Information Technology Governance

Local Government Management Guide

Area #3 – Computer Hardware, Software, and Data Inventories

Local governments and schools should maintain detailed, up-to-date inventory records for all computer hardware, software and data. The information maintained for each piece of computer hardware should include a description of the item including the make, model and serial number; the name of the employee or other user to whom the equipment is assigned, if applicable; the physical location of the asset; and relevant purchase or lease information including the acquisition date. Software inventory records should include a description of the item including the version and serial number, a description of the computer(s) on which the software is installed and any pertinent licensing information.

In addition to hardware and software inventories, local governments and schools should maintain an inventory of information assets (i.e., data) that classifies the data according to its sensitivity and identifies where the data resides (e.g., servers, desktops, laptops, USB flash drives and cloud or other third-party storage locations). Because different kinds of information require different levels of protection, the nature of the data has to be evaluated so that appropriate internal controls can be established and monitored. Data classification is the process of assigning data to a category that will help determine the level of internal controls over that data. In some instances, laws, regulations or a local government’s or school’s policies predefine the classification of each data type. Here is an example of a data classification scheme:

  • Public – Information that is widely available to the public through publications, pamphlets, web content and other distribution methods.
  • Internal Use – Routine operational information that is not approved for general circulation and where unauthorized access, modifications or disclosure would be inconvenient but not result in financial loss or damage to public credibility. Examples include routine correspondence, employee newsletters, internal phone directories and internal policies and procedures.
  • Confidential – Confidential data is information that, in the event of unauthorized access, modifications or disclosure, could result in significant adverse impacts on a local government’s or school’s ability to perform critical work or compromise the integrity of the local government or school, its employees, its customers or third parties. Examples include data used to produce payroll or vendor payments, preliminary drafts of bid specifications and employee system passwords. It also includes any information concerning a person that can be used to identify or assume the identity of the individual. Examples include Social Security numbers and the combination of name, address and date of birth.
  • Restricted Confidential – Information where loss, unauthorized modification or disclosure is likely to result in the most serious impacts to a local government’s or school’s ability to fulfill its responsibilities. Examples include the local government’s or school’s strategy for defending lawsuits, preliminary investigation results and assessments of security vulnerabilities.

Local governments and schools cannot properly protect their IT resources, including data, if they do not know what resources they have and where those resources reside. The failure to maintain detailed, up-to-date hardware, software and data inventory records exposes these valuable assets to an increased risk of loss, theft or misuse. For example, State Education Law and Regulations require [9] that no student data be shared with third parties without an agreement that complies with federal and State laws. Without awareness of the student data that exists, schools cannot guarantee compliance with the law’s requirements.

Similarly, without proper identification of all computer hardware on a network, unauthorized devices and software could be introduced without timely detection, putting local government or school data at risk. A single compromised computer could become a launching point for further network attacks, quickly turning one compromised computer into many. Furthermore, accurate inventory records are essential for effective patch management (see Area #6 – Patch Management) and software licensing compliance. [10] Incomplete or outdated records make it unlikely that software patches necessary to address known security vulnerabilities can be applied in a timely manner, if at all. In addition, insufficient records increase the likelihood that you may inadvertently violate copyright laws by having more software users than licenses for a particular application and incur penalties as a result. The accuracy of inventory records should be verified through periodic physical inventories.


[9] Education Law Sections 2-d(5)(e), (f); 8 NYCRR 121.2(c)

[10] Software typically comes with a license that grants end-users permission to use one or more copies of the product. Local governments and schools should closely track their license usage to help ensure they do not inadvertently utilize software in a manner that might constitute copyright infringement. The illegal use or distribution of software, known as software piracy, can result in considerable penalties.


The Information Technology Governance LGMG can be downloaded at https://www.osc.ny.gov/files/local-government/publications/pdf/information-technology-governance.pdf