Asset management guidelines

IT asset management (ITAM) overview

Objective

Provide a single, integrated view of agency assets in order to allow agencies to

identify the asset location and assess the potential data risk if an asset is reported as
compromised or lost.

ITAM
Defined

Information Technology Infrastructure Library (ITIL) describes IT Asset Management

(ITAM) as all of the infrastructure and processes necessary for the effective
management, control and protection of the hardware & software IT assets within an
organization, throughout all stages of their lifecycle.

Scope

Physical: Deals with the physical

characteristics of hardware & software in
support of planning, deployment, operation,
support and service; installation/use data.

Physical
Inventory
management
Asset discovery
Asset tracking
Refresh

Financial
Procurement
Budget
Cost control
Investment Strategy

Contractual
Asset compliance
RFP preparation
Contract
maintenance
Vendor
management
SLA management

Value of ITAM
Monitoring and Detection

Incident
Response

A faster response time for identifying and

locating assets with sensitive data that have

been compromised

Compliance Audit
License compliance audits

by vendors are increasing,

making it important to
minimize the financial
penalties associated with
the oversubscription of
licenses

Audit &
Accountability

Limit Risk
Identify the number assets

Asset
Control
Software
Asset
Management

Standardized methodology

for collecting and reporting

on software and hardware
assets

Asset
Acquisition

Risk
Management

that contain sensitive data and

validate that the appropriate
security controls are in-place

Standardization

Security
Posture
Security
Understand what assets are in use and what rogue

Cost Savings
Reduces duplicate asset purchases

by agency departments, and avoids

needless overpayment of license
fees

devices could potentially introduce security risks to the

organization

Goal:
Deploy an evolving asset inventory that will enable agencies to continually improve their informed
decision-making, and risk mitigation capabilities.
3

Where to Start
Key
Accomplishment

Develop an approach for collecting and maintaining the agency's IT asset inventory and data

Planning

Data Collection

Analysis

Identify where IT assets are located

Develop a process to collect IT assets

Analyze the IT asset inventory

Establish an IT asset management team

Identify key stakeholders and asset

repositories

Define the ITAM scope

Refine the asset management standards to

include additional data attributes

Define asset management standards and

data attributes

Normalize data as it is entered into the

asset repository

Establish a centralized, single source asset

repository for the collection of IT assets

Establish access controls for the asset

repository

Define performance metrics, set targets and

monitor progress

Ongoing IT
Asset
Management

Define an IT asset
management
strategy and
refresh period

Develop data collection methodology and

process to expand the SCEIS asset
inventory

Automate the
centralized, single
source of truth for
IT assets

Perform internal
compliance and
enterprise
architecture reviews

Develop an asset management decision

framework to assist in making clear
investment choices in IT assets

Monitor hardware
asset changes

Provide IT asset
management training
for employees

Please note that the following process is a suggested approach to asset management and may differ agency from agency
4

Phase 1: Define the key components of ITAM

Planning

Step 1:
Resources and scoping

Data Collection

Analysis

Step 2:
Standardization

Identify roles and responsibilities

Define asset categories and attributes

Establish project management structure

Identify key contacts

Establish an asset repository for physical

information for each IT asset

Conduct scoping meetings with key asset

owners

Gather an asset inventory list from the

department that handles purchasing or
deployment of IT assets (i.e. procurement
department or help desk)

Develop understanding of current IT

environment and existing inventory reports

Define an authoritative data source for IT

assets in a structured and manageable
manner

Step 3:
Metrics
Establish asset management metrics

Develop metrics to measure and

demonstrate tangible benefits/results

Establish standard asset category

guidelines (e.g., servers, mobile devices)

o Percentage of assets that contain

sensitive information

Conduct workshops to determine the

current ITAM situation for each asset
category (e.g. software, infrastructure,
desktop, telecom, and telephony)

o Percentage of laptops under 3, 4, 5

years old

Standardize the naming convention for

each asset category and asset class.

o Percentage of assets discovered not

in the State procurement system

o Percentage of assets with asset

owners from x department

o Percentage of duplicate assets

o Percentage of unknown assets

Key Outputs
Key points of contact

Centralized asset repository

Meeting schedule

Standardized asset build guidelines

Asset management scope

5

Asset management metrics

Phase 1: Data standardization template

Asset Inventory
Template

Category:
Class:

Use an MS-Excel template for the manual collection of asset data if no automated capability exists. Create an
MS-Excel workbook and define individual worksheets for each asset category (e.g., Network, Desktop,
Servers). If necessary, combine multiple data collection spreadsheets into one master spreadsheet that will
represent the asset inventory.

