Service Asset and Configuration Process Guidelines

General Guidelines

  • Asset Management for devices with an Operating System should be available for external audit reporting and security incident response
  • Configuration Management works hand in hand with Change Management. Change Management is the process that manages the CIs operationally.
  • No Changes to CIs outlined in Configuration Management can take place without a Change record (excluding workstations or mobile devices).

Scope

Scope refers to the boundaries of what Assets and Configuration Items are included in the Service Asset and Configuration Management process at Emory.

Asset Management is the process of tracking IT assets across the whole life cycle, from the point of acquisition through disposal. The Scope of this process is desktops, laptops, and tablets for participating departments, but Asset Management is also available for other CI types.

The Scope of the Configuration Management process and system is framed by two prevailing principles:

  1. A configuration item is an IT service asset that would normally fall under Change Management for configuration changes.
  2. A configuration item is an IT service asset that can be versioned, providing a historical view of the configuration changes that have occurred.

NOT IN SCOPE – Using these principles to determine the scope of the Configuration Management process, we establish that the following assets are NOT included, and therefore will not be tracked as CIs:

  • Desktops/Laptops/Tablets
  • Accessories/Peripherals
  • Smart Phones/Pagers
  • Telephones
  • Personal Printers

NOT CURRENTLY IN SCOPE – In addition, the following CI Types are not currently in scope, but may be included in the future:

  • Telco/WAN circuits
  • Scripts/Jobs/Scheduled Tasks

Asset Lifecycle

Assets can be managed within ServiceNow from the point of procurement to the point of destruction or disposal. Some important points in the lifecycle that the tool provides tracking for are as follows:

  • Procurement and Purchase Order information
  • Assigned User information
  • Support Group of the Asset
  • Warranty information
  • Asset Status information (e.g. In Use, Retired, In Stock, Disposed, etc.)
  • Certificate of Destruction information
  • Depreciation tracking

Generic CIs

Generic CIs are actually asset categories that can be used when no specific Configuration Item exists. Whenever possible, the specific CI should be used instead of a generic CI.

Managed CI Types

CI types that are currently managed with the Configuration Management System (CMS) and controlled via Change Management:

  • Business Services
  • Technical Services
  • Applications
  • Network Gear (Switches, Routers, Wireless APs, etc.)
  • Data Center - Racks and Enclosures
  • Clusters
  • Storage Arrays and SAN Switches
  • Servers - (Windows, UNIX, Linux, Solaris, ESX)
  • Circuits
  • Applications Servers - (Database Servers, Java Servers, Mail Servers, Web Servers, Directory Servers)
  • UPS

Auditing the CMS

There will be a biannual audit of the CMS performed by the Configuration Manager. The audits will follow the guidelines outlined below. Detailed Audit procedures can be found in the CMS Audit Plan document.

Conduct CMS Audit. Configuration Manager will oversee activities for the collection of information to verify the validity of the CMS records. This may include the following:

  • Examine Change and Incident Records since last audit
  • Conduct physical checks where required
  • Compare information against CMS records
  • Create CMS Audit Analysis report

Identify Exceptions. Using information from the analysis report and other documentation, the Configuration Manager will allocate exceptions in the CMS or the live environment for further action. Exceptions may be one of the following:

  • An unauthorized record with no associated control data.
  • Incorrect CI data / location / label / status / relationship
  • The configuration baseline did not match business environment.
  • The CMS did not match Discovery Management System/physical infrastructure data.

Document Exceptions. To enable appropriate action to be taken for rectification, the Configuration Manager will create Incident records for the exceptions and accurately record details and collate all information regarding the nature of the exceptions.

Analyze Exception. Using collated exception information documented in the Incidents, an analysis is to be made to determine if the exception is infrastructure related or within the Configuration Management process, system or other related process. The analysis will be done by the Configuration Coordinator and/or CI Owner.

Inform Change Management. Non-Compliance exceptions will be escalated to Change Management for action.

Take Corrective Actions. The Configuration Manager is responsible for coordinating the appropriate corrective actions due to exceptions in the CMS or the related processes, to ensure that the CMS corresponds to the authorized infrastructure.