The Information Technology Asset Manager should maintain information on each vendor on a separate Approved IT Vendor Data Worksheet Template; this should be kept with the vendor’s file. Information Technology Managers should review the results of the security check and determine the level of vendor access to sensitive information. This security level should be recorded on ITAM103-3 APPROVED IT VENDOR DATA SHEET.
Quality Management should periodically reevaluate Information Technology vendors (to be done at least annually), according to the company’s vendor performance criteria. In the case of critical assets, Quality Management should periodically request a vendor inspection.
All employees should receive a copy of ITSD109-1 COMPANY BYOD POLICY ACKNOWLEDGEMENT. Upon reviewing the document, each employee should sign and date their copy of the acknowledgement and return it to Human Resources. Employees should keep a copy of this document for themselves. The BYOD Policy & Acknowledgement Template covers BYOD and the company, BYOD guidelines, and employee acknowledgment.
At regular intervals (annually, at a minimum), the IT Manager should review the company’s BYOD policy to see if it continues to meet company and other requirements (legal/regulatory, etc.). If the BYOD policy does not adequately address company and other requirements, the IT Managers should convene the Policy Committee for the purpose of implementing revisions to the policy. Where the policy does not meet requirements, the Policy Committee should revise the policy as needed and communicate the revised policy to the IT Manager, who is responsible for its implementation and distribution.
The Company E-Mail Policy Acknowledgement Template covers e-mail and the company, general guidelines, and employee acknowledgement. All employees should receive a copy of ITAD108-1 COMPANY E-MAIL POLICY ACKNOWLEDGEMENT. Upon reviewing the document, each employee should sign and date their copy of the acknowledgement and return it to Human Resources. Employees should keep a copy of this document for themselves.
Upon approval of the email policy by the policy committee, Information Technology Managers should communicate the policy to all department managers. Department managers should, in turn, communicate the policy to all employees in their departments. The Information Technology Security Manager should be responsible for monitoring company email and enforcing the email policy.
The Computer-Internet Usage Policy Acknowledgement Template covers acceptable use, inappropriate use, internet and e-mail security, and more. All terms and conditions as stated in the policy are applicable to all users of the company network and the Internet. These reflect an agreement of all parties and should be governed and interpreted in accordance with the laws of the country, state, municipality, etc., in which the company is located.
The user signifies his or her understanding of the aforementioned policies and agrees to abide by them. The user also signifies understanding that violating these policies is, at the least, unethical and may even be a criminal offense, punishable by revocation of access privileges, disciplinary action (which may include termination), and/or court action that could result in a fine, imprisonment, or both.
Once the user signs ITAD107-1 COMPANY COMPUTER AND INTERNET USAGE POLICY, they should deliver the signed original to Human Resources and retain or be given a copy for their personal records. Any user violating the policies or applicable local, state, or federal laws while using the company network should be subject to loss of network privileges and any other disciplinary actions deemed appropriate, possibly including termination and criminal/civil prosecution.
This policy applies to all employees with access to the Internet and related services through the company network infrastructure. Internet-related services include all services provided with the TCP/IP protocol, including but not limited to Electronic Mail (email), File Transfer Protocol (FTP), and World Wide Web (WWW) access.
Changes typically originate in the user area, though the software design team may initiate changes. A change request should be submitted using a Design Change Request Template. At a minimum, ITSW108-1 DESIGN CHANGE REQUEST FORM should capture the project name, project number, project manager’s name, the name of the requestor, request date, resolution requested by date, description of and reason for change, impact on scope and/or deliverables, impact on time and cost, impact on resources and quality, change accepted or rejected, and sign-off signatures from those in charge.
The Project Manager, Systems Analyst, and Software Designer should review each proposed design change and determine what action to take. Questions to consider include:
Do the benefits of the change outweigh its costs?
Can the change be implemented in an acceptable amount of time?
Is the change functionally necessary?
Can the change be implemented in a subsequent release of the product?
The Software Designer should estimate potential delays caused by the change, add this information to the Design Change Request Form, and forward it to the project’s Systems Analyst. The Project Manager should rework the project schedule and submit the form to User Management for its approval.
The Information Technology Plan Template includes the actual management process and content details, and should be updated by Information Technology Managers. ITAD101-1 INFORMATION TECHNOLOGY PLAN expands the technical details to include seven required sections:
IT Departmental Goals and Objectives
Resource and Budget Estimates
Roles and Responsibilities
Information Technology Plan Distribution List
On an annual basis, the company’s CEO should conduct strategic planning meetings with Top Management before the Information Technology Managers’ planning process. The CEO is responsible for seeing that strategic objectives for the company are defined and measurable, as they will form the basis for Information Technology strategic objectives. Once the Information Technology Plan is created, Information Technology Managers are responsible for distributing (communicating) the new plan to the appropriate personnel listed on the Information Technology Plan Distribution List and collecting the preceding Information Technology Plan.
Instances of access and use of any Information Technology resource should be automatically logged in the IT Access Control Log Template. ITSD106-3 ACCESS CONTROL LOG should be retained in accordance with legal and regulatory requirements. Access to applications should be limited to authorized users and to normal business hours, with reasonable exceptions.
Access control is defined as the enforcement of specified authorization rules based on positive identification of users and the systems or data they are permitted to access (or, providing access to authorized users while denying access to unauthorized users). The Information Technology Security Manager should periodically (once a week is recommended) review the Access Control Log and present a status report to Information Technology Managers.
