IT Asset Management Best Practices to Help You Sleep at Night
In the IT asset management (ITAM) field, we spend a lot of time talking about IT asset management best practices. We all want to know if we are doing ITAM effectively or if we should make course adjustments. Frequently, I hear people asking: What are the IT asset management best practices?
- Where can I get a book to read about them?
- Is there a course I can take to get best-practice certified?
All of these are viable educational options, but the ideal place to learn best practices is from your ITAM peers who are actively working on solving ITAM issues on a daily basis. After all, technology is not standing still, business is always evolving, so best practices are constantly evolving to next practices.
IT Asset Management Best Practices
With this in mind, I asked the Ivanti IT asset management best practices group, comprised of very experienced asset managers, what keeps them up at night.
Here are their thoughts along with my added commentary.
Asset Discovery
- Begin by defining what assets you need to track. For healthcare organizations, determine if you need to include clinical, engineering, bio med, so forth.
- What is the security, data, management risk of not including certain asset classes and device types within the scope of your ITAM program? Communicate that assessment to IT and finance senior managers to keep them informed about the risks.
Security
- Ensure that your IT asset provisioning process includes all security team mandates.
- Locate assets coming in the back door that pose a risk and apply security requirements and credentials to them.
- “Secure the data, not the device,” is the mantra today. As IoT devices become more widespread, the role of hardware asset management will increase and protecting the device will become more critical.
Governance
- We want to believe we have solid processes in place, but our IT organizational structure doesn’t empower any one group within IT to establish a solid process. Having a robust focus on good governance would fix these issues. Senior managers need to recognize that processes fail without governance.
- A big part of this is communication and education, but you also need “buy in” from the top down, which can be quite challenging. This would also include having solid internal audit support so you continually know the processes, people, and technology in place are meeting your needs.
- Establishing specific goals for the program that include defining and managing scope. Leadership and business changes will impact scope and priority. We have to revisit goals, policies, and processes when business priorities shift.
Policy and Process
- When it comes to IT shops, we know what we know from our own data and processes. Unfortunately, we don't have visibility into what is bought outside of the purchasing process, such as ShadowIT. A policy that encourages employees to report on ShadowIT would improve tracking and would be a huge help if the policy were enforced by management.
- We can detect everything that is installed, but knowing if we are compliant takes a ton of effort. If employees adhered to the process, it would be easier to ascertain our compliance position. Consider providing incentives to employees and business units to follow the process. For example, share information such as new models or pricing that they will find valuable.
Metrics and Reporting
- Establish specific goals/issues you want your ITAM program to address. Many times ITAM programs start off without any specific goals or are too broad and don't really address specific needs. Without being able to measure success you typically have a hard time getting buy-in/support from the executive level.
- Don’t forget to measure success for the especially high priority, highly visible initiatives. We are very good at measuring the day-to-day, but might forget the special projects in our zeal to get quick results.
- Don’t underestimate the value of exception reports. They are incredibly useful to illustrate outliers and issues that may just be starting to become problems.
I can’t begin to count how many times I’ve heard the phrase “we don’t know what we don’t know” used to describe an ITAM program. If you follow the sage advice provided by experienced ITAM professionals, it will reduce the level of unknowns happening in your ITAM program. Your senior executives should know that you are doing your part to keep your organization’s hardware and software assets secure. Who knows, maybe this advice will help you sleep better at night. Instead of counting software applications to fall asleep, you can go back to counting sheep.