The CERT/CC is part of the Software Engineering Institute at Carnegie Mellon University
CERT® Coordination Center


Implementation Details

Establishing and maintaining a physical inventory of your computing equipment

 
Applies to the practice: 
Generate information required to verify the integrity of your systems and data. 

Applicable technologies: 
none

 
There is a wide range of information that must be captured to establish an accurate physical inventory of all of your computing equipment. Procedures need to be established and followed to keep this information up to date whenever new equipment is added, when the configuration of equipment changes, or when equipment is moved, retired, lost, or stolen. It is important to consider well in advance all of the ways in which you will use this inventory information, including its use in detecting signs of physical intrusion.

Establish your initial inventory

This task includes the steps of defining your inventory database requirements, designing the database to meet those requirements, and populating the initial database.
 
  Define your inventory database requirements.
  These requirements include: 
  • what level of equipment you want to inventory (e.g., only equipment greater than $1,000 in value)
  • what information you want to be able to retrieve from the database
  • the range of ways in which you want to search for and sort this information. 
Ensure that these requirements capture all of your current needs and anticipate future growth in these needs. 
  Design the database.
  Candidate database fields include: 
  • unique equipment item tag number; consider using a bar code
  • an old equipment tag number if converting from an older inventory system or manual records
  • comment field (may include a history of who has had the equipment or, in the case of lost or stolen equipment, details of what occurred and pointers to police reports)
  • purchasing information (date, purchase order number - to establish period of warranty)
  • equipment description (consider a menu with predefined choices to preserve consistency)
  • equipment category (e.g., desktop computer, laptop computer, printer, etc.)
  • configuration information based on the device (e.g., disk size, memory size)
  • machine name, if any
  • IP (Internet protocol) name
  • IP address 
  • manufacturer
  • manufacturer serial number
  • location code (onsite, offsite)
  • physical location (room number, room history if equipment has moved)
  • user name, if applicable (does not apply for network and multi-user components)
  • user id, if applicable (does not apply for network and multi-user components)
  • organizational affiliation (department, group, unit, etc.)
  • owner history, if applicable
  • usability code/condition (e.g., in current use, ready to reassign, ready to dispose of, scrapped for parts, retired, lost, stolen)
  Populate the database with all current equipment.

Maintain your inventory

Add a new record whenever a new piece of equipment arrives at your organization. Do this when the equipment is physically taken out of the box and before it is delivered to a user.

Verify current equipment information whenever any equipment is sent out for repair.  If you do not receive the same equipment back from the manufacturer, add a new record for this equipment and link to the old equipment tag number. 

Conduct a periodic audit by randomly selecting a list of equipment from your database and determining if it can be accurately located based solely on the information in the database. 

Periodically verify your physical inventory by performing a physical walkthrough of your facilities. We recommend that this be done at least annually.

Visually examine all physical space (offices, store rooms, laboratories, supply areas, etc.). 

Note all equipment tag numbers. 

Compare the captured inventory to your database. 

Reconcile your database to address missing or incorrectly characterized equipment.
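
The comparison step of the walkthrough can be automated once the tag numbers and rooms have been captured. The following Python code is an added example, not part of the original CERT document; the record layout uses a subset of the candidate fields listed earlier, and the function name, finding categories, and sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

# Usability codes follow the examples given in the field list above.
# Items in these conditions should not turn up during a walkthrough.
SHOULD_NOT_BE_SEEN = {"lost", "stolen", "scrapped for parts"}
# Items in these conditions should be found if their location code is onsite.
EXPECTED_ONSITE = {"in current use", "ready to reassign", "ready to dispose of"}

@dataclass
class Item:
    tag: str             # unique equipment item tag number
    category: str        # equipment category
    location_code: str   # "onsite" or "offsite"
    room: str            # physical location
    condition: str       # usability code/condition

def reconcile(database, observed):
    """Compare walkthrough observations {tag: room} with the inventory database.

    Returns finding lists that need follow-up before the database is updated.
    """
    by_tag = {item.tag: item for item in database}
    findings = {"not_in_database": [], "moved": [], "reappeared": [], "missing": []}
    for tag, room in sorted(observed.items()):
        item = by_tag.get(tag)
        if item is None:
            findings["not_in_database"].append(tag)        # tagged but never recorded
        elif item.condition in SHOULD_NOT_BE_SEEN:
            findings["reappeared"].append(tag)             # recorded as lost, stolen or scrapped
        elif item.room != room:
            findings["moved"].append((tag, item.room, room))
    for item in database:
        if (item.tag not in observed and item.location_code == "onsite"
                and item.condition in EXPECTED_ONSITE):
            findings["missing"].append(item.tag)           # possible loss or theft
    findings["missing"].sort()
    return findings

# Constructed sample data (tags, rooms and categories are made up).
DATABASE = [
    Item("T0001", "desktop computer", "onsite", "B210", "in current use"),
    Item("T0002", "laptop computer", "offsite", "", "in current use"),
    Item("T0003", "printer", "onsite", "B105", "in current use"),
    Item("T0004", "laptop computer", "onsite", "B210", "stolen"),
    Item("T0005", "desktop computer", "onsite", "B300", "ready to reassign"),
]
WALKTHROUGH = {"T0001": "B210", "T0003": "B107", "T0004": "B111", "T0099": "B105"}

if __name__ == "__main__":
    for kind, entries in reconcile(DATABASE, WALKTHROUGH).items():
        print(kind, entries)
```

Entries under "missing" and "not_in_database" are the ones most relevant to detecting signs of physical intrusion; "moved" entries usually indicate that the maintenance procedure was skipped when equipment was relocated.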


Copyright 1999 Carnegie Mellon University
CERT is registered in the U.S. Patent and Trademark Office.
Page revised: January 19, 1999
URL: http://www.cert.org/security-improvement/implementations/i043.02.html