Tag Archives: Asset Management

I.T. ASSET MANAGEMENT, NOT A ONE TIME EVENT

A government agency in Washington, D.C. was informed of a hard drive recall because a certain type of hard drive in their new PCs’ could overheat and potentially start a fire. The PC vendor had three hard drive suppliers and only one of them reported hard drive issues. As a result, the government agency had to open 3,000 PCs to replace 1,000 hard drives.

If you figure it took 10 minutes every time a PC was opened to verify the type of hard drive being used, then 20,000 minutes (333 hours) was wasted opening PCs that did not actually have a hard drive issue. With asset management tools in place, the agency could have created a report that displayed the names of all the PCs with the defected hard drive.

2014-12-03_0-06-40

After replacing all hard drives, asset discovery tools would also have discovered the new hard drives as soon as they connected to the network. Remember, just because an asset was added to the management database does not mean it is being tracked. An ongoing asset inventory process is needed to track an asset.

Asset discovery should not be a one-time event. It should be a continuing process that runs on your network. Asset discovery tools provide details about your IT assets by taking inventory of all the asset components on a regular basis, then reports the information back to a central database. Without tracking, assets are easily misplaced or lost.

In one study, laptops were reported to have a 5-10 percent chance of going missing during their lifecycle. Theft accounted for 25-40 percent of those missing laptops. The rest were simply missing. Ongoing inventory processes with most asset management systems will flag assets that stop communicating on the network.

IT Asset Management starts with choosing the right asset discovery tools. To make sure you have a tool that can discover and track the asset for its entire lifecycle in your organization, use the following checklist to define your IT Asset Discovery tool requirements.

The IT Asset Discovery Tool Checklist

2014-12-02_9-01-28

Discovers Hardware Details

Choose discovery tools that give you detailed information about your devices. Information, such as part numbers and serial numbers for all the components that make up an IT asset, is not too much to ask. This type of information will come in very handy in the event of a hardware recall.

Discovers Software Details

Choose a discovery tool that can tell you about the Firmware, Drivers, Operating System, and the Software installed on all your PCs and laptops. At face value, you may not think that having this information is important for your security requirements. In actuality, having the ability to verify versions of your software is directly related to your security baselines.

Many older versions of software do not meet current security requirements. Security tools that keep software applications updated often do not account for additional installations of older versions of that same software on the same machine.

Also, do not forget about those software audits, which can cost your organization lots of money. It is important your discovery tools have the ability to give you an accurate inventory of all installed software. You need to know the version installed and the name of the PC or laptop where it is installed. I will discuss software audits in much more detail in an upcoming blog.

Checks-in Often

The asset information in your database is a snapshot in time. The accuracy of your asset information deteriorates over time. For example, imagine it has been a week since your PCs and laptops have checked into the asset management database. If you run a report today to see how many installations you have of a software application, your report will be a week old based on when the asset data was last updated.

Asset Management tools need to “monitor” the assets and report back on a regular basis. It is important to have a report that tells you how long it has been since an asset has checked in. Assets that have not checked in for several days should be flagged and investigated. The asset data should be in question and investigated until the asset is recovered.

Tracks Assets over the Internet

Many organizations allow their users to take their laptops with them for business travel or to work at home. When asked, many IT administrators feel confident about the accuracy of their IT asset information, including the security posture of those assets with one caveat, the remote users. It is important to have asset discovery tools that continue to monitor assets even when off the internal network.

Choose tools that can use the internet to connect to those assets to get any updates or changes. Many IT asset monitoring agents can be configured to “call home” using the internet. Make sure the discovery tools you choose meets this requirement. Simply waiting for the end-user to VPN on to the network so that you can get any asset updates is inefficient and unreliable. Tools that connect and update the asset management database each time the user connects to the internet should be the requirement.

Tracks Asset Changes

Choose asset management tools that can detect changes to your hardware or software. To minimize network traffic, only changes should be sent over the network to the asset management database.

Avoid tools that send ALL of the asset’s information each time the asset checks in to the asset management database. This can cause additional network traffic.

Tracks Location

Choose asset discovery tools that have the capability to provide the location of the asset. Determining the location of the asset can be done by looking at the IP address and mapping the address to the actual location. You could also track the asset location by the associated end user.

No matter how you locate the asset, choose an asset discovery tool that can provide a way for you to locate the asset you are managing. If the asset is off the network, then you should at least know who has it and that the asset is “remote.”

Eliminates End User Disruption

Choose a tool that prevents the end user from interrupting the ongoing processes and communication with the asset management database. The best way to prevent users from interrupting the asset management procedures is to make the solution transparent. If the local agent software is interrupted or removed, the asset tool should have the ability to detect and repair the local agent so that it can continue to report on the state of the asset.

