Summary

Biola University’s Enterprise Asset Management Policy outlines the standards for managing technology assets that store, process, or transmit data. It ensures that all such assets, whether owned by the university or simply connected to its network, are properly inventoried, monitored, secured, and disposed of. This policy supports Biola’s mission by promoting accountability, data protection, and operational efficiency across the asset lifecycle.

1. Introduction

• This Enterprise Asset Management Policy provides requirements for governing enterprise asset management at Biola University.
• Enterprise asset management is the process of procuring, identifying, tracking, maintaining, and disposing of enterprise assets.
• An enterprise asset is any Biola-managed asset with the potential to store, process, or transmit data. Enterprise assets include end-user devices, network devices, non-computing/Internet of Things (IoT) devices, and servers in virtual, cloud-based, and physical environments.
• Enterprise asset types are documented in Asset Inventory Systems and Owners.
  • Note: Enterprise assets might not be owned by the university, but need to be managed and/or tracked by Biola Enterprise Asset Managers.
  • Note: Some authorized assets may be allowed to access the enterprise network, even if they are not enterprise assets owned by the university.
• Other assets may be tracked and maintained by Information Technology (e.g. monitors or other assets that don’t store, process, or transmit data). While these assets are important to track and monitor in an enterprise, they are beyond the scope of this document.

2. Purpose

• The purpose of this policy is to state how Biola personnel actively manage the enterprise asset lifecycle. 
• An asset inventory must be created and maintained to support Biola’s mission. This includes the following:
  • Maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data.
  • Identify unauthorized assets on Biola’s Enterprise network to remove or remediate as requested.
• The security goal for managing assets is to accurately know the totality of assets that need to be monitored and protected within the enterprise.

3. Scope and Authority

• This policy applies to any Biola personnel responsible for inventorying and tracking enterprise assets (“Enterprise Asset Managers”).
• This policy applies to all university-owned enterprise assets and any assets that are regularly connected to the university’s network infrastructure, even if they are not under control of the university.
• Information Technology is responsible for all enterprise asset management functions and for informing users of their responsibilities in the use of any enterprise assets assigned to them.
  • Some departments have Enterprise Asset Managers that work in partnership with Information Technology to maintain their enterprise assets.

 

4. Policy

• 4.1 Acquisition

  • Enterprise Asset Managers will assign unique identifiers to all existing and newly acquired enterprise assets.
  • Each enterprise asset (e.g., desktops, laptops, servers, network equipment, tablets, IoT devices), where applicable, must have an enterprise asset tag affixed to the device with this identifier. 
  • Enterprise Asset Managers must ensure that, at a minimum, the following attributes are tracked in the asset inventory (unless the attribute is inapplicable): 
    • Enterprise asset identifier (e.g. IT Asset number or serial number)
    • Date of purchase 
    • End of Life
    • Purchase price 
    • Item description
    • Manufacturer 
    • Model number
    • Serial number 
    • Name of the enterprise asset owner (e.g., administrator, user), role, or business unit, where applicable. 
    • Physical location of enterprise asset, where applicable 
    • Physical (Media Access Control (MAC) address
    • Internet Protocol (IP) address (if static)
    • Warranty information, including expiration date
    • Any relevant licensing information

• 4.2 Management and Discovery

  • Enterprise Assets are managed and monitored on the enterprise network or when they check in to enterprise-managed systems. 
    • Any enterprise asset that is not a computer and is intended to be used offline must be approved by Information Technology, since IT’s network and asset management tools can only track and manage security updates for assets with an Internet connection.
    • Assets on the Enterprise network not included within the enterprise asset inventory may be investigated, since these assets may be unauthorized. IT may choose to remove an unauthorized asset from the network, deny the asset from connecting to the network, quarantine the asset, or approve the asset and add it to the enterprise inventory.

• 4.3 Responsibility and Use

  • The enterprise asset owner (typically the user assigned to the asset) is responsible to: 
    • Contact IT with any problems such as malfunctions, needed repairs, and underutilized equipment or in the event of equipment loss.
    • Use assets in accordance with best security practices. This includes:
    • Protecting assets against unauthorized access or viewing
    • Only using assets to accomplish their job responsibilities
    • Always use assets in compliance with applicable laws and regulations
  • Enterprise Asset Managers are responsible to:
    • Maintain control over the enterprise asset.
    • Review and update the inventory of their enterprise assets at least upon purchasing and decommissioning.

• 4.4 Controlled Disposal

  • Controlled disposal of assets is necessary for an accurate, up-to-date asset inventory.
  • Enterprise Asset owners must dispose of enterprise assets securely.
    • All IT-managed assets to be decommissioned or retired to Information Technology, in accordance with the Technology Asset Retrieval Policy.
  • IT will make a backup of any data on a disposed enterprise asset, as needed.
  • All enterprise assets must have their data storage securely erased prior to disposal, where applicable.
  • Enterprise Asset Managers are responsible for updating the status of disposed enterprise assets within applicable enterprise management systems.

