Information and Data Management as general concepts but not the tools or platforms that might underpin them.