Summary

The foundation of IT Asset Management is collecting all the asset information. Choose discovery tools that detect both hardware and software. Utilize discovery tools that keep the asset management database up-to-date by monitoring the assets for any changes to hardware and software. Make sure the tools you choose work on the internal network and over the internet. To ensure accuracy, implement measures to prevent users from interrupting the asset discovery tools. Remember, not only is it important to know the asset exists, it is also important to know where it is located.

Follow me on Twitter @marcelshaw

IT Asset Management, a Three Tiered Approach (Part 4 of 4)

IT Asset Lifecycle Management Process Automation

IT Asset Lifecycle Management is Tier Three of IT Asset  Management.

2014-11-18_13-15-51

Tier three is about managing IT Lifecycle Processes. This includes automating your processes to eliminate human error which can occur while doing manual input. It is important to choose automation tools that meet your asset management requirements and that allow you to apply ITAM principles.

Asset Lifecycle Process

The lifecycle of an asset is usually determined by the type of asset being managed. For example, the lifecycle of a laptop would be much different than the lifecycle of a software asset. To create an asset lifecycle process, you need to understand how you purchase, receive, procure, and dispose of an asset. A laptop lifecycle process may look something like this:

2014-11-18_10-56-51  

State Map

Each part of an asset’s lifecycle is a “State.” To determine the States of the lifecycle process, create a diagram such as the one above. Use your diagram to determine each State that will be used in the asset lifecycle process. For example, based on the diagram above, the different States assigned to laptops may look something like this:

2014-11-18_11-44-38

The State of the asset tells you where the asset is in the lifecycle. The lifecycle process should NOT allow you to bypass States. In the diagram below, A can be changed to B, B can be changed to C, and C can be changed to D, E, or F.

2014-11-18_11-20-33

In this example, A should not be allowed to jump to C, D, E, or F and B should not be allowed to jump to D, E or F. The method you use to change the State field should be enforced through an automated process.

If you rely on manual input to change the State of the asset, there is a greater possibility of human error and as a result, you will very likely lose track of some of your assets. Choose asset management tools that allow you to enforce your lifecycle processes by using process automation.

Process Automation for IT Asset Lifecycle Management enforces lifecycle processes by automatically enforcing the pre-determined lifecycle path.

For example, when a laptop arrives at the loading dock, a barcode scanner may be used to account for every box unloaded. If the asset is tracked from the time it was purchased, based on the laptop lifecycle process above, the moment the asset is scanned by the barcode scanner, an automated process should change the State from “Ordered” to “Received.”

When you evaluate tools for asset lifecycle process automation, it is helpful to understand the two types of process automation tools available: In-App Processes and Out-of-App Processes.

In-App Processes

In-App processes are processes that run within a software tool. The processes are designed as part of a software application or a software suite. They are usually built to support the features offered by the software.

2014-11-18_12-11-56

A good example of In-App processes can be found in many ITSM tools. For example, an incident opened by the help desk will have a process associated with it to define how the incident is assigned, escalated, and closed.

However, if you attempt to do IT Asset Lifecycle Management using In-App processes from your ITSM tool, it might be a challenge since the processes were built to support the ITSM software solution.

Out-of-App Processes

Out-of-App processes are independent of a software tool. The goal for this type of process tool is automation. Out-of-App process tools are much more flexible which means you could build help desk processes with this type of process automation tool; however, it would require a lot more. For example, additional tools would be required to build forms, to build and manage a database, and to build reports.

The advantage of an Out-of-App process automation tool is the ability to build automation using multiple databases and software tools within your organization.

For example, your organization may build a form on the internal web site to order new printer toner. When the toner is ordered, a process may take the data and automatically update the purchasing department’s database, create a purchase order, and send it to the printer vendor without any intervention.

Hybrid-App Process Automation For IT asset lifecycle management, the best solution for process automation would be to have a hybrid of In-App process automation tools and Out-of-App process automation tools. Having both types of process automation tools would allow you to fully automate all your IT asset requests.

 

Hybrid-App

Many organizations use an ITSM tool for IT Asset Request Management. You could automate IT asset request processes from your ITSM tool using your IT asset management lifecycle processes.

If your asset lifecycle processes are Out-of-App processes, they will not only update the asset management database, they will also update the finance database, contracts database, and create the purchase order.

An Out-of-App process can also take a software request made from your ITSM solution and pass it to your software distribution tools, update the Asset Management database, and then notify the ITSM tool that the application has been delivered and installed. I will address asset management and help desk integration in greater detail later this year.

Summary

IT Asset Lifecycle Management is tracking an IT asset from when it is requested to when it is disposed. Lifecycle processes will track the State of the asset that is managed by the organization. Asset Lifecycle process automation enforces lifecycle processes by eliminating human error.

