Three Reasons ITAM Should be Part of Your Security Strategy (Part 1 of 2)

Several years ago, we purchased a home in the country. The biggest difference I noticed is how dark and quiet it is to live there. When alone in the house at night, I get spooked at the slightest sound, so I am considering a security system. I counted how many windows and doors need to be monitored. I also counted how many ways there were onto the property so I knew where I needed to put the CCTV cameras. Knowing how many windows, doors and entry points I have is important information when installing a home security system. The most advanced security system in the world would not be able to protect me if I neglected to secure a single window or door.

It isn’t just your home that could benefit from a security system; your business can too. CCTV would be perfect for you to control who gets in and out of your premises, and installing commercialized doors can also help with added security. Keeping them in working order should help them to perform better. You can have a look at somewhere similar to the Industrial Door Company website here. It is important that you are safe and secure in your premises at all times, regardless of whether you are at home or at your business.

In the context of IT security, the most technologically advanced security systems available today will not protect your data if a single device goes unnoticed and, as a result, unsecured. Companies spend a lot of money to protect the data on their networks and devices. Penetration testing is a popular solution for finding weaknesses in a company’s network. The problem is that not every organization has a good strategy to track the devices holding their sensitive data.

Three reasons IT Asset Management (ITAM) should be a part of your security strategy:

  1. ITAM processes will track devices with sensitive data
  2. ITAM will control inventory by implementing end-of-lifecycle processes
  3. ITAM processes will help you comply with government security requirements

ITAM processes will track devices with sensitive data

In a blog post by Laura Heller, she says “…breaches continue with more shopper data stolen in 2014 than any previous year. It’s a pattern likely to continue in 2015 as long as companies focus on window-dressing IT security solutions that fall short by failing to include a solid foundation of IT asset management (ITAM).”

It is puzzling to me how organizations scramble to make sure they have the latest security patches applied to all their devices when the very meaning of ‘all’ is not completely understood. It’s like adding a home security system without knowing for sure that every window and door is monitored.

Generally, when securing a network, an inventory is taken of all the PCs, laptops, servers, and software prior to applying any security policies and applications. However, without proper, ongoing IT Asset Management, IT organizations are at risk of losing track of those devices. This is why many companies take advantage of PAM tools. It is important to understand that asset management is not a one-time event. If you lose track of devices, it becomes more difficult to ensure they are secure.

Jaime Kahan from Ernst & Young identified 10 key areas related to cyber-security where companies should focus their efforts. She identified IT Asset Management as one of those key areas. “Firms need to be able to identify who has access and to what physical and electronic assets within the organization. This would include but not be limited to laptops, computers, servers, software, iPads, mobile devices and electronic files.”

The cost of losing a device is minimal compared to the cost of losing data contained on a device. The reason it is so important to track devices, including the person who has access to the device, is to protect your data. This is a task that needs to be considered as another layer of security.

ITAM will control inventory by implementing end-of-lifecycle processes

A challenge many organizations encounter when tracking devices is that the task itself can be overwhelming. The reasons may include a lack of ITAM tools, a lack of ITAM education, and, in many cases, an inefficient disposal process for end of lifecycle.

On May 29, 2013, Frank W. Deffer, United States Assistant Inspector General of the Office of Information Technology Audits, sent a memo to the United States Coast Guard (USCG) after they performed a security audit. The memo stated that the “USCG needs to improve its laptop acquisition and inventory management practices, and strengthen laptop security controls. Specifically, it needs to improve its laptop recapitalization program to eliminate excess quantities of unused laptops.”

I have visited many commercial and government organizations throughout my career. It is not uncommon for employees to have more than one laptop or desktop. In many cases, the additional device is older and has been replaced by a newer one. The additional devices typically add to overhead, since they need to be updated, patched, and managed. Often, organizations simply lose track of the additional older devices.

Older devices that have not been disposed of properly may contain sensitive data. If the device is misplaced, lost, or even stolen by an employee who is aware the device is not properly tracked, then you may run into a problem as Coca-Cola did in December 2013. Coca-Cola reported 74,000 individuals’ information had been compromised. The Wall Street Journal claimed that the “…Laptops were stolen by a former employee who had been assigned to maintain or dispose of equipment.”

Most organizations spend a lot of time evaluating and implementing security solutions; however, when the lifecycle of a device ends, the task of disposing of the device along with the data tends to be minimized or sometimes overlooked. This is probably because most IT employees are focused on upcoming projects and tasks.

In a post, Barb Rembiesa states that “Current trends show ITAM overlapping data security processes and concerns in several ways, especially around end-of-life hardware disposal and data security during the disposal processes.”

Organizations need to consider the disposal process of a device as a security task. The task should be assigned to a person who is properly trained. A method to verify that a device is properly sanitized and recycled should also be put in place. This type of service is offered by several third-party companies.
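The tracking and end-of-lifecycle checks described in the two sections above can be run as a recurring reconciliation. The following is an added example, not part of the original post; the record fields, serial numbers, dates and the 90-day threshold are all constructed assumptions.

```python
from datetime import date

# Constructed sample data: an ITAM inventory, the serials that recently
# checked in with a patch/endpoint tool, and serials with a wipe certificate.
INVENTORY = [
    {"serial": "LT-1001", "owner": "asmith", "status": "in_use", "last_seen": date(2015, 3, 1)},
    {"serial": "LT-0442", "owner": "asmith", "status": "in_use", "last_seen": date(2014, 9, 12)},
    {"serial": "LT-0310", "owner": None, "status": "retired", "last_seen": date(2014, 6, 2)},
    {"serial": "SV-0007", "owner": "ops", "status": "retired", "last_seen": date(2015, 2, 27)},
]
PATCH_CHECKINS = {"LT-1001", "SV-0007", "LT-9999"}
SANITIZED = {"LT-0310"}


def reconcile(inventory, checkins, sanitized, today, stale_days=90):
    """Return findings keyed by category; each value is a sorted list."""
    known = {a["serial"] for a in inventory}
    findings = {
        # Seen by the patch tool but absent from ITAM: nobody owns the risk.
        "untracked": sorted(checkins - known),
        "stale": [],
        "retired_unsanitized": [],
        "retired_still_active": [],
        "owners_with_extra_devices": [],
    }
    per_owner = {}
    for asset in inventory:
        serial = asset["serial"]
        if asset["status"] == "in_use":
            if asset["owner"]:
                per_owner.setdefault(asset["owner"], []).append(serial)
            # In use on paper but silent: cannot be confirmed as patched.
            age = (today - asset["last_seen"]).days
            if serial not in checkins and age > stale_days:
                findings["stale"].append(serial)
        elif asset["status"] == "retired":
            # Retired without proof of sanitization may still hold data.
            if serial not in sanitized:
                findings["retired_unsanitized"].append(serial)
            # Retired in the records yet still reporting on the network.
            if serial in checkins:
                findings["retired_still_active"].append(serial)
    findings["owners_with_extra_devices"] = sorted(
        owner for owner, serials in per_owner.items() if len(serials) > 1)
    for key in ("stale", "retired_unsanitized", "retired_still_active"):
        findings[key].sort()
    return findings


if __name__ == "__main__":
    for category, items in reconcile(
            INVENTORY, PATCH_CHECKINS, SANITIZED, date(2015, 3, 15)).items():
        print(category, items)
```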

When a security breach becomes part of the news, those in charge of security will ultimately be held responsible. For this reason alone, those who are accountable for IT security should include ITAM as part of their security strategy.

In my next blog (Part 2), I will continue on this subject by addressing how ITAM processes will help you comply with government security requirements.

About Marcel Shaw
Marcel Shaw is a technology blogger focusing on ITSM, ITAM, and Endpoint Management at Marcel has worked as a technical consultant for more than 25 years for industry-leading IT companies with a focus on United States government agencies. Marcel's experience also includes working as a legal expert witness for IT management. Marcel writes about industry technology trends and best practices. He incorporates his views and his many years of experience to provide unique technology advice for people that manage and support IT solutions. Marcel Shaw graduated from Brigham Young University in 1991. Marcel has worked in both pre-sales and post-sales roles for companies such as Softsolutions, Novell, Dell, Softricity, Gateway, Landesk, and Ivanti. Marcel’s expertise and experience include networking technologies (LAN, WAN), IP infrastructure, Internet Caching technology, Storage and Fibre technology (SAN), Security Standards and Technologies, Document Management, Directory Services (NDS, AD, LDAP), Federal Security Standards and Requirements (DIACAP, FDCC, USGCB), ITIL, Asset Management (ITAM), endpoint Management, and endpoint security. Marcel has worked extensively with United States federal agencies solving IT problems. These agencies include USDA, NIST, FDA, DEA, DHS, FBI, DHA, Whitehouse Communications, Army, Air Force, Navy, Joint Task Force, NIH, Social Security Administration, IRS, NOAA, and FAA among others. All of Marcel's posts are edited by Carrie Shaw (@carrieshaw). She is not only a very good editor, but a great wife. Thank You