Three Reasons ITAM Should be Part of Your Security Strategy (Part 2 of 2): Government Security Requirements

If you have ever lost your wallet, I am pretty sure you did not worry about the actual wallet. I live about 45 miles away from Washington, D.C. and two miles from my house is a commuter train. I will never forget the first time I took that train into D.C. After boarding, I realized I did not have my wallet. The train was already on its way, so I was stuck.

That day, all I could think about were the contents of my wallet: my driver’s license, government ID, health ID, and credit cards. If that wallet ended up in the wrong hands, I could have a big mess to clean up. Although I could cancel my credit cards, my heart was racing at the very thought of someone possibly using my license or health ID to steal my identity.

A computer hard drive is much like a wallet. If it gets lost or stolen, you will probably be more concerned about the contents than the actual hard drive. In 2014, it was reported that 68 percent of all healthcare data breaches since 2010 were due to device theft or loss…not hacking.

Security breaches associated with identity theft reported in the media are typically attributed to sophisticated hacking programs. In reality, many security breaches come from computers and laptops that have been misplaced, lost, or stolen. Both the financial and healthcare sectors have been hit hard, placing the identity of millions of people at risk.

To protect user identity, government agencies have focused on the financial and healthcare industries with security regulations. Organizations that do not meet security requirements can be fined and even prosecuted.

ITAM processes will help you comply with government security requirements

An important part of security regulations relates to the physical security of the device. The National Cybersecurity Center of Excellence (NCCoE) at the U.S. National Institute of Standards and Technology (NIST) is driven by the cybersecurity needs of American businesses. In an effort to address current security issues in the U.S. financial industry, the group worked with representatives from the private sector to identify security problems and to provide solutions to them.

The organization created a document called IT ASSET MANAGEMENT: Securing Assets for the Financial Services Sector. The motivation for this document states that an effective ITAM system increases security by providing visibility into what assets are present and what they are doing.

The objective of this document states the following:

“To effectively manage, utilize and secure an asset, you first need to know the asset’s location and function. While many financial sector companies label physical assets with bar codes and track them with a database, this approach does not answer questions such as, “What operating systems are our laptops running?” and “Which devices are vulnerable to the latest threat?” The goal of this project is to provide answers to questions like these by tying existing data systems for physical assets, security systems and IT support into a comprehensive IT asset management (ITAM) system.”

It has become evident to most organizations that IT service management (ITSM) and ITAM solutions play an important role in an organization’s overall security solution. ITAM is not just about tracking a device; it is also about tracking the data on that device.

It is not acceptable for any organization holding private identity information to not know exactly WHERE private information is stored, WHO has access to that information, and WHEN that information is accessed.

To protect the data, it is important to track the location of the asset and maintain a list of who has access to the device. That list should also cover physical access, and it would not be far-fetched to add a custodian or cleaning crew to an access list. Furthermore, it is important to know if the device is moved, reallocated, serviced, or disposed of. ITAM solutions should also communicate with ITSM solutions so that change requests to configuration items are properly documented.

ITAM Security Flow Chart

Before a device is secured, it has to be discovered and documented in a database. After security configuration, software, and encryption have been added to the device, the ITAM database needs the ability to track the device. Tracking the device must include a process that notifies the security team if a device goes missing.

The United States Department of Health & Human Services mandates a security standard called HIPAA.

The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

The penalties for healthcare organizations are severe if they are found to be noncompliant with HIPAA requirements. A large component of these requirements addresses the physical devices that contain private patient data, which are listed below in this HIPAA checklist:

164.310(a)(1) Facility Access Controls: Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

164.310(c) Have you implemented physical safeguards for all workstations that access Electronic Protected Health Information (EPHI) to restrict access to authorized users?

164.310(d)(1) Device and Media Controls: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain EPHI into and out of a facility, and the movement of these items within the facility.

164.310(d)(2)(i) Have you implemented policies and procedures to address final disposition of EPHI, and/or hardware or electronic media on which it is stored?

164.310(d)(2)(ii) Have you implemented procedures for removal of EPHI from electronic media before the media are available for reuse?

164.310(d)(2)(iii) Do you maintain a record of the movements of hardware and electronic media and the person responsible for its movement?

164.310(d)(2)(iv) Do you create a retrievable, exact copy of EPHI, when needed, before movement of equipment?

I am aware of a hospital in Florida that makes the internal PC hard drive the primary IT asset that is tracked. They use the serial number to track the status of all hard drives for HIPAA compliance. They also have a locked room with spare hard drives. If a production hard drive fails, it is replaced and its status is changed to repair or dispose in the ITAM database. They also have a process to ensure those drives are properly disposed of. As part of the disposal verification process, alerts are in place to notify security if the serial number of a disposed hard drive reappears on another device in the future.
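The flow described above (discover, document, track, alert when a device goes missing) and the hospital's serial-number tracking both reduce to one operation: reconcile what a discovery scan actually finds against what the asset register says should exist. The following script is an added example, not the hospital's system or any vendor's product; the lifecycle states, the allowed transitions, the serial numbers, host names and custodian names are all constructed for illustration. It records every status change with the person responsible (164.310(d)(2)(iii)), refuses to mark a drive disposed without a sanitization record (164.310(d)(2)(ii)), and raises alerts for undocumented drives, in-service drives that vanish, drives found on a different host than registered, and the case the hospital cares most about: a disposed serial reappearing.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Status(Enum):
    IN_SERVICE = "in_service"   # installed in a production device
    SPARE = "spare"             # sitting in the locked spares room
    REPAIR = "repair"           # pulled after a failure, awaiting sanitization/disposal
    DISPOSED = "disposed"       # sanitized and handed to the disposal process


# Lifecycle transitions the register accepts (an assumption for this example;
# the post does not spell out the hospital's state machine). DISPOSED is terminal.
ALLOWED = {
    Status.SPARE: {Status.IN_SERVICE, Status.DISPOSED},
    Status.IN_SERVICE: {Status.REPAIR, Status.SPARE, Status.DISPOSED},
    Status.REPAIR: {Status.SPARE, Status.DISPOSED},
    Status.DISPOSED: set(),
}


@dataclass
class Drive:
    serial: str
    status: Status
    host: Optional[str]         # device the drive is installed in; None when not in service
    custodian: str              # person currently accountable for the drive
    sanitized: bool = False     # evidence that data was removed before reuse or disposal
    history: List[Tuple[str, str, str, str]] = field(default_factory=list)  # (time, actor, old, new)


def change_status(reg: Dict[str, Drive], serial: str, new: Status, actor: str,
                  host: Optional[str] = None, sanitized: Optional[bool] = None) -> Drive:
    """Record a movement with the person responsible and refuse illegal transitions."""
    d = reg[serial]
    if new not in ALLOWED[d.status]:
        raise ValueError(f"{serial}: {d.status.value} -> {new.value} is not an allowed transition")
    if sanitized is not None:
        d.sanitized = sanitized
    if new == Status.DISPOSED and not d.sanitized:
        raise ValueError(f"{serial}: cannot dispose of a drive without a sanitization record")
    if new == Status.IN_SERVICE and host is None:
        raise ValueError(f"{serial}: a drive in service must be assigned to a host")
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    d.history.append((stamp, actor, d.status.value, new.value))
    d.status, d.custodian = new, actor
    d.host = host if new == Status.IN_SERVICE else None
    return d


def reconcile(reg: Dict[str, Drive], scan: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Compare a discovery scan (host -> serials seen) against the register; return (code, message) alerts."""
    alerts: List[Tuple[str, str]] = []
    seen = {s: h for h, serials in scan.items() for s in serials}
    for serial, host in seen.items():
        d = reg.get(serial)
        if d is None:
            alerts.append(("UNDOCUMENTED", f"{serial} seen on {host} but never documented"))
        elif d.status == Status.DISPOSED:
            alerts.append(("DISPOSED_REAPPEARED", f"{serial} was disposed of but is now on {host}"))
        elif d.status != Status.IN_SERVICE:
            alerts.append(("UNEXPECTED_INSTALL", f"{serial} is marked {d.status.value} yet is on {host}"))
        elif d.host != host:
            alerts.append(("UNTRACKED_MOVE", f"{serial} registered on {d.host} but found on {host}"))
    for serial, d in reg.items():
        if d.status == Status.IN_SERVICE and serial not in seen:
            alerts.append(("MISSING", f"{serial} ({d.host}, custodian {d.custodian}) not found in scan"))
    return sorted(alerts)


def demo_register() -> Dict[str, Drive]:
    """Constructed sample register; every serial, host and name here is invented."""
    reg = {
        "SN-1001": Drive("SN-1001", Status.IN_SERVICE, "ws-radiology-01", "alice"),
        "SN-1002": Drive("SN-1002", Status.IN_SERVICE, "ws-billing-07", "bob"),
        "SN-1003": Drive("SN-1003", Status.SPARE, None, "storeroom"),
        "SN-1004": Drive("SN-1004", Status.IN_SERVICE, "ws-er-03", "carol"),
    }
    # SN-1004 fails: pulled for repair, wiped, disposed of; spare SN-1003 takes its slot
    change_status(reg, "SN-1004", Status.REPAIR, "dave")
    change_status(reg, "SN-1004", Status.DISPOSED, "dave", sanitized=True)
    change_status(reg, "SN-1003", Status.IN_SERVICE, "dave", host="ws-er-03")
    return reg


# Constructed scan: the disposed SN-1004 has turned up in a laptop alongside an unknown
# drive, and SN-1002 is nowhere to be found.
DEMO_SCAN = {
    "ws-radiology-01": {"SN-1001"},
    "ws-er-03": {"SN-1003"},
    "lt-contractor-22": {"SN-1004", "SN-9999"},
}

if __name__ == "__main__":
    for code, msg in reconcile(demo_register(), DEMO_SCAN):
        print(f"[{code}] {msg}")
```

Run on the constructed data, the reconciliation returns three alerts: DISPOSED_REAPPEARED for SN-1004, MISSING for SN-1002, and UNDOCUMENTED for SN-9999. In practice the scan input would come from whatever discovery agent or inventory tool already reports drive serials, and the alerts would be routed to the security team rather than printed.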


There is no question that ITAM should play an important role in your overall security strategy. Does your organization protect data by properly managing physical IT assets? Take this self-assessment quiz to see how you are doing.

  1. Does your organization track the name of the person receiving, disposing, reassigning, or moving physical IT assets? YES/NO
  2. Does your organization have policies that limit physical access to IT assets containing sensitive company data? YES/NO
  3. Does your organization enforce policies to track the removal of hardware containing sensitive data in and out of your facility? YES/NO
  4. Does your organization have policies to sanitize and dispose of end-of-life IT assets? YES/NO
  5. Does your organization have policies to VERIFY that IT assets have been properly disposed? YES/NO
  6. Does your organization sanitize and physically secure IT assets that are currently not in use? YES/NO
  7. Does your organization have policies in place to be alerted in a timely fashion if an IT device is stolen or lost? YES/NO

If you said no to any of these questions, it’s time to make ITAM a part of your security strategy.

-follow me on Twitter @marcelshaw

Three Reasons ITAM Should be Part of Your Security Strategy (Part 1 of 2)

Several years ago, we purchased a home in the country. The biggest difference I noticed is how dark and quiet it is to live there. When alone in the house at night, I get spooked at the slightest sound, so I am considering a security system. I counted how many windows and doors need to be monitored. Knowing how many windows and doors I have is important information when installing a home security system. The most advanced security system in the world would not be able to protect me if I neglect to secure a single window or door.

In the context of IT security, the most technologically advanced security systems available today will not protect your data if a single device goes unnoticed and, as a result, unsecured. Companies spend a lot of money to protect the data on their networks and devices. The problem is that not every organization has a good strategy to track the devices holding their sensitive data.

Three reasons IT Asset Management (ITAM) should be a part of your security strategy:

  1. ITAM processes will track devices with sensitive data
  2. ITAM will control inventory by implementing end-of-lifecycle processes
  3. ITAM processes will help you comply with government security requirements

ITAM processes will track devices with sensitive data

In a blog post, Laura Heller says “…breaches continue with more shopper data stolen in 2014 than any previous year. It’s a pattern likely to continue in 2015 as long as companies focus on window-dressing IT security solutions that fall short by failing to include a solid foundation of IT asset management (ITAM).”

It is puzzling to me how organizations scramble to make sure they have the latest security patches applied to all their devices when the very meaning of ‘all’ is not completely understood. It’s like adding a home security system without knowing for sure that every window and door is monitored.

Generally, when securing a network, an inventory is taken of all the PCs, laptops, servers, and software prior to applying any security policies and applications. However, without ongoing, proper IT asset management, IT organizations are at risk of losing track of those devices. It is important to understand that asset management is not a one-time event. If you lose track of devices, it becomes more difficult to ensure they are secure.

Jaime Kahan from Ernst & Young identified 10 key areas related to cyber-security where companies should focus their efforts. She identified IT Asset Management as one of those key areas. “Firms need to be able to identify who has access and to what physical and electronic assets within the organization. This would include but not be limited to laptops, computers, servers, software, iPads, mobile devices and electronic files.”

The cost of losing a device is minimal compared to the cost of losing data contained on a device. The reason it is so important to track devices, including the person who has access to the device, is to protect your data. This is a task that needs to be considered as another layer of security.

ITAM will control inventory by implementing end-of-lifecycle processes

A challenge many organizations encounter when tracking devices is that the task itself can be overwhelming. The reasons may include a lack of ITAM tools, a lack of ITAM education, and, in many cases, an inefficient disposal process for devices at the end of their lifecycle.

On May 29, 2013, Frank W. Deffer, United States Assistant Inspector General of the Office of Information Technology Audits, sent a memo to the United States Coast Guard (USCG) following a security audit. The memo stated that the “USCG needs to improve its laptop acquisition and inventory management practices, and strengthen laptop security controls. Specifically, it needs to improve its laptop recapitalization program to eliminate excess quantities of unused laptops.”

I have visited many commercial and government organizations throughout my career. It is not uncommon for employees to have more than one laptop or desktop. In many cases, the additional device is older and has been replaced by a newer one. The additional devices typically add to overhead, since they need to be updated, patched, and managed. Often, organizations simply lose track of the additional older devices.

Older devices that have not been disposed of properly may contain sensitive data. If the device is misplaced, lost, or even stolen by an employee who is aware the device is not properly tracked, then you may run into a problem as Coca-Cola did in December 2013. Coca-Cola reported that 74,000 individuals’ information had been compromised. The Wall Street Journal claimed that the “…Laptops were stolen by a former employee who had been assigned to maintain or dispose of equipment.”

Most organizations spend a lot of time evaluating and implementing security solutions; however, when the lifecycle of a device ends, the task of disposing of the device along with the data tends to be minimized or sometimes overlooked. This is probably because most IT employees are focused on upcoming projects and tasks.

In a post, Barb Rembiesa states that “Current trends show ITAM overlapping data security processes and concerns in several ways, especially around end-of-life hardware disposal and data security during the disposal processes.”

Organizations need to consider the disposal process of a device as a security task. The task should be assigned to a person who is properly trained. A method to verify that a device is properly sanitized and recycled should also be put in place. This type of service is offered by several third-party companies.

When a security breach becomes part of the news, those in charge of security will ultimately be held responsible. For this reason alone, those who are accountable for IT security should include ITAM as part of their security strategy.

In my next blog (Part 2), I will continue on this subject by addressing how ITAM processes will help you comply with government security requirements.