Process Automation can integrate and automate your IT Asset Management tools with other tools on your network. Using a three-tiered approach to implement asset management will help you collect, organize, and manage your assets when applying ITAM principles.

Follow me on Twitter @marcelshaw

See Also:

IT Asset Management, a Three Tiered Approach (Part 1 of 4)

IT Asset Management, a Three Tiered Approach (Part 2 of 4)

IT Asset Management, a Three Tiered Approach (Part 3 of 4)

IT Asset Management, a three tiered approach (Part 1 of 4)

Asset Management is an enormous task for any IT department. Gartner predicates shadow IT expenditures will reach 35% in 2015. IT Assets not tracked may pose security risks and additional costs.   An IT Asset Management strategy is critical however the larger your organization, the harder it becomes to track every IT asset. Learn how to take on the IT asset management challenge by using a three tiered approach.

 Asset-Management-Graphic

Tier 1 – Asset Data Collection

Tier 2 – Asset Data Intelligence

Tier 3 – Asset Lifecycle management

When organizations neglect any of these components, they have a security problem in addition to an IT asset management problem.

 Tier 1 – Asset Data Collection

Collecting your asset information is the first consideration for IT asset management. It is important to have a central database that contains all the asset information you collect. Next, you need tools that scan your network on a regular basis. These tools need to report back to your database, providing as much information about all the devices connecting to your network. These tools also need to provide a way for you to connect to your business partners, so you can begin to track your asset from the moment you issue a purchase order. These tools should also integrate with mobile devices, such as bar code scanners, that are used to collect asset information. Most important of all, is to have a method to inventory every software application and virtual OS that runs on the hardware you have in your inventory. I will go into tier 1 in greater detail on my next blog.

Tier 2 – Asset Data Intelligence

Tier 2 is where the magic happens. After the asset information is stored in the database, you will have thousands and thousands of data points at your fingertips. Now it is time to normalize the information, to map the assets to relevant information, and to link the assets to their contracts, projects, departments, and people.

Tier 3 – Asset Lifecycle Management

IT assets are upgraded and change on a regular basis. You need to build processes that control how you purchase, procure, and dispose of IT assets. This includes virtual devices and software, along with the associated software licenses. Tier 3 is where you apply ITAM principles. Follow me on Twitter @marcelshaw

Questions to consider regarding Shadow IT

What is Shadow IT?

Shadow IT refers to IT devices and applications that an organization does not track or manage. In many cases, the organization does not even know these devices or applications exist. Furthermore, they cannot audit and track how these assets are being used.

Is it costing my organization money?

Gartner once estimated that 35% of enterprise IT expenditures will happen outside of the corporate IT budget in 2015.    However, there are organizations that believe shadow IT actually reduces costs.

Projects that use Shadow IT increasingly have the resources and bandwidth to build solutions on their own and can deliver them much faster. Thus reducing the budget that would otherwise be required for overall IT expenses. In other words, some say it is a wash.

Are there many risks created by shadow IT?

Let’s start by looking at the top security breaches in 2014 so far..

eBay

145 million customer names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth. The breach is thought to have affected the majority of the company’s 145 million members.

Michaels Stores

The company said up to 2.6 million payment card numbers and expiration dates at Michaels stores and 400,000 at Aaron Brothers could have been obtained in the attack.

Montana Department of Public Health and Human Services

Names, addresses, dates of birth and Social Security numbers on roughly 1.3 million people

Variable Annuity Life Insurance Co.

A former advisor used a thumb drive to obtain Social Security numbers and other details on 774,723 of the company’s customers.

Spec’s

Texas wine retailer’s network resulted in the loss of information of as many as 550,000 customers. Hackers got away with customer names, debit or credit card details, card expiration dates, card security codes, bank account information from checks and possibly driver’s license numbers.

St. Joseph Health System

Approximately 405,000 former and current patients’ and employees names, Social Security numbers, dates of birth, medical information and, in some cases, addresses and bank account information.

When business processes are not under the control of a centralized IT or IS department, there is an increased risk that shortcuts will be taken, security procedures will be overlooked, and at least one or more of the security standards your organization adheres to will be compromised.

If we embrace Shadow IT, what Security Standards could we break?

  • FISMA (Federal Information Security Management Act of 2002),
  • GAAP (Generally Accepted Accounting Principles),
  • HIPAA (Health Insurance Portability and Accountability Act),
  • IFRS (International Financial Reporting Standards),
  • ITIL (Information Technology Infrastructure Library),
  • PCI DSS (Payment Card Industry Data Security Standard),
  • TQM (Total Quality Management), etc.

How should we approach the problem?

The bottom line is that you can’t secure something you don’t know about. It’s time for organizations to implement IT Asset Management processes. I suggest a three tiered approach which I will discuss in an upcoming blog.