1. Building a central IT Repository
Last Revised: February 28, 2012
Background: Maintaining an accurate inventory of major IT assets is an essential requirement of enterprise risk
management (ERM) activity. IT risk management (a subset of ERM) has a focus on IT asset management (i.e. know
what you need to protect), as an underpinning resource to business continuity planning (BCP) and disaster recovery
planning (DRP).
An additional value of the information relates to emergency preparedness, crisis management and incident response;
however, the significantly distributed/decentralized IT environment (typical of universities) presents a challenge for
senior management to know “what’s out there”.
Since the infamous ‘Y2K’ contingency planning effort, a basic spreadsheet listing major IT systems and services has
been maintained within the Office of the CIO. In recent years, the listing has been expanded, additional data attributes
have been suggested, and the importance of the information recognized by those charged with risk management and
contingency planning. The enhanced scope of the inventory classifies IT assets as either a) application systems or b)
infrastructure services. A key deliverable is identification of individuals who have either managerial or technical
support responsibility for each asset.
The Office of the CIO’s Systems Assurance unit is charged with transforming the spreadsheet listing into a central
on-line repository of IT information including IT Assets (Applications and Services) and IT Resources (people/service
providers). A web-based application and database have been developed and are currently in ‘beta’ release, targeted for
initial production release later this year.
Value/Deliverables: The primary purpose of the central IT repository is to facilitate risk management. Based upon
data attributes of each asset, overall risk will be determined. Key risk metrics (e.g. performs e-business) will be
identified, communicated, and prioritized in a straightforward, consistent manner to senior management and relevant
stakeholders.
The identification of individuals who are ‘related’ to IT assets enables a focus on accountability and contingency
planning, and is the key differentiator of Guelph’s approach compared to traditional asset management systems.
Additional risk management attributes which the Repository will store include: i) remote hosting and 3rd party support;
ii) purchased commercial products versus internally developed; iii) centralized versus distributed technical support.
An additional planned feature is highlighting “active” assets reflecting current development/enhancement projects.
Functionality: The Repository is intended to be a ‘high level’ catalog of IT application systems and infrastructure
services. The depth of information (i.e. data attributes) would be limited to the needs of management charged with
risk management. The Repository is NOT a physical hardware inventory with details about assets such as
configurations, models, serial numbers, etc., nor is it a Service Catalog targeted to end-users. Attributes that are
worth tracking and that provide risk management value include: deployment (i.e. departmental vs. enterprise); service
provider (in-house vs. 3rd party); stores sensitive/personal information; business process criticality, etc.
In addition to Asset records, the Repository is intended to track the IT-related human resources who either ‘own’ the
applications/services or provide technical support. Each individual who has a relationship with IT (executive sponsor,
system owner, technical support) will be asked to provide emergency contact information that will only be visible on a
“need to know” basis via an emergency contact dashboard within the Repository. This information is collected to
enable improved responsiveness to potential disruptions and security breaches.
IT PMO
D. D. Badger