IT Asset Management – Governance Policies & Procedures

Kyle Daun
Feb 28, 2020 1:00:00 PM

One of the most daunting and time-consuming tasks that an IT administrator can face is logging, monitoring, and tracking assets for their organization. Depending on the size of an organization, tracking can vary and may or may not include a robust program with various tools and spreadsheets that track the acquisition and lifecycle of assets. This multipart blog series will outline some of the various areas that should be addressed to have an operational and functional IT asset management program, as outlined below:

  1. Establishing governance policies and procedures
  2. How hardware and software are acquired
  3. Monitoring and upgrading assets throughout their lifecycle
  4. Disposal of assets once their lifecycle has ended

Several frameworks including ISO 27001/2, PCI-DSS, HIPAA HITECH, and NIST require that some form of asset management is in place and operational for organizations to be compliant. Regardless of how assets are tracked and managed, having a program that can meet all your organization’s needs is vital to keeping an operational business successful.

The first step in an asset management program is to establish the governance and policies that will dictate senior executives’ and the organization’s goals and standards. This process should include the following at a minimum:

  • How employees or the organization request/acquire assets
  • How assets are approved and inventoried before being introduced to the environment
  • How assets that haven’t been pre-approved are vetted, approved or denied, and what actions are taken if they are denied
  • Purchasing assets from reputable, pre-approved vendors that have been vetted using a vendor risk assessment
  • Actions employees must take when the asset arrives or is acquired before introducing the asset into the organization’s environment
  • Tracking and monitoring of assets throughout the lifecycle
  • Decommissioning of assets once their lifecycle has ended

Once the governance portion has been established and approved by executive management, it should be distributed to the workforce and the necessary training conducted. As with other established policies and procedures, this ensures that all personnel know and understand the process and the organization’s goals moving forward. Regardless of organization size, a working governance program that outlines executive management’s goals will ultimately improve the workflow and productivity of the organization and its employees.

The next section of the IT asset management program to be discussed is the acquisition of assets from reputable and vetted vendors. After the process for acquiring assets has been established, the real work of monitoring and maintaining them begins. When assets arrive at the organization, they should be logged, tagged, and configured to the organization’s baseline security standards before being allowed access to the environment. Once an asset has been granted access, its monitoring and compliance with organizational standards need to be maintained. Periodic audits throughout the year, including an annual audit, should occur to ensure that all assigned assets are in the locations they are assigned to and with the employees responsible for them.

As the Information Security Officer (ISO) for Compass IT Compliance, I use a cyclical quarterly audit and a full inventory audit to ensure that all assets are accounted for and accurately tracked. During these audits, like many organizations, we find discrepancies, which are logged and then remediated as needed. I have found that the quarterly audits help ensure that employees are following our established procedures and reduce the time spent on our full annual audit. Regardless of how frequently these audits occur, the overall goal is to ensure that all assets are tracked and that no unauthorized assets are operating within the organization.
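As an added example (not code from the original post or from Compass IT Compliance), the reconciliation step of such an audit in Python: the asset register is compared against what auditors or scans actually observed, and the three discrepancy types the audit looks for are returned for the remediation log. The register, observations, asset tags, owners and locations are all constructed sample data.

```python
# Added example: reconcile an asset register against audit observations.
# Flags assets that are missing (assigned but not seen), unauthorized
# (seen but never approved/inventoried), and misplaced (seen in the wrong
# location). All data below is constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    tag: str       # organization asset tag applied at intake
    owner: str     # employee responsible for the asset
    location: str  # location the asset is assigned to


# Constructed register: what the governance program says should exist.
REGISTER = {
    "CIT-0001": Asset("CIT-0001", "alice", "Boston"),
    "CIT-0002": Asset("CIT-0002", "bob", "Boston"),
    "CIT-0003": Asset("CIT-0003", "carol", "Providence"),
}

# Constructed observations from a quarterly audit: (tag, location seen).
OBSERVED = [
    ("CIT-0001", "Boston"),
    ("CIT-0003", "Boston"),   # assigned to Providence -> misplaced
    ("UNKN-77", "Boston"),    # no register entry -> unauthorized
]


def reconcile(register, observed):
    """Return discrepancies grouped by type; each list is sorted for stable logging."""
    seen = {tag: loc for tag, loc in observed}
    missing = sorted(tag for tag in register if tag not in seen)
    unauthorized = sorted(tag for tag in seen if tag not in register)
    misplaced = sorted(
        (tag, register[tag].location, loc)
        for tag, loc in seen.items()
        if tag in register and register[tag].location != loc
    )
    return {"missing": missing, "unauthorized": unauthorized, "misplaced": misplaced}


if __name__ == "__main__":
    for kind, items in reconcile(REGISTER, OBSERVED).items():
        print(f"{kind}: {items}")
```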

Throughout the lifecycle of an asset, upgrades are introduced and newer and better products come onto the market, requiring decisions on whether to maintain the asset or part ways with it for a different product. If an asset has reached the end of its usability for an organization, the final step of the asset management process needs to take place. Assets should be tracked up until they are properly disposed of. This could mean that hardware is taken offline and stored securely for an extended period until proper disposal occurs. It’s important that these assets remain tracked during that period, to ensure that items don’t leave the organization without proper approval and that organizational data isn’t leaked or disclosed to unauthorized personnel. Contact us today to learn more!

Part 1: IT Asset Management – Governance Policies & Procedures

Part 2: IT Asset Management – Acquisition of Assets

Part 3: IT Asset Management – Monitoring and Maintaining Assets

Part 4: IT Asset Management – Disposal of Assets
