O.R.C. 5120.01; 5120.22



Similar documents
This policy applies to all DRC employees, contractors, volunteers, interns and other agents of the state.

STATE OF OHIO I. AUTHORITY

STATE OF OHIO I. AUTHORITY

CAPITAL ASSET AND SUPPLY INVENTORY CONTROL

DOT.Comm Oversight Committee Policy

DEPARTMENT OF REHABILITATION March 2, 2015 AND CORRECTION APPROVED:

Proposal Invitation No Technology Equipment and Supplies, Software, Telecommunications Products, Asset Disposal and Recovery

PCI Data Security and Classification Standards Summary

STCC Hardware & Equipment Policy

Payment Card Industry Compliance

U.S. DEPARTMENT OF THE INTERIOR OFFICE OF SURFACE MINING RECLAMAION AND ENFORCEMENT DIRECTIVES SYSTEM

FIXED ASSET ACCOUNTING POLICY

Dublin City University

IT Asset Management. ProPath. Office of Information and Technology

CITY UNIVERSITY OF HONG KONG. Inventory and Ownership Standard

California State University, Long Beach Research Foundation. Fixed Assets Policy & Procedures

Overview. Responsibility

DRAFT IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) Asset Management Policy #2430

IMAC/D Service description

Information Security Program Management Standard

STATE OF OHIO. DEPARTMENT OF REHABILITATION September 24, 201 AND CORRECTION I. AUTHORITY

Payment Card Industry (PCI) Policy Manual. Network and Computer Services

Miami University. Payment Card Data Security Policy

E. Custodian - the Vice President for Administrative Services and Finance or designee.

Office Equipment Disposal Policy

Virginia Commonwealth University School of Medicine Information Security Standard

FEDERAL PROPERTY MANAGEMENT PROCEDURE GUIDE

Section IV Property Management

STATE OF OHIO DEPARTMENT OF REHABILITATION AND CORRECTION I. AUTHORITY

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Policy: Information Technology Refresh Policy

HOWARD UNIVERSITY. I. Policy Statement. II. Rationale. III. Entities Affected by the Policy. IV. Definitions. Policy Number:

Control of Fixed Assets

Department of Youth Services Asset ManagementAudit

Ohio Supercomputer Center

University Enterprises, Inc. Fixed Asset and Intangible Asset Policy

COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL

ADMINISTRATION AND FINANCE POLICIES AND PROCEDURES. FIXED & MOVABLE ASSETS ACCOUNTING/INVENTORY CONTROL Revision Date: 01/01/2014 TABLE OF CONTENTS

State of Vermont. Digital Media and Hardware Disposal Standard. Date: Approved by: Policy Number:

RELATED ACA STANDARDS: EFFECTIVE DATE: ` March 18, 2015 DEPARTMENT OF REHABILITATION AND CORRECTION

Publication 805-A Revision: Certification and Accreditation

HIPAA Training for Staff and Volunteers

GEORGIA DEPARTMENT OF CORRECTIONS Standard Operating Procedures IVJ Authority: Effective Date: Page 1 of Wetherington/Ferrero 12/31/01 12

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

Ohio Supercomputer Center

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

DAS Statewide Policy. SUBJECT: Information Technology Asset Inventory/Management NUMBER: IRM

INFORMATION TECHNOLOGY SYSTEMS ASSET MANAGEMENT GUIDELINE

REVIEW OF THE INTERNAL CONTROLS OF THE RTA S INFORMATION SYSTEM

Information Resources Security Guidelines

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

Cyber Self Assessment

Excerpt of Cyber Security Policy/Standard S Information Security Standards

Equipment Management Guidelines

Computer Security Incident Reporting and Response Policy

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

FIXED ASSET AND CAPITAL PURCHASE POLICY

Supplier IT Security Guide

PERSONAL PROPERTY MANAGEMENT

Subject: Information Technology Configuration Management Manual

Agreement Number: F.E.I.D. Number: Procurement Number: D.M.S. Catalog Class Number:

TECHNICAL VULNERABILITY & PATCH MANAGEMENT

Privacy Impact Assessment. For. Non-GFE for Remote Access. Date: May 26, Point of Contact and Author: Michael Gray