• 4.5 Uncontrolled Disposal

  • All lost or stolen enterprise assets must be immediately reported via the IT Report Lost or Stolen Asset Form.
  • IT will follow the appropriate procedure for addressing lost or stolen assets and notify the necessary parties (i.e., Campus Safety or Corporate Legal).
  • Lost and stolen enterprise assets must have their access to enterprise data revoked as soon as possible.
    • The enterprise assets must also be marked appropriately within the asset inventory.

5. Policy Compliance

• 5.1 Enforcement

  • The IT Information Security team will verify compliance with this policy through various methods, including but not limited to:
  • Blocking unauthorized or out-of-date assets from accessing the Enterprise Network.
  • Addressing enterprise assets that have not been returned  (see “Controlled Disposal”) in accordance with the Technology Asset Retrieval Policy).

• 5.2 Violation 

  • Failure to comply with this policy may result in a report to the CIO and escalation to an Enterprise Asset Manager’s supervisor, up to Board-of-Trustees level.
  • Failure to comply repeatedly may result in a report to the Human Resources department for corrective action.

• 5.3 Accountability

  • Any violations of this policy will be reported to the CIO of Information Technology.

6. Definitions 

• Asset inventory: A register, repository or comprehensive list of an enterprise’s assets and specific information about those assets.
• Asset owner: The department, business unit, or individual responsible for an enterprise asset.
• Authorized asset: Assets allowed on the enterprise network. Will include all enterprise assets, as well as assets given permanent or temporary access. Ideally, all Authorized Assets will be tracked by the university at minimum (though they may not be "managed" by the university).
• Enterprise asset: Biola-managed assets with the potential to store, process, or transmit data. Enterprise assets include end-user devices, network devices, non-computing/Internet of Things (IoT) devices, and servers, in virtual, cloud-based, and physical environments. 
• Enterprise asset management: The process of procuring, identifying, tracking, maintaining, and disposing of enterprise assets. 
• Enterprise asset manager: An individual responsible for the ongoing maintenance of an enterprise asset cataloging system as part of Biola’s asset inventory.
• Enterprise network: The wired and wireless network(s) used primarily for fulfilling business purposes, currently Biola-NetID. The Enterprise network is distinct from guest or student-only networks.  University operations and infrastructure that handle University Data must only be connected to the Enterprise network. 
• Network device: An electronic device required for communication and interaction between devices on a computer network. Network devices include wireless access points, firewalls, physical/virtual gateways, routers, and switches. These devices consist of physical hardware as well as virtual and cloud-based devices. For the purpose of this document, network devices are a subset of enterprise assets.
• Non-computing/Internet of Things (IoT) device: A device embedded with sensors, software, and other technologies for the purpose of connecting, storing, and exchanging data with other devices and systems over the Internet. While these devices are not used for computational processes, they support an enterprise’s ability to conduct business processes. Examples of these devices include printers, smart screens, physical security sensors, industrial control systems, and information technology sensors. For the purpose of this document, non-computing/IoT devices are a subset of enterprise assets.
• Portable end-user device: A transportable, end-user device that has the capability to connect to a network via a wireless connection. For the purpose of this document, portable end-user devices can include laptops and mobile devices such as mobile phones and tablets, all of which are a subset of enterprise assets.
• Remote device: Any enterprise asset capable of connecting to a network remotely, usually from the public Internet over VPN. This can include enterprise assets such as end-user devices, network devices, non-computing/Internet of Things (IoT) devices, and servers.
• Server: A device or system that provides resources, data, services, or programs to other devices on either a local area network or wide area network. Servers can provide resources and use them from another system at the same time. Examples include web servers, application servers, mail servers, and file servers.
• Systems: Any physical or virtual computing and/or communications component that is used in the acquisition, storage, manipulation, display, and/or movement of data.
• Unauthorized asset: An unauthorized asset refers to any device not authorized to access the enterprise network. If discovered on the enterprise network, unauthorized assets must be either (1) inventoried as enterprise assets, (2) removed from the enterprise network, or (3) granted temporary authorization to the network.
  • If the device should be allowed on the enterprise network, it must be inventoried, tracked, and managed by an Enterprise Asset Manager.
  • If the device should not be allowed on the enterprise network, it should be removed from the enterprise network as soon as possible.
• User: An employee (both on-site and remote), third-party vendor, contractor, service provider, consultant, or any other user that operates an enterprise asset.

7. History and Updates

• October 2023 policy created.
• July 2025 - Minor updates.

8. Review Period and Accountability 

• October 2023 policy reviewed by the Biola IT Architecture Team.
• Approved in November 2023 by Biola’s CIO of Information Technology.