Q. What is your current role?
An important part of my role as security manager is to identify, evaluate, track and classify company assets. These assets can be physical ones such as servers but also business processes or information. Risk assessments for these assets and safeguard implementations are equally part of my tasks.
Q. What exactly does your open source ITAM software do?
The main benefits of the application are a coherent global view and management of partners, contracts, licenses and assets while ensuring separation of duties. The application allows multiple views and analysis:
- Users from HR and from the Legal department can manage parties and contracts.
- The notion of customer/provider is linked to the contract; the same party can be both a buyer and a seller in different contracts.
- Currently, the following contract types are defined: Customer, Provider and Non-Disclosure Agreement.
- The IT department manages servers, licenses and assets.
- The frontier between the IT and the HR/Legal views is that IT personnel can associate licenses to existing contracts and link servers or assets to particular clients but they cannot create, delete or change clients or contracts.
- The Information Assurance and Security personnel use the system to check dependencies between assets.
- This is useful for asset valuation/risk assessment (the asset’s value is greater if more assets/business processes depend on it).
- Correctly identifying these dependencies is key for Business Continuity and for Disaster Recovery planning.
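To illustrate the dependency-based valuation described above, here is an added Python example (not code from the interviewee's ITAM application); the inventory is a constructed sample and the asset names are assumptions.

```python
from collections import deque

# Constructed sample inventory (not from the interviewed company's system):
# each asset maps to the assets it directly depends on.
DEPENDS_ON = {
    "process:invoicing":      ["app:erp"],
    "process:payroll":        ["app:hr-portal"],
    "app:erp":                ["db:postgres-1", "license:erp-enterprise"],
    "app:hr-portal":          ["db:postgres-1"],
    "db:postgres-1":          ["server:srv-db-01"],
    "server:srv-db-01":       ["server:san-01"],
    "license:erp-enterprise": ["contract:vendor-erp"],
    "contract:vendor-erp":    [],
    "server:san-01":          [],
}

def dependents_of(asset, depends_on):
    """Return the set of assets that transitively depend on `asset`.
    Breadth-first search over the reversed graph with a visited set, so a
    cyclic or diamond-shaped dependency graph cannot loop or double-count."""
    reverse = {}
    for a, deps in depends_on.items():
        for d in deps:
            reverse.setdefault(d, set()).add(a)
    seen, queue = set(), deque([asset])
    while queue:
        cur = queue.popleft()
        for parent in reverse.get(cur, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen

def rank_by_impact(depends_on):
    """Rank assets by how many business processes, then how many assets in
    total, would be affected by their loss: the top rows are the assets whose
    value is highest and which deserve priority in BC/DR planning."""
    rows = []
    for asset in depends_on:
        deps = dependents_of(asset, depends_on)
        processes = sum(1 for d in deps if d.startswith("process:"))
        rows.append((asset, len(deps), processes))
    return sorted(rows, key=lambda r: (r[2], r[1]), reverse=True)

if __name__ == "__main__":
    for asset, n, p in rank_by_impact(DEPENDS_ON):
        print(f"{asset:26} dependents={n:2} processes={p}")
```

The shared storage and database rank above the applications because two business processes depend on them, which is exactly the effect the valuation rule describes.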
Q. How long did it take you to develop the software?
The design and development of the software took around 5 months.
Q. Does it integrate with other systems or ITAM Tools?
It would be quite easy to integrate it with the OCS Inventory Management (Open Source IT Inventory Management Software) or OSSIM Open Source Security Information Management system.
Q. Why not buy ITAM software off the shelf?
We wanted to have a system which offered all the functionalities detailed above for our Legal, HR, IT, Information Assurance and Security users. With current off the shelf solutions, we would have been forced to deploy several different applications for each user category (OCS for IT, OSSIM for information assurance and security management and another system for Legal and HR).
Q. How has your company supported you in this project?
The decision was made by top management and was motivated by the fact that this software is not related to the company’s core activities. In addition, it can be useful for any company that has to manage clients, contracts, licenses, servers, etc. Our end users have expressed their needs in a clear and exhaustive fashion to help with requirements.
Q. What platform does it require – are there any prerequisites for installing?
The platform functions on Windows and Linux; thanks to the underlying framework, it can be deployed on any database supported by Django (currently PostgreSQL, MySQL, SQLite, Oracle and MS SQL).
Q. How can people build on it?
People can easily extend the application’s model to add new concepts and functionalities (for example adding Threats for each Asset type and implementing Risk Assessment functionalities). It is also extremely easy to build new reports, graphs and email alerts.
Q. What is planned for the future?
We plan to add the concepts of Threat and that of Safeguard in order to be able to model the cost effectiveness of existing and future defenses. This is another situation where a coherent global view between Legal, HR, IT, Information Assurance and Security is essential. The Legal department can propose creative ways of dealing with risk or threats, for example by negotiating new contracts or modifying existing partner or insurance deals as well as non-disclosure agreements and internal rules and regulations.
If you have any other questions for Marc please post them below or contact me directly.