POLICY STATEMENT Commonwealth of Pennsylvania Department of Corrections

FAYETTEVILLE STATE UNIVERSITY

SEC Partner Teleconference September 29, 2010

WHO SHOULD READ THIS POLICY

Index .700 FORMS - SAMPLE INCIDENT RESPONSE FORM.995 HISTORY

HP Hardware Support Onsite Service

McGill University IT Asset Management Regulation

Revision Date: October 16, 2014 Effective Date: March 1, Approved by: BOR Approved on date: October 16, 2014

AGATE FIRE PROTECTION DISTRICT RESOLUTION NO A RESOLUTION OF THE AGATE FIRE PROTECTION DISTRICT BOARD OF

Hickman Mills C-1 School District. Inventory Control Procedures

BERKELEY COLLEGE DATA SECURITY POLICY

ICT budget and staffing trends in the UK

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS

Department of Homeland Security Management Directive System MD Number: 0565 Issue Date: 12/10/2004 PERSONAL PROPERTY MANAGEMENT DIRECTIVE

Data Management Policies. Sage ERP Online

Asset management policy

FINANCIAL POLICIES & PROCEDURES USER GUIDE SECTION 15

HIPAA Compliance Evaluation Report

BUDGET LETTER PEER-TO-PEER FILE SHARING , , EXECUTIVE ORDER S-16-04

MCOLES Information and Tracking Network. Security Policy. Version 2.0

Management Standards for Information Security Measures for the Central Government Computer Systems

Texas A&M University System. Asset Management Manual

Cloud Hosting For Existing ShopWorks Customers

PROPERTY MANAGEMENT GUIDELINES

TABLE OF CONTENTS INTRODUCTION... 1 OVERVIEW... 1

ADMINISTRATIVE PROCEDURE

SOUTH EASTERN SCHOOL DISTRICT

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No MERCHANT DEBIT AND CREDIT CARD RECEIPTS

DEPARTMENTAL DIRECTIVE

UNIVERSITY OF ROCHESTER INFORMATION TECHNOLOGY POLICY

STANDARDIZED SOFTWARE STANDARD BUILD STANDARD PROCEDURES

FDA STAFF MANUAL GUIDES, VOLUME III - GENERAL ADMINISTRATION INFORMATION RESOURCES MANAGEMENT INFORMATION TECHNOLOGY MANAGEMENT

EPA Classification No.: CIO P-09.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: Review Date: 08/06/2015

THE BUSINESS VALUE OF AN ERP SYSTEM

Keep Your Business Moving with Custom Technology Leasing

Look around any workplace and you see Information Technology (IT) assets. If you are working in an average office environment, you probably have a

Transcription:

STATE OF OHIO SUBJECT: PAGE 1 OF 7 Inventory, Donation, Transfer & Disposal of DRC IT Hardware & NUMBER: 05-OIT-21 Software RULE/CODE REFERENCE: O.R.C. 5120.01; 5120.22 SUPERSEDES: 05-OIT-21 dated 09/13/11 RELATED ACA STANDARDS: EFFECTIVE DATE: DEPARTMENT OF REHABILITATION February 2, 2015 AND CORRECTION APPROVED: I. AUTHORITY This policy is issued in compliance with Ohio Revised Code 5120.01 which delegates to the Director of the Department of Rehabilitation and Correction the authority to manage and direct the total operations of the Department and to establish such rules and regulations as the Director prescribes. II. PURPOSE The purpose of this policy is to establish requirements for the inventory, transfer and disposal of Ohio Department of Rehabilitation and Correction information technology hardware and software. III. APPLICABILITY This policy applies to all employees of the Ohio Department of Rehabilitation and Correction (DRC) and other individuals, such as DRC contractors and DRC volunteers, who by virtue of their job duties, roles, responsibilities or assignments, are issued DRC information technology hardware, including leased or rented hardware, or software. IV. DEFINITIONS Hardware The tangible, material parts of any information technology device or system including desktop computers, laptops, tablet personal computers, keyboards, speakers, printers, central processing units (CPU), disk drives, tape drives, servers, switches, routers, cable, fiber, etc. DRC information technology hardware is subject to the requirements contained in Department Policy 22-BUS-08, Inventory Control of Property, Supplies and Other Assets. Risk Analysis A process, guided by DRC and Department of Administrative Services Office of Information Technology (DAS OIT) information technology security requirements, performed to assess the threats to and the vulnerabilities of information technology hardware, software or systems to determine the potential impact that loss of data, capability or functionality would have on the business operation of an organization. Risk analysis provides a foundation for information technology risk management and the attainment of optimal levels of information technology functionality and security at both the desktop and enterprise levels. DRC 1361 (Rev. 04/08)