The Information Technology Security Manager should determine the company’s current state of access control, to develop a baseline for the IT Access Control Plan Template. After it is developed, ITSD106-1 IT ACCESS CONTROL PLAN should be submitted to Information Technology Managers for review and possible revision. The IT Access Control Plan Template should contain the following, at a minimum:
Business requirements for access regulation;
Rules for managing user access;
User responsibility guidelines;
Access control and operating systems;
Access control and applications; and
Monitoring user access.
The Information Technology Security Manager should monitor the IT Access Control Plan (that is, whether systems, databases, etc., are being used appropriately by the right people) by reviewing access logs, security logs, etc., on a periodic basis (once a week is recommended). Findings of such reviews should be reported to the Security Review Committee for its review and possible action.
The Information Technology Asset Manager should maintain the IT Approved Vendor List Template, listing vendors with which it has done business over the last five years, for reference purposes. ITAM103-4 IT VENDOR LIST includes vendor ID, contract number, asset class, and more.
If a vendor is found to be out of compliance, Quality Management should submit a Corrective Action Request, in accordance with the IT Incident Handling procedures. The Information Technology Asset Manager should update the disqualified vendor’s entry in the IT Vendor List. Disqualified vendors should be prohibited from doing business with the company for one year from date of disqualification.
The IT Asset Acquisition List Template should be submitted to Information Technology Managers and Finance for budget approval. ITAM102-2 IT ASSET ACQUISITION LIST includes asset description, quantity, unit price, extension, and more. The IT Asset Acquisition List Template should be prepared after the review of each IT Asset Requisition/Disposal Form.
Information Technology Managers are responsible for approving acquisition or disposal of Information Technology assets and for reviewing the IT Asset Management procedure with the Information Technology Asset Manager on a regular basis, to ensure its continued conformance to the Information Technology Plan.
The IT Asset Assessment Checklist Template should be used by the Tech Support Manager as a guide to conducting Information Technology asset assessments. Prior to an assessment, the Information Technology Asset Manager should review ITAM104-1 IT ASSET ASSESSMENT CHECKLIST for possible modifications. Assessments should be conducted annually, at a minimum.
Information Technology asset assessments should also be conducted whenever a large turnover of assets (for example, a large number of PC leases expires in a short time frame) occurs. The Information Technology Asset Manager should ensure that the Tech Support Manager has the current version of the IT Asset Assessment Checklist Template on hand prior to conducting a network scan.
When configuring Information Technology assets for company use, Tech Support should record (or update) each Information Technology asset’s configuration on the IT Asset Configuration Worksheet Template. ITAM101-2 IT ASSET CONFIGURATION WORKSHEET covers system identification, hardware components, hardware configuration, and more.
Tech Support should install, configure, repair, and replace Information Technology assets. In the course of performing such services, Tech Support should ensure that the company’s Information Technology Asset Standards are met. The Information Technology Asset Manager should conduct a periodic Information Technology asset scan to determine if all assets on the company Information Technology network conform to standards.
The Tech Support Manager should record the user’s responses to the installation on the IT Asset Installation Follow-Up Report Template and forward this report to the Information Technology Asset Manager. The IT Asset Manager should collect ITAM105-1 IT ASSET INSTALLATION FOLLOW-UP REPORT forms and add the information to an Installation Satisfaction Report file (or database).
The IT Asset Manager should review the contents of the Installation Satisfaction Report file, analyze the information (identifying trends, anomalies, etc.), and report its findings to Information Technology Managers. IT Managers should review the Asset Manager’s findings and may make recommendations regarding the findings (which may include corrective or preventive actions).
The IT Asset Inventory Database Log Template keeps track of asset ID, asset class, asset description, model number, and more. Tech Support should update the ITAM102-5 IT ASSET INVENTORY DATABASE after installing assets. Asset Management should update the IT Asset Inventory Database after the disposal of assets.
The Information Technology Asset Manager should conduct a periodic assessment of Information Technology assets to verify their status (i.e., in use/not in use), in accordance with the IT Asset Assessment Procedures.
Certain activities/events may trigger acquisition and/or disposition of Information Technology assets, such as receiving an IT Asset Requisition/Disposal Form due to an unplanned event. Company personnel should use ITAM102-1 IT ASSET REQUISITION/DISPOSAL FORM to request new or replacement Information Technology assets. This form should be approved by the appropriate department manager before being submitted to the Information Technology Asset Manager.
The Information Technology Asset Manager should review the IT Asset Requisition-Disposal Request Template for correctness and completeness and should ensure the requested assets are within the Information Technology asset budget. If the value of the Information Technology asset being requested is less than $500, the Information Technology Asset Manager should order the requested asset(s) without requiring further approval.
The Tech Support Manager should consolidate and summarize asset scan results on the IT Asset Scan Summary Report Template. The Tech Support Manager should prepare and submit their findings – including ITAM104-2 IT ASSET SCAN SUMMARY – to the Information Technology Asset Manager.
The Tech Support Manager should run a scan on the company’s Information Technology network to determine the status of all Information Technology assets on the network and compare the results, looking for information such as:
What Information Technology hardware is on the network and who are the registered “owners”;
Whether hardware is in use or not;
What software is installed on each computer, whether it is the correct version, and whether it is a licensed copy; and/or
Whether unapproved/unauthorized software has been installed on any PC.