Whether the district has a dedicated asset management tool, runs inventory through management platform reports, or relies on spreadsheets and tribal memory. The hub-level attention badge for this sub-domain ("Attention · no formal inventory tool") sources directly from the bottom substantive option. Every prior EUC sub-domain references this field for the formal-inventory question — F1 is the upstream concern.
Hard finding · No formal asset inventory tool
Asset inventory lives in spreadsheets and tribal memory rather than a formal tool. The downstream cost compounds across every other operational discipline: reconciliation can't be automated, refresh planning runs on guesswork, lost-device follow-up has no canonical record to check against, and audit response means rebuilding the picture from procurement records each time. A dedicated tool isn't expensive — Snipe-IT is open-source and self-hosted, Asset Panda and Lansweeper have K-12-priced tiers. The lift is the initial inventory walk; the recurring work is much lighter than maintaining a spreadsheet.
Whether assets are physically tagged with a district identifier, and whether the tags follow ownership changes (staff member separates, student graduates) through to retirement. No hard finding — operational gap, not security failure. Districts with strong F1 inventory tooling often have stronger tagging discipline as a byproduct.
How often the recorded inventory is matched against actual deployed state. No hard finding — reconciliation discipline depends on the inventory tool from F1, so the F1 finding implicitly captures the upstream gap. Adding a separate finding here would double-count the same root issue.
Whether IT clearly owns the asset management function. A district can have organizational clarity around "we manage devices" responsibility even at the same time as having weak tooling — F4 max with F1 below max is a coherent posture. Cross-ref SOG-organization-staffing-policy: broader ownership-of-functions concerns live there; this field captures IT-specific ownership of asset management only.
How new assets enter the district. The top option requires F6's documented refresh cycle as a prerequisite; "procurement through standard district purchasing" is the realistic max-tier for a district that doesn't have one. Cross-ref SOG-budget-funding-discipline: this field captures the IT-operational layer (how IT requisitions and accepts new assets); budget/CFO-side decisioning sits in SOG.
How devices and AV are replaced over time. "Refresh on failure" is a fiscal-management and operational-planning gap (the budget shock when a large asset cohort hits end-of-life simultaneously is real) but doesn't rise to a hard finding here — it's not a security failure. Closely coupled to F5 procurement and F7 retirement.
What happens between "this device is no longer in active use" and "this device leaves the district." No hard finding — retirement discipline is operational; the real security risk (data on retired devices) is captured in F8 (sanitization), not double-counted here. Informal retirement is below max but not a finding on its own.
Whether retired devices are wiped to a documented standard before disposal, and whether the district has verification (certificates of destruction from the disposal vendor). Retired staff laptops carry FERPA-relevant data (gradebook caches, student records, OneDrive sync, signed-in email profiles); retired student devices may have less PII but still account credentials and profiles. Disposal-vendor handling varies — districts that don't verify sanitization are trusting the vendor entirely with FERPA-bearing data they should have erased first. Cross-ref legacy-cyber Endpoint Defense (forthcoming) for the broader data-destruction governance.
Hard finding · No data sanitization on device retirement
Retired devices may leave the district without being wiped. Staff laptops carrying gradebook caches, student records in email, and OneDrive sync go to the disposal vendor with that data intact; the district has no record of what actually happened to it once it left the building. Stand up a wipe step before disposal even if vendor verification is the longer-term goal: most management platforms support a remote-wipe action at retirement, and physical media destruction (drive shredding) by a certified vendor with certificates of destruction is the gold-standard for laptops where remote wipe isn't possible.