SUBJECT: Inventory, Donation, Transfer & Disposal of DRC IT Hardware & Software PAGE 2 OF 7 Sanitizing Expunging data from information technology hardware or software to prevent unauthorized disclosure or use of confidential or sensitive data. Sanitizing methods include removing, overwriting, demagnetizing, encrypting, disabling and destroying. Software The intangible computer programs, procedures, algorithms, related data and associated documentation stored in an information technology device or system, that could be licensed intellectual property or open source, whose purpose is to provide the instructions for the operation of a data processing program or system. Examples of software include middleware, programming software, system software and operating systems, testware, firmware, freeware, retail software, device drivers, programming tools and application software. DRC information technology software is subject to the requirements contained in Department Policy 22-BUS-08, Inventory Control of Property, Supplies and Other Assets. V. POLICY It is the policy of the Ohio Department of Rehabilitation and Correction to maintain an accurate inventory of all DRC information technology hardware and software and to process the donation, transfer, and disposal of DRC information technology hardware or software in accordance with all applicable DRC and Department of Administrative Services Office of Information Technology (DAS OIT) information technology security requirements. VI. PROCEDURES A. Inventory of DRC Information Technology Hardware and Software 1. Upon receipt of any information technology hardware, including leased or rented hardware, or software acquisition at a DRC worksite, the manager or designee at the worksite responsible for receiving the delivery shall physically count the hardware or software. Discrepancies between the shipping invoice and the physical count shall be noted and reported immediately to the appropriate staff member in the worksite business office. 2. Upon completion of the physical count, the manager or designee shall advise the worksite s designated Agency Asset Processor of receipt of the hardware or software acquisition. a. Pursuant to Department Policy 22-BUS-08, Inventory Control of Property, Supplies and Other Assets, the Agency Asset Processor shall ensure that each piece of hardware or software is affixed with a unique identifying bar code inventory label or electronic medium device or otherwise assigned a unique identifying bar code inventory label, and that all hardware or software is entered into the OAKS Asset Management System within the appropriate time period. b. The Agency Asset Processor shall advise the appropriate information technology employee at the worksite of the hardware or software acquisition. Receipt of hardware or software acquired for the Operation Support Center shall be reported to the Chief of the Bureau of Information Technology Services (BITS) or designee.

SUBJECT: Inventory, Donation, Transfer & Disposal of DRC IT Hardware & Software PAGE 3 OF 7 3. Information technology hardware and packaged, retail software shall be stored in the worksite storeroom, warehouse or other secured storage area. A perpetual inventory shall be maintained for the hardware and software and a physical inventory of the hardware and software shall be conducted pursuant to the timeframes and manner prescribed by DRC policy. 4. The designated worksite Agency Asset Processor shall update information technology hardware and software inventory information in the OAKS Asset Management System when appropriate and especially when the hardware or software is donated, transferred or disposed of when it reaches the end of its functional DRC lifecycle. 5. The designated worksite Agency Asset Processor shall ensure that all information technology hardware and software at the worksite is included in the physical inventory conducted at least once per biennium pursuant to Department Policy 22-BUS-08, Inventory Control of Property, Supplies and Other Assets. 6. The Chief of BITS shall designate a BITS staff member to serve as the BITS Agency Asset Processor, who shall be responsible for performing all the inventory duties for the software and software licensing assigned to or maintained by BITS including programming software, system software, operating system software, testware, firmware, freeware, retail software, device drivers, programming tools, and application software. B. Donation of DRC Information Technology Hardware and Software to Non-DRC Individuals or Organizations 1. DRC employees, and other individuals such as DRC contractors and DRC volunteers who are issued DRC information technology hardware, including leased or rented hardware, or software, do not have authority to unilaterally donate any DRC information technology hardware or software to non-drc individuals or organizations. 2. The following process shall be followed when a request is made to donate any DRC information technology hardware, excluding leased or rented hardware, or software to a non-drc individual or organization: a. Requests from non-drc individuals or organizations to donate DRC information technology hardware or software shall be referred to the appropriate Managing Officer for review and assessment. b. If the Managing Officer or designee determines that the donation request has merit, the Managing Officer or designee shall formally notify the Chief of Bits and provide the Chief of BITS with all available information about the request, such as the requestor s contact information, a list of the requested hardware or software, the rationale for the request and the timeframes to fulfill the request. c. The Chief of BITS shall assign a DRC information technology employee the task of conducting a risk analysis of the requested hardware or software.

