IT Asset Management Policy

Policy Status: Draft

This policy is currently draft.

Purpose

To ensure efficient tracking, management, and accountability of all Acme Corp IT assets throughout their entire lifecycle from acquisition through disposal, while maintaining security, optimizing costs, ensuring compliance, and supporting business operations.

Scope

This policy covers all physical and digital IT assets owned, leased, or managed by Acme Corp, including:

Hardware Assets:

  • Computers (desktops, laptops, tablets)
  • Servers and storage devices
  • Network equipment (routers, switches, firewalls, access points)
  • Mobile devices (smartphones, tablets)
  • Peripherals (monitors, keyboards, mice, printers, scanners)
  • Audio/visual equipment
  • IoT and specialized devices

Software Assets:

  • Operating systems and system software
  • Commercial and enterprise applications
  • Custom-developed applications
  • Software licenses and subscriptions
  • SaaS applications and cloud services
  • Development tools and utilities
  • Mobile applications

Digital Assets:

  • Domain names and DNS records
  • SSL/TLS certificates
  • Cloud resource instances
  • Virtual machines and containers
  • API keys and service accounts
  • Intellectual property and source code

Policy Statement

Asset Inventory Management

Acme Corp maintains a comprehensive, centralized inventory of all IT assets:

  • Complete Documentation: All IT assets documented in asset management system (AMS)
  • Real-Time Updates: Inventory updated within 24 hours of any asset acquisition, movement, or disposal
  • Unique Identification: Each asset assigned unique asset ID/tag for tracking
  • Accurate Information: Asset records include all required details (specifications, owner, location, value, etc.)
  • Regular Reconciliation: Physical inventory audits conducted quarterly
  • Integration: Asset inventory integrated with procurement, help desk, and configuration management systems

Asset Identification and Tagging

All physical hardware assets must be properly identified:

  • Asset Tags: Permanent asset tags applied to all company-owned hardware
  • Tag Placement: Tags affixed in visible, consistent location on each device
  • Barcode/QR Codes: Tags include scannable codes for quick inventory updates
  • Unique IDs: Sequential asset IDs that don't duplicate or reuse numbers
  • Tag Durability: Use tamper-evident, durable tags resistant to wear
  • Virtual Assets: Software and digital assets identified through unique license keys or identifiers

Asset Tracking Requirements

Asset records must include comprehensive information:

Required Asset Information:

  • Asset ID and tag number
  • Asset type and category
  • Make, model, and serial number
  • Purchase date and purchase order number
  • Purchase price and current value
  • Vendor and warranty information
  • Assigned user/department
  • Physical location
  • Status (in use, in storage, in repair, retired)
  • License/subscription details (for software)
  • End of life/replacement date
  • Configuration details

Asset Lifecycle Management

All assets managed through complete lifecycle:

Acquisition:

  • Assets procured through approved procurement process (see OPS-009)
  • Received assets inspected and recorded in AMS within 24 hours
  • Asset tags applied before deployment
  • Initial configuration documented

Deployment:

  • Assets configured according to security standards
  • Software licensed and documented
  • Assigned to user with acknowledgment
  • User trained on proper use and care

Maintenance:

  • Regular maintenance scheduled based on manufacturer recommendations
  • Maintenance activities logged in asset record
  • Warranty and support renewals tracked
  • Performance monitoring for critical assets

Monitoring:

  • Asset location and status regularly verified
  • License compliance monitored
  • Usage and performance tracked
  • Renewal dates monitored for licenses and warranties

Retirement:

  • Assets retired at end of useful life or when no longer needed
  • Data securely erased before disposal (see disposal procedures)
  • Asset record updated to retired status
  • Physical assets removed from inventory

Disposal:

  • Secure disposal following documented procedures
  • Certificates of destruction obtained
  • Disposal documented in asset record
  • Financial records updated for asset write-off

Software License Management

All software licenses actively managed:

  • License Tracking: All software licenses documented in AMS
  • Compliance Monitoring: Regular audits ensure license compliance and prevent over/under-licensing
  • Renewal Management: License expiration dates tracked with 60-day renewal reminders
  • Allocation Tracking: License assignments tracked per user/device
  • Vendor Consolidation: Standardize on approved vendors where possible
  • Cost Optimization: Regular review to optimize license costs and eliminate unused licenses
  • Proof of Purchase: Maintain copies of all license agreements and purchase records