LAN

WAN Desktops Servers Printers

Step 1:
Define Categories

Step 2:
Define classes
Data Attributes:

Step 3:
Define Data Attributes

Attribute Value:
6

Step 4:
Define Attribute Value

Mobile
Devices

Network Network
Wireless Other
Appliances Sensors

USB Devices
Cell Phones
Laptops
PDAs
Tablets
Other
Manufacturer
Model
Serial Number
Network Name
Operating System
IP Address
Applications
HIPAA Data
Owner
Contact Info
Location
Asset Tag
Checked out
Checked in
Yes/ No

Define all the asset classification-types

needed to accurately and
comprehensively describe the assets
found within the category within the
agencys environment.

Select the data attributes required to

accurately and uniquely describe the
individual asset classification.

Carefully define the data attributes value.

Use pull-down menus whenever possible
to minimize inconstant responses.

Phase 2: Develop a process to collect IT assets

Planning

Data Collection

Analysis

Step 4:
Data gathering

Step 5:
Refine and normalize

Perform data collection

Complete data rationalization to eliminate inconsistencies

Improve sustainability, availability, and quality of asset information

All processes from asset data collection through final report

generation/ distribution should be detailed and repeatable.
Limit the initial asset management phase to testing processes (one
asset category and asset type):

Normalize the collected asset data if multiple asset data sources are
used
Perform a data quality analysis to verify that:

o Use asset data that is well documented "so that the entire data
collection, rationalization and reporting process can be verified
for accuracy and inconsistencies eliminated

o Asset data collected is accurate and complete

o Reports accurately reflect the asset data counts and metadata

o Increase the asset data category collection incrementally

through each iteration

Key Outputs
Asset collection plan

Normalization and data rationalization procedures

Quality analysis asset management procedures

Phase 3: Analyze the IT asset inventory data

Planning

Step 6:
Decision framework
Develop a framework to improve the
management of assets
Track and trend metrics for stakeholder
review
o Where are assets located?

Data Collection

Analysis

Ongoing IT Asset Management

Integration

Sustainment

Identify opportunities to integrate

automated asset inventory solutions
Integration an automated IT asset
management tool with other IT solutions
(e.g., patch management, SIEM,
helpdesk)

Define the data refresh cycle and

ongoing asset management activities

Provide ongoing capabilities to track and

maintain an integrated IT asset inventory

Define the data refresh cycle:

o Industry typically refreshes asset
data every 3 months

o How does the asset provide value?

o How to derive (and demonstrate)
maximum value from IT
investments?

o How to manage risks and security

across the asset base?

Continually refresh the IT asset inventory

data by updating the existing asset data
and capturing new asset information

o What are the total number of laptops

in my environment that contain
sensitive data and have encryption?

Key Outputs
Asset management decision framework
Metric dashboard for the business

Automated asset management tool

implementation plan

Periodic baseline reports

Lessons learned
Why do ITAM Initiatives Fail?

Key Learning Points

Lack of executive mandate to comply with ITAM processes

ITAM must be a solution to a business problem

Attempting to satisfy multiple constituents: fiscal versus

operational interests

ITAM is more process and organization than technology

Implement in a staged approach

Metrics are needed to measure and demonstrate

benefits/results

Tangible results are highly dependent on management of

integrated asset, contract, vendor and financial portfolios
data standards are a challenge

Reports and data requirements poorly defined, often without

data architect expertise

Change management is critical to maintaining database

integrity

Manual data entry, collection and integration processes are

frequently incomplete, inaccurate and poor quality causing
additional data reconciliation effort

Automate ITAM data collection, normalization and

rationalization processes as much as possible

Lack of authority or will to enforce asset management process

and policy compliance
Poor or nonexistent change management lead to a loss of
ITAM database integrity
Expecting a tool to solve a process problem

Lack of a mechanism for maintaining manually-entered data

(e.g., metadata, warranty, contract)
Little or no tracking and reporting of business benefits
Lack of defined standards for server builds, configurations,
and other infrastructure