SUBJECT: Inventory, Donation, Transfer & Disposal of DRC IT Hardware & Software PAGE 4 OF 7 d. Within five business days of completing the risk analysis, the DRC information technology employee shall complete a report that contains all information about the risk analysis findings and results and submit it to the Chief of BITS. The report may be in an e-mail format, but in any case a copy of the report shall be submitted to the Managing Officer or designee. e. The Chief of BITS shall review the report and determine whether the donation request will be granted and, if granted, the appropriate course of action to sanitize the hardware or software. The Chief of BITS shall advise the appropriate Managing Officer or designee of the donation decision and advise the appropriate DRC information technology employee of the course of action that must be taken prior to the physical transfer to sanitize the hardware or software. f. Once the donation has been approved and the hardware or software has been sanitized, the Managing Officer or designee shall instruct the worksite s Agency Asset Processor to take the necessary action to comply with state salvage requirements and, upon approval from DAS State Salvage, remove the requested hardware or software from the worksite s inventory in the OAKS Asset Management System. The worksite s Agency Asset Processor shall then proceed with the physical donation of the requested hardware or software to the non-drc individual or organization. g. The appropriate DRC information technology employee shall document the donation in the DRC IT Donation, Maintenance/Repair and Disposal Form (DRC1636). C. Transfer of DRC Information Technology Hardware or Software to an Approved Vendor for Maintenance and Repair 1. The following process shall be followed when the decision has been made to transfer DRC information technology hardware, excluding leased or rented hardware, or software to an approved vendor for maintenance and repair: hardware or software. b. In addition to conducting the risk analysis, the information technology employee shall identify the specific maintenance / repair necessary for the hardware or software, make the appropriate contacts with the vendor to initiate the maintenance / repair process and complete any DRC or vendor maintenance and repair request reports or documents. c. After completing the risk analysis, the information technology employee shall take the action identified during the risk analysis to sanitize the hardware or software. d. After the hardware or software is sanitized, the information technology employee shall provide the hardware or software to the vendor for the maintenance/repair. e. When the maintenance/repair has been completed and the hardware or software returned to the worksite, the information technology employee shall reconfigure the hardware or software and reissue it to the appropriate staff member or return it to storage.

SUBJECT: Inventory, Donation, Transfer & Disposal of DRC IT Hardware & Software PAGE 5 OF 7 f. The information technology employee shall document the maintenance and repair in the DRC IT Donation, Maintenance/Repair and Disposal Form (DRC1636) 2. The following process shall be followed when the decision has been made to transfer DRC leased or rented information technology hardware to an approved vendor for maintenance and repair: hardware. b. In addition to conducting the risk analysis, the information technology employee shall identify the specific maintenance / repair necessary for the hardware, as specified by the hardware vendor, make the appropriate contacts with the vendor to initiate the maintenance / repair process and complete any DRC or vendor maintenance and repair request reports or documents. c. After completing the risk analysis, the information technology employee shall consult with the vendor and take the action identified during the risk analysis, in consultation to sanitize the hardware. d. After the hardware is sanitized, the information technology employee shall provide the hardware to the vendor for the maintenance/repair. e. When the maintenance/repair has been completed and the hardware returned to the worksite, the information technology employee shall reconfigure the hardware and reissue it to the appropriate staff member or return it to storage. f. The information technology employee shall document the hardware maintenance and repair in the DRC IT Donation, Maintenance/Repair and Disposal Form (DRC1636). D. Disposal of DRC Information Technology Hardware or Software 1. The following process shall be followed when DRC information technology hardware, excluding leased or rented hardware, or software is at the end of its functional lifecycle and the decision has been made to dispose of the hardware or software. The appropriate information technology employee shall conduct a risk analysis of the hardware or software. hardware or software. b. After completing the risk analysis, the information technology employee shall take the action identified during the risk analysis to sanitize the hardware or software. c. When the hardware or software has been sanitized, the information technology employee shall contact the worksite Agency Asset Processor, who shall take the necessary steps to remove the hardware or software from the OAKS Asset Management System and, if appropriate, process the hardware or software as state salvage, pursuant to all applicable DRC and DAS State Salvage rules and regulations.