Physical Security of Assets

Assets protected from theft, damage, and unauthorized access:

  • Secure Storage: Equipment not in use stored in locked, access-controlled areas
  • Access Control: Physical access to server rooms and equipment areas restricted
  • Portable Devices: Laptops and mobile devices equipped with locks/cables when appropriate
  • Tracking: Missing or stolen assets reported immediately and investigated
  • Insurance: High-value assets appropriately insured
  • Environmental Controls: Critical equipment protected from environmental hazards

Asset Disposal and Sanitization

All assets disposed of securely and responsibly:

  • Data Sanitization: All data-bearing devices sanitized before disposal using NIST 800-88 compliant methods
  • Verification: Data removal verified and documented
  • Physical Destruction: Devices containing sensitive data physically destroyed when appropriate
  • Environmental Responsibility: Disposal through certified e-waste recycling programs
  • Certificates: Obtain and retain certificates of destruction
  • License Decommissioning: Software licenses properly terminated or transferred
  • Documentation: Complete disposal records maintained for 3 years

Roles and Responsibilities

| Role | Responsibility |
|------|----------------|
| Chief Technology Officer | Overall accountability for asset management program, approve policies and major purchases |
| IT Asset Manager | Manage AMS, oversee asset lifecycle, coordinate audits, ensure policy compliance |
| IT Operations Team | Track and maintain asset inventory, perform physical audits, handle asset tagging |
| Procurement Team | Coordinate asset purchases, ensure proper documentation, interface with vendors |
| Finance Team | Track asset financial data, manage depreciation, handle asset accounting |
| Department Heads | Identify asset needs for their teams, ensure proper use and care of assigned assets |
| All Employees | Properly care for assigned assets, report loss/damage/issues promptly, return assets when leaving |
| Security Team | Ensure proper data sanitization, investigate missing assets, enforce security controls |
| Help Desk | Document asset issues and repairs, update asset status, track assignments |

Procedures

New Asset Acquisition and Registration

  1. Receive Asset: Asset received through procurement process
  2. Inspect: Verify asset matches purchase order and is undamaged
  3. Document: Create asset record in AMS with all required information
  4. Tag: Apply asset tag with unique ID
  5. Configure: Set up asset according to configuration standards
  6. Photograph: Take photo of asset for records
  7. Assign: Assign to user/department and obtain acknowledgment
  8. Update: Update asset status to "In Use" in AMS

Asset Assignment and Transfer

  1. Request: User/manager submits asset assignment request
  2. Availability Check: Verify asset available in inventory
  3. Prepare: Configure asset for new user if needed
  4. Document Transfer: Update AMS with new assignment details
  5. User Acknowledgment: Obtain signed acknowledgment of asset receipt and care responsibilities
  6. Old User: Ensure previous user returns asset and signs transfer form
  7. Location Update: Update physical location in AMS
  8. Notification: Notify relevant parties of asset transfer

Asset Audit and Reconciliation

Quarterly physical inventory audits:

  1. Plan Audit: Schedule audit and assign teams
  2. Prepare: Generate current inventory report from AMS
  3. Physical Verification: Scan/verify each asset tag and confirm:
      • Asset location matches records
      • Asset condition documented
      • Assigned user confirmed
      • Asset tag intact and readable
  4. Identify Discrepancies: Document any missing, untagged, or mismatched assets
  5. Investigate: Research discrepancies and attempt to locate missing assets
  6. Update Records: Correct inventory records based on findings
  7. Report: Generate audit report with findings and recommendations
  8. Follow-up: Address issues and implement corrective actions

Software License Compliance Review

Monthly review process:

  1. Generate Report: Export current license inventory from AMS
  2. Usage Analysis: Compare licenses purchased vs. licenses in use
  3. Identify Issues:
      • Over-licensed software (paying for unused licenses)
      • Under-licensed software (compliance risk)
      • Expired licenses needing renewal
      • Redundant software across different vendors
  4. Cost Optimization: Identify opportunities to reduce license costs
  5. Compliance Actions: Procure additional licenses or remove software as needed
  6. Documentation: Update license records and compliance status
  7. Report: Submit monthly license compliance report to IT management

