BYOD Security: Good Inventory Management Lacking At Marshall University.

A legislative audit at Marshall University’s Joan C. Edwards School of Medicine has revealed that not enough effort is going into tracking inventor, which includes over $600,000 worth of computers purchased over the past three years.  While the stories covering the issue center around the potential for asset theft, let’s not forget that there are bearings on the issue of data security as well.  With such lax asset security policies, it might behoove MU to ensure that all computers have proper data security software like AlertBoot.

Inventory Threshold at $5,000

According to auditors, they were unable to “determine how many computers they [MU] have,” per  The school had “purchased $641,366 worth of computers in fiscal years 2009, 2010 and 2011, but none were tracked as inventory.”  Furthermore,

In a spot-check of 45 items of equipment, the audit also found that seven lacked inventory tracking tags, with the untagged items ranging in value from a $5,009 Isotemp refrigerator to a $16,500 pickup truck and a $18,012 copy machine. []

It’s estimated that as much as $1.8 million worth of equipment is untagged.  There are obvious failings here but the $1.8 million tag could be a result of a policy of only inventorying those assets with a price tag of $5,000 or more.

The audit also found that there was improper disposal of computer equipment in dumpsters which violated several state laws, including “West Virginia Purchasing Division laws and, potentially, federal environmental laws.” Assuming that the information in these computers were not properly wiped, there could have been violations of HIPAA PHI security laws as well.

We Do Track It

The response pointed out that Marshall’s information technology office tracks all computers connected to the school’s IT network, noting, “It is possible, although unlikely, for an individual department to order and receive computers without attaching them to the network.”[]

There’s at least one failing here: assuming that overall US trends also apply to MU, there is a very good chance that a significant portion of the computers purchased in the past few years are laptops.

And while university may have a policy forbidding their transportation outside of a secure perimeter, signed paperwork doesn’t always prevent people from taking their work laptops home.  They are, after all, laptops.  This means that not all computers are connected to the school’s IT network, which in turn means that a number of them cannot be tracked.

In the age of BYOD (Bring Your Own Device) and consumerization, it might seem like inventorying assets is “old school” and past its prime.  Nothing could be further from the truth.  Like the accounting concept of double-entry bookkeeping, it’s a perfectly valid, cheap, and effective error detection tool.

Related Articles and Sites:

Comments (0)

Let us know what you think