SUBJECT: Inventory, Donation, Transfer & Disposal of DRC IT Hardware & Software PAGE 6 OF 7 d. The information technology employee shall document the disposal in the DRC IT Donation, Maintenance/Repair and Disposal Form (DRC1636). 2. The following process shall be followed when a decision is made to contract with a vendor to dispose of DRC information technology hardware, excluding leased or rented hardware, or software that is at the end of its functional lifecycle: a. The vendor must provide a written, signed statement agreeing to use a sanitizing method that completely destroys all data on the hardware or software. b. The appropriate information technology employee shall advise the Chief of BITS or designee of the decision to contract with a vendor and shall, if requested, provide the Chief of BITS or designee with the vendor s written, signed statement. c. The information technology employee shall conduct a risk analysis of the hardware or software. d. The information technology employee shall contact the worksite Agency Asset Processor who shall take the necessary steps to remove the hardware or software from the OAKS Asset Management System. e. The information technology employee shall contact the vendor to make the necessary arrangements to provide the hardware or software to the vendor. f. The information technology employee shall document the disposal on the DRC IT Donation, Maintenance/Repair and Disposal Form (DRC1636). 3. The following process shall be followed when leased or rented DRC information technology hardware is at the end of its functional lifecycle and the decision has been made to dispose of the hardware. hardware. b. After completing the risk analysis, the information technology employee shall consult with the vendor and take the action identified during the risk analysis to sanitize the hardware. c. When the hardware has been sanitized, the information technology employee shall contact the worksite Agency Asset Processor, who shall take the necessary steps to remove the hardware from the OAKS Asset Management System. d. Upon removal of the hardware form the OAKS Asset Management System, the information technology employee shall provide the hardware to the vendor. e. The information technology employee shall document the disposal in the DRC IT Donation, Maintenance/Repair and Disposal Form (DRC1636).

SUBJECT: Inventory, Donation, Transfer & Disposal of DRC IT Hardware & Software PAGE 7 OF 7 E. DRC Risk Analysis 1. A DRC risk analysis of DRC information technology or software must be performed by a DRC information technology employee approved by the Chief of Bits. 2. At a minimum, a DRC risk analysis of DRC information technology hardware, including leased or rented hardware, or software completed pursuant to this policy, must include the following steps: a. Verification of the inventory status of the hardware or software via a search of the OAKS Asset Management System. b. Identification of the type of data that resides on the hardware or software and whether any or all of the data is confidential or sensitive. c. Identification of any active intellectual property licenses residing on or associated with the requested hardware or software. d. Identification of the most appropriate course of action to sanitize the hardware or software. 3. The DRC information technology employee performing the risk analysis must consult with the Chief of BITS or designee at the Operation Support Center when there are questions or concerns about the most appropriate course of action to sanitize DRC hardware or software. F. Maintaining DRC IT Donation, Maintenance/Repair and Disposal Forms (DRC1636) At the end of each quarter of the fiscal year, the DRC IT Donation, Maintenance/Repair and Disposal Forms (DRC1636) completed during the quarter shall be provided to the worksite Agency Asset Processor who, in turn, shall maintain the form with other OAKS Asset Management System inventory documentation. Related Department Forms: DRC IT Donation, Maintenance/Repair and Disposal Forms (DRC1636)

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information