Asset Maintenance and Repair

  1. Schedule Maintenance: Proactive maintenance scheduled based on manufacturer recommendations
  2. Report Issues: Users report asset problems through help desk
  3. Assess: Determine if repair, replacement, or disposal appropriate
  4. Track: Create maintenance ticket and link to asset record
  5. Repair/Replace: Execute repair or replacement
  6. Update Status: Update asset status during repair (mark as "In Repair")
  7. Document: Log all maintenance activities in asset record
  8. Return: Return repaired asset to user and update status to "In Use"
  9. Cost Tracking: Track maintenance costs per asset

Asset Retirement and Disposal

  1. Identify for Retirement: Assets reaching end of life or no longer needed
  2. Approval: Obtain approval from IT Asset Manager
  3. Data Backup: Ensure any needed data backed up
  4. Data Sanitization:
      • For storage devices: Use NIST 800-88 compliant wiping tools (minimum 3-pass overwrite)
      • For highly sensitive devices: Physical destruction (shredding, degaussing)
      • For other devices: Factory reset and verification
  5. Verification: IT security verifies complete data removal
  6. Decommission: Remove from network, disable accounts, remove from systems
  7. Update Records: Change status to "Retired" with retirement date
  8. Disposal Options:
      • Donate to approved charitable organizations
      • Recycle through certified e-waste vendor
      • Trade-in to vendor for credit
      • Physical destruction for sensitive devices
  9. Certificate of Destruction: Obtain and file certificate
  10. Financial Update: Notify finance team for asset write-off
  11. Documentation: Complete disposal record with method, date, and certificate

Lost or Stolen Asset Response

  1. Immediate Report: User reports loss/theft to IT and security immediately
  2. Document: Create incident report with circumstances
  3. Remote Actions: If applicable:
      • Remotely lock device
      • Remotely wipe device data
      • Disable user credentials
      • Monitor for unauthorized access
  4. Investigation: Security team investigates circumstances
  5. Law Enforcement: File police report for theft if appropriate
  6. Insurance Claim: Submit insurance claim if applicable
  7. Update Records: Mark asset as "Lost" or "Stolen" in AMS
  8. Replacement: Approve and procure replacement asset if needed
  9. Lessons Learned: Review incident and improve security if needed

Exceptions

Exceptions to asset management requirements may be granted for:

  • Personal Devices (BYOD): Employees using personal devices under approved BYOD policy
  • Short-Term Loans: Equipment borrowed temporarily (under 30 days) from partners
  • Pilot Programs: New technology being evaluated before full deployment
  • Vendor-Managed Equipment: Equipment owned and managed by vendors

All exceptions require:

  • Written request with justification
  • IT Asset Manager approval
  • Documentation of alternative tracking method
  • Quarterly review of continued necessity

Compliance and Enforcement

  • System Enforced: Asset management system configured to enforce policy requirements
  • Quarterly Audits: Physical inventory audits verify compliance
  • Monthly License Reviews: Software license compliance checked monthly
  • Annual Certification: Department heads certify asset accuracy annually
  • Metrics Tracking:
      • Inventory accuracy rate (target: >95%)
      • Asset tagging compliance (target: 100%)
      • License compliance rate (target: 100%)
      • Audit finding resolution time
      • Asset disposal documentation completeness
  • Reporting: Quarterly asset management reports to executive leadership
  • Violations: Non-compliance consequences:
      • Missing assets: Investigation and potential cost recovery from responsible party
      • Improper disposal: Mandatory retraining and corrective action
      • License violations: Immediate purchase of required licenses plus fine
      • Repeated violations: Disciplinary action up to termination

References

  • ISO/IEC 19770: IT Asset Management
  • ITIL Asset Management Best Practices
  • NIST SP 800-88: Guidelines for Media Sanitization
  • SOC 2 Trust Service Criteria: Asset Management
  • HIPAA Security Rule - Device and Media Controls
  • FASB Standards for Asset Accounting

Revision History

| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 1.0 | 2025-11-08 | IT Team | Initial version migrated from Notion |

Document Control

  • Classification: Internal
  • Distribution: All employees, IT team, finance team, procurement team
  • Storage: GitHub repository - policy-repository