30.16 - Technology Hardware Lifecycle Management

Contents:

A. Purpose
B. Scope
C. Definitions
D. Policy
E. Non-Compliance
F. Exceptions
G. Contact Information
H. References

A. Purpose

Technology hardware is used to support instruction, research, outreach, and service missions; administrative functions; and student and campus life activities. This policy addresses the lifecycle management and stewardship of U of I technology hardware to provide quality support; data security; the lowest possible total cost of ownership; and compliance with applicable federal and state laws, Idaho State Board of Education and U of I policies and procedures, and industry best practices.

Each piece of technology hardware connected to University systems represents a use of University resources, including personnel time and operating funds, and can represent a risk to our institution if not managed properly throughout its complete lifecycle from procurement to decommissioning. The Office of Information Technology/Information Technology Services (OIT/ITS), in collaboration with Contracts and Purchasing Services (C/PS), strives to acquire and maintain technology hardware in a manner that:

• Ensures specifications to meet University current and, wherever possible, future technology needs,
• Provides the lowest possible total cost of ownership,
• Supports the secure acquisition, compliant baseline configuration, and appropriate ongoing security posture for University infrastructure, systems, and data, and
• Complies with applicable federal and state regulations as well as Idaho State Board of Education and U of I policies and procedures.

B. Scope

This policy applies to all technology hardware owned, used or operated by the University and its employees and affiliates, regardless of the source of funding, location or intended purpose.

C. Definitions

C-1. Technology Hardware. All University-owned, -leased, or -maintained computing equipment that processes or stores University data .

C-2. Managed Technology Device. Standard technology hardware that is managed by ITS-defined security and management software.

C-3. Security and Management Software. Tools required by the University to maintain continuous, appropriate, and compliant configuration and security management for the University’s technology hardware. This may include but is not limited to antivirus, vulnerability, and configuration management tools defined in the standards for APM 30.11.

C-4. Standard Technology Hardware. Technology hardware as defined and documented by ITS that meets University specifications. Standard technology hardware will be the default hardware purchased and utilized unless it does not meet the needs of the situation and an ITS exception is granted. Standards will be reviewed on a regular basis and documented in the ITS Portal.

C-5. Total Cost of Ownership. The complete lifecycle cost of technology hardware including but not limited to purchase price, delivery costs, installation, updating, warranties, and personnel costs for maintenance, repair, and decommissioning. Purchase price is only a component of total cost of ownership.

D. Policy

D-1. University of Idaho employees shall procure technology hardware, regardless of funding source , through the U of I technology procurement process as documented on the ITS Portal. Whenever feasible purchases shall be limited to Standard Technology Hardware unless an exception request is preapproved pursuant to section F.

D-2. Technology hardware may not be purchased on University issued P-cards except by ITS as a part of the U of I technology procurement process. Personal funds reimbursed by the University may not be used to purchase technology hardware.

D-3. Whenever feasible, technology hardware shall be treated as a managed technology device. Exceptions to this will be at the discretion of ITS.

D-4. All technology hardware shall be tracked in and through central inventory management systems as documented on the ITS Portal.

D-5. Repairs or upgrades of technology hardware shall be coordinated through ITS.

D-6. Security and management software shall not be removed or rendered unusable for any reason on any managed technology device unless preapproved through ITS.

D-7. No hardware or software shall be added, modified, or removed from technology hardware that negatively impacts the performance of security and management software.

D-8. Upon any of the below events, managed devices shall be cleaned of all data through an approved ITS process and reset to meet managed device standards, unless an exception is approved by ITS; in addition, all technology equipment shall be evaluated by ITS to ensure use is still appropriate.

• The end of employment of an employee
• Change of position of an employee
• Reallocation of technology hardware resources
• Receipt of new technology hardware
• Situations deemed necessary to address security or compliance

As part of an employee’s offboarding process, the supervisor is responsible for contacting ITS to secure electronic information that is subject to archival or records management policy.

D-9. Surplus or disposal of technology hardware will be coordinated through ITS as documented on the ITS Portal.

E. Noncompliance

Noncompliance with this policy may result, depending upon the nature of the noncompliance, in the user’s account or access being suspended to U of I technology resources as stated in Section B.3 of APM 30.12 (Acceptable Use of Technology).

If technology hardware is procured in a noncompliant manner or causes interference to any University business process, any or all of the following may occur:

• Technology hardware may be disabled or removed from accessing the University network
• Technology hardware may be blocked from accessing University systems and data
• Technology hardware may be returned to the vendor

Any costs of remedying noncompliance will be the responsibility of the unit in violation of this policy.

F. Exceptions

Exception requests must be preapproved. Technology hardware needs will be considered based on program need. Exceptions to this policy will require prior approval of the Vice President for Information Technology and Chief Information Officer or designee based on a recommendation approved by on the supervising VP/dean/director.

Exception requests to this policy can be submitted for approval on the ITS Portal site. Click here for more information.

G. Contact Information.

ITS can assist with questions regarding sections D-1 through D-5 and D-9 of this policy and related standards . Questions should be submitted through the ITS Portal. The ITS Information Security Office can assist with questions regarding sections D-6 through D-8 of this policy and related standards. General questions can be directed to the Vice President for Information Technology and Chief Information Officer or designee.

H. References.
UI – APM 60.04 – Internal Purchases and Charges
UI – APM 30.11 – University Data Classifications and Standards
Standards for Data Classifications
CIS Critical Security Control #1 (Inventory and Control of Enterprise Assets)
NIST 800-171r2 – 3.4.1 (Configuration Management), 3.8.3 (Media Sanitization)
Critical Security Control #2 (Audit)

Version History

Amended 2022. Comprehensive review and revision. Standardized purchasing process to allow UI to obtain better pricing for new computing resources.

Adopted 2007.