Risk Management within ITAM

07 August 2015

We often hear that IT Asset Management can help organisations manage their IT assets, and prevent any unwanted surprises. We believe that ITAM can help organisations avoid ‘messy situations’ and can help organisations become more aware of any existing or potential risks within their environment.

With that said, we also believe that ITAM can help ‘clean-up’ any existing mess, through the use of processes, people and technologies. ITAM can help clean up your software and hardware estate, and provide clarity and transparency on any risks, thus helping increase the maturity of the ITAM estate.

Identifying Risks

There are a number of methods for identifying ITAM risks, both from a hardware and software perspective. There are a number of inventory and software management solutions on the market, with SAM tools being extremely sophisticated and helpful in managing your software and hardware estate. However, a solution can only find and inventory the machines that it can reach. There may be machines that are not connected to the network, or that a firewall is preventing from being inventoried. As we’ll mention later, it is important to compare different sets of data to ensure you have complete visibility of your ITAM estate.

Processes and ITAM professionals can also identify risks through day-to-day workings or by talking to other users. They can identify future projects that may have an impact on hardware and software, be made aware of any potential audits, and generally have their ‘thumb on the ITAM pulse’ and be aware of existing and potential risks. Processes are the key to identifying and addressing risks, as they can be the discoverer and cleaner of any ITAM messes!

Hardware Risks

Not disposing of your hardware correctly. There are a number of legal ways in which to dispose of or recycle your hardware assets. Organisations will come and take away all of the hassle and stress of physically disposing of your hardware for you, but you must make sure you correctly retire the asset from your environment. ITAM processes can help ensure you retire and dispose of an asset correctly. You may need to destroy the hard drive to ensure no data or software is re-used, and you may need to remove certain components (such as RAM, graphics cards, etc.) that can be re-used or put into storage. There are options for you to sell your devices for a small amount of money to organisations that then give them to schools or charities. It depends on your local laws and rights.

Compatibility with software. Experience dictates that identifying whether new shiny software will work with existing hardware is an after-thought for most organisations. This can end up being a major risk, with an investment in software that is not compatible with existing systems, which is likely to result in a needed investment in new hardware. This means more money spent, and redundant physical assets.

Mismanagement of the physical asset. Not correctly managing the physical asset is a major risk for any organisation. ITAM and IT need to be aware of where the physical asset is at all times; consider it as being on a piece of elastic. Once given out, IT need to know exactly what it is being used for, by whom, and where the device is. Once it is no longer in use or no longer required, it needs to be returned to IT. Allowing users to ‘hoard’ machines, or not knowing where a physical asset is, can result in non-compliancy and overspend on software and hardware, and it is generally against best practice.

Low inventory accuracy. Before you can identify any hardware risks, your organisation needs to be sure that you are inventorying a high percentage of your hardware assets. This can be checked by using a number of different data sources, including an inventory tool, Active Directory, SCCM and HR data. It may take a lot of work and time to increase the accuracy percentage of known hardware assets, but by using ITAM processes you can ensure that you have complete visibility of your hardware assets. Having complete visibility then allows you to identify and manage any hardware risks, and also any software risks that are on those machines.
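The cross-check described above can be scripted. The following is an added example, not part of the original article: it compares the inventory tool against Active Directory, SCCM and HR data, reports coverage, and lists machines the inventory tool has never seen. The source names come from the article; the hostnames, the `normalise` rule and the function names are assumptions made for the illustration.

```python
"""Cross-check hardware inventory coverage against other data sources."""

# Constructed sample data. Source names follow the article; hostnames are invented.
SOURCES = {
    "inventory_tool": {"LAP-001", "LAP-002", "SRV-010"},
    "active_directory": {"lap-001", "lap-002", "lap-003", "srv-010", "srv-011"},
    "sccm": {"LAP-001", "LAP-003.corp.example", "SRV-010"},
    "hr_assignments": {"LAP-001", "LAP-002 ", "LAP-004"},
}


def normalise(name):
    """Reduce a hostname to one comparable form: trimmed, upper case, no DNS suffix."""
    return name.strip().upper().split(".")[0]


def reconcile(sources, primary="inventory_tool"):
    """Return (coverage, missing, single_source) for the primary inventory source.

    coverage      - share of all known hosts that the primary source has inventoried
    missing       - hosts other sources know about but the primary source does not
    single_source - hosts only one source has heard of (stale record or blind spot)
    """
    norm = {src: {normalise(n) for n in names} for src, names in sources.items()}
    universe = set().union(*norm.values())
    seen_by = {
        host: sorted(src for src, names in norm.items() if host in names)
        for host in universe
    }
    missing = {h: s for h, s in seen_by.items() if primary not in s}
    single_source = {h: s[0] for h, s in seen_by.items() if len(s) == 1}
    coverage = len(norm[primary]) / len(universe) if universe else 1.0
    return coverage, missing, single_source


if __name__ == "__main__":
    coverage, missing, single_source = reconcile(SOURCES)
    print(f"Inventory tool coverage: {coverage:.0%}")
    for host in sorted(missing):
        print(f"  not inventoried: {host} (seen by {', '.join(missing[host])})")
    for host in sorted(single_source):
        print(f"  verify manually: {host} (only in {single_source[host]})")
```

Hosts that appear in Active Directory or HR records but not in the inventory tool are the ones that receive no software inventory, so any software risk on them goes unseen until they are brought under management.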

Software Risks

Along with hardware risks, there are also a number of software risks that ITAM can help identify and manage. As we’ve mentioned, the best method for identifying software and licensing risks is through a sophisticated solution. However, the solution is only as good as the people and processes using it; there is no silver bullet tool.

Non-compliancy. The biggest software risk is non-compliancy. For those that are not aware, non-compliancy is when a user or organisation doesn’t have enough licenses to cover all of their installs, or they are using the software in such a way that breaches the terms and conditions of the licensing agreement. In extreme cases there are also organisations that copy or pirate software. Software vendors are pretty hot on software audits at the moment, and the results of being non-compliant can range from huge financial fines to a severely damaged reputation for the organisation.

Over purchase / over spend. Over-purchasing or over-spending on software can be just as bad as being non-compliant. Spending too much money is a risk to the ITAM function as it shows that it is not being as effective as it should be. It is important that organisations do not pay any more money for software than they need to, and that they don’t purchase any additional licenses without the knowledge of any future projects or plans that will use up the licenses.

A lack of licensing knowledge. Enterprise organisations will have hundreds of thousands of different software vendors with different licensing metrics. It is impossible to assume or demand that the SAM/ITAM professional within the organisation will be a licensing guru for each vendor, as that simply isn’t possible. However, the organisation should prioritise their software vendors, and become experts for the most used/biggest spend or highest audit risk vendors. If the organisation still does not have the resources or knowledge to successfully manage the identified biggest risk vendors, then it is always worth bringing in external help and support to manage those licenses.

Mismanagement. This is a broad area of risk within SAM, but it mainly relates to the mismanagement of the software license, any licensing contract documentation, and the physical software (or the software packages). Misplacing any documentation can result in the organisation not fully knowing or understanding what their licensing entitlement is, and can cause problems for the organisation with any audits. You can ask the vendor for a copy of all of the licenses you have purchased, but this will ring alarm bells for the vendor as it shows you cannot manage your licenses correctly.

Other Risks

Not understanding your entitlement or agreement. This is slightly different to not understanding the license metrics. Depending on the vendor, you may have a unique set of rights to use the software in certain ways, ways in which other organisations may not be able to use the software. Not knowing your license entitlement or agreement can result in non-compliancy and can result in ignorance

Audits. The dreaded A word. Whilst ITAM cannot help avoid audits, it can help organisations be ‘audit ready’ and prepared for an audit. This is usually in a proactive ITAM environment, whereby audits do not result in great disruption, but roles and responsibilities are clearly defined and users know what audit processes to follow. ITAM can help organisations experience a positive audit, rather than the catastrophic scenario that would happen without a presence of ITAM.

Cloud computing. A relatively new risk for ITAM, and one that is certainly causing a few problems at the moment. The main issue is around data; where is it stored? Who has access to it? What happens if the vendor loses any data? There are a number of vital questions that the ITAM team should ask a vendor or cloud-computing provider before making an investment.

Conclusion

You may already have been in this position, but imagine you are entering a new organisation who are just starting to implement ITAM. How would you advise they start to look at and address their risks? Where should they start? What resources do they need to help identify and eliminate risks?
Please have your say, and leave a comment below.
