ITAM Primer - The Program Manager's Guide to IT Asset Management

Part 5: Vendor Management

“To know what you know and what you do not know, that is true knowledge.” — Confucius

Organizations depend on hundreds of vendors that comprise a supply chain of IT asset products and services. Types of vendors include manufacturers, resellers, ITAD vendors, cloud service providers, and tool vendors. Some vendors provide direct products and services to the organization, while others are part of a supply chain. For example, many organizations purchase their software through a reseller of the manufacturer’s software. A cloud service provider depends on products and services from other vendors. The vendor relationship is complicated, and the organization’s success is dependent on the vendor’s performance.

Vendor Management

A robust IT vendor management program is required if IT vendors form the foundation of an organization’s success. IT vendors need to be managed differently than typical vendors. Some vendor management programs manage vendors to the lowest common denominator. For example, invoices are rated based on the accuracy of the line items and sometimes just the total charge. This means the IT vendors are managed based on the same criteria as those that supply toilet paper! Yet we know invoices for software asset management require much more scrutiny, including an accurate software title, seller name, and buyer name.


Not all vendors are managed to the same degree. Vendors are ranked based on spending, criticality, and risk. The vendors are managed based on the contractual agreement created during the Acquisition Phase, which is another reason ITAM must be involved in contract negotiations. If software license compliance is defined as adhering to the terms and conditions of the license agreement, then vendor compliance is defined as adhering to the terms and conditions of the vendor contract.


Vendor management requires people skills. The vendor manager must solicit input from anyone interacting with the vendor’s solutions or personnel. The vendor’s solutions, personnel, and billing performance are represented in the vendor scorecard, a tool used to provide feedback to the vendor efficiently. The frequency of meetings with the vendors depends on their ranking. Vendors the organization depends on most meet more frequently with vendor management than vendors who contribute little to the organization’s operations.


The vendor management effort also depends on the IT asset type, which includes services. For example, a vendor that provides mobile asset management lifecycle support requires more effort to manage than a vendor whose mobile assets are acquired with only a warranty. The importance of ITAM vendor management has been significantly elevated with the adoption of the cloud.

Vendor Management Assessment Questions

Who is managing the vendors?

Is vendor management part of the ITAM Program?

Are employees who use the vendor’s solutions solicited for performance feedback?

Do vendor contracts contain language that supports vendor management?

Review for Part 5: Vendor Management

In review ….

  • IT vendors must be managed separately from other vendors to meet ITAM’s requirements.
  • IT vendors are ranked based on the organization’s spending, risk, and critical business dependency.

ITAM Tools

There is a core group of tools required for every ITAM Program. These tools include electronic discovery, usage, metering, physical asset tracking, and the ITAM repository.

Electronic Discovery

Electronic discovery, or just discovery, is one of the first tools deployed for an ITAM Program. A discovery tool scans the network collecting data about an asset. For example, the discovery of a laptop can report the hardware asset’s configuration, serial number, and installed software, including the software title and version. The discovery tool depends on a database containing signatures or fingerprints that exist when a software asset is installed. It is not unusual for departments to use a discovery tool for their own purposes. Departments such as IT, IT Security, and Network use discovery data. The combination of these reports increases the accuracy of ITAM’s data. The discovery tool has one major weakness: it cannot discover that which is not on the network or is not reachable on a network.


Discovery tools are scheduled at specific intervals depending on the need and practicality. Discovery can run daily, every three days, or when the asset accesses the network. The result of discovery is compared to the previous run, and the differences are reconciled against other data, such as service tickets. All this is done to ensure the quality of ITAM data.
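
The comparison described above, as an added example (not code from the original article or from any discovery product): it diffs two discovery runs keyed by serial number and separates the changes a service ticket explains from those that need review. The record layout, serial numbers, host names, the "RemoteTool" title and the ticket format are constructed assumptions.

```python
# Constructed sample data: serial number -> discovered record.
PREVIOUS_RUN = {
    "SN-1001": {"host": "lt-finance-01", "software": {"Office": "2019", "Visio": "2019"}},
    "SN-1002": {"host": "srv-app-01", "software": {"PostgreSQL": "14.9"}},
    "SN-1003": {"host": "lt-sales-07", "software": {"Office": "2019"}},
}
CURRENT_RUN = {
    "SN-1001": {"host": "lt-finance-01", "software": {"Office": "2021"}},
    "SN-1002": {"host": "srv-app-01",
                "software": {"PostgreSQL": "14.9", "RemoteTool": "3.1"}},
    "SN-1004": {"host": "lt-hr-02", "software": {"Office": "2021"}},
}
# Constructed service tickets, reduced to (serial, action, software title).
TICKETS = {
    ("SN-1001", "removed", "Visio"),
    ("SN-1001", "updated", "Office"),
    ("SN-1004", "asset_new", None),
}


def diff_runs(prev, curr):
    """Return (serial, action, title) for every difference between two runs."""
    changes = []
    for serial in sorted(prev.keys() | curr.keys()):
        if serial not in curr:  # not seen this run: retired, offline or lost
            changes.append((serial, "asset_missing", None))
        elif serial not in prev:  # first time the asset was discovered
            changes.append((serial, "asset_new", None))
        else:
            old, new = prev[serial]["software"], curr[serial]["software"]
            for title in sorted(old.keys() | new.keys()):
                if title not in new:
                    changes.append((serial, "removed", title))
                elif title not in old:
                    changes.append((serial, "installed", title))
                elif old[title] != new[title]:
                    changes.append((serial, "updated", title))
    return changes


def reconcile(changes, tickets):
    """Split changes into ticket-backed ones and ones that need follow-up."""
    explained = [c for c in changes if c in tickets]
    unexplained = [c for c in changes if c not in tickets]
    return explained, unexplained


if __name__ == "__main__":
    for change in reconcile(diff_runs(PREVIOUS_RUN, CURRENT_RUN), TICKETS)[1]:
        print("needs review:", change)
```

The unexplained list is the work queue: an install with no ticket is a compliance and security question, and a missing asset is either an unrecorded retirement or a device the tool could not reach.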

Electronic Discovery Tools Assessment Questions

How many discovery tools are used to validate ITAM data?

Which departments own these tools?

Usage

The usage tool provides valuable information on how assets are being used. The tool can be used to identify assets that are not in use or are rarely being used. One popular application of usage monitoring is license optimization. Many organizations have used usage monitoring to redeploy the Microsoft Visio application. When doing so, it is best to have a policy, policy awareness training, and confirmation the application will not be needed. It is this confirmation where application ownership is essential, for you must be able to contact someone before removing an application that may not be quickly restored. A potential challenge to usage tools is privacy laws. Work with legal to understand the privacy laws of the countries where the organization’s users are before becoming dependent on a usage tool.

Usage Tools Assessment Questions

Is a usage tool used to monitor application usage?

How could a usage tool be used to optimize license utilization?

Metering

The metering tool meters software license usage. Sometimes metering is built into server-side software. Metering is a great way to prevent using more software licenses than you are entitled to. Using Visio as an example, a server-side metering tool could be developed that allows Visio to be installed on every client computer. Each time a user launches Visio, a proxy Visio application checks with the server to see if a license is available before launching the Visio application. Of course, this solution can only be legitimate if Microsoft agrees. The metering tool provides excellent data on software utilization.
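
The server side of the license check described above, as an added example (not code from the original article or from any vendor's metering product): a seat pool that the launcher proxy asks before starting the application. The class name, the lease timeout and the user names are assumptions made for illustration.

```python
import time


class LicenseMeter:
    """Server-side seat pool for one title (hypothetical design)."""

    def __init__(self, title, entitled_seats, lease_seconds=3600):
        self.title = title
        self.entitled_seats = entitled_seats
        self.lease_seconds = lease_seconds
        self.leases = {}    # user -> lease expiry (epoch seconds)
        self.denials = []   # (timestamp, user): unmet demand, input to purchasing
        self.peak = 0       # highest concurrent use observed

    def _expire(self, now):
        # Reclaim seats from clients that crashed or never called release().
        self.leases = {u: t for u, t in self.leases.items() if t > now}

    def checkout(self, user, now=None):
        """Called by the proxy before launch; True means a seat was granted."""
        now = time.time() if now is None else now
        self._expire(now)
        if user not in self.leases and len(self.leases) >= self.entitled_seats:
            self.denials.append((now, user))
            return False
        self.leases[user] = now + self.lease_seconds  # new or renewed lease
        self.peak = max(self.peak, len(self.leases))
        return True

    def release(self, user):
        """Called by the proxy when the application exits."""
        self.leases.pop(user, None)


if __name__ == "__main__":
    meter = LicenseMeter("Visio", entitled_seats=2, lease_seconds=100)
    for user, t in [("alice", 0), ("bob", 10), ("carol", 20)]:
        print(user, "granted" if meter.checkout(user, now=t) else "denied")
    print("peak:", meter.peak, "denials:", meter.denials)
```

Peak concurrency and the denial log are the utilization data the paragraph refers to: they show whether the entitlement is oversized or whether users are being turned away.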

Metering Tools Assessment Questions

What metering tools do you depend on?

How is the data used to manage license purchasing?

Physical Asset Tracking

Physical asset tracking involves affixing tags to a physical asset that a reader can scan. The most popular tag types are barcodes like the image to the left and Radio Frequency ID (RFID). Both types have pluses and minuses, but using a tag creates significant efficiencies and accurate data collection. Tags can be used to automate workflows and track the asset’s location. The barcode industry revolutionized the supply chain industry, and the same can be said for ITAM. These two very cost-effective solutions have eliminated hundreds of hours of effort. ITAM needs to take a lesson from the supply chain and retail industries. Both technologies will contribute to more IT asset data and more quality data.

Physical Asset Tracking Tools Assessment Questions

Are hardware assets tagged with an ITAM unique identifier, or is the manufacturer’s identifier used?

Is the asset identifier used to link all the asset’s attributes together?

If bar codes are used, are processes automated using bar code readers and IT asset data collected?

If RFID is used, are processes automated using RFID scanners and IT asset data collected?

ITAM Repository

The ITAM repository collects all data relevant to the IT asset and includes the relationship between data items. The following diagram is a logical view of the repository. While most data can be structured, there can be unstructured data. An example of unstructured data would include service desk tickets. The more significant problem is the completeness and accuracy of the data. Most ITAM data comes from other departments, meaning ITAM has little control over what is produced. Enter the ITAM Program and executive management support. The ITAM department defines the requirements of the ITAM Program. These requirements are approved and supported by executive management. The requirements are then communicated to each department, along with their ITAM roles and responsibilities. The ITAM department monitors the data quality that is produced.


At the beginning of the ITAM Program, the cooperation and data quality vary, sometimes significantly. Data can be missing, incomplete, or sporadic. This is where the data engineering capability of ITAM comes into play. It should come as no surprise that the ITAM Program's maturation mirrors the data's maturity. Next, we will look at each database common to the ITAM Repository.

ITAM Repository - Finance

The finance database contains P.O.s, invoices, budgets, purchase history, vendor contact information, charge-back accounts, taxation, fixed assets, and more. One challenge presented by finance is the granularity of purchase information. For example, purchasing ten servers may go on the books as just one asset. A dollar value may determine the policy for tracking assets. Financial records may be destroyed after the term set by the country’s tax laws. The information on an invoice may not be complete enough for software compliance. And finally, the purchasing contract may ignore the ITAM Program’s requirements detailing how to manage the vendor or the asset. These challenges have prevented the ITAM Program from reaching its full potential and providing the most value to the organization. Once again, the ITAM Program requirements backed by executive management are mandatory.

ITAM Repository - HR

The HR database is home to the organization’s policies and employee records. HR is among the first to know when new positions are created or when there will be a reduction in force. HR typically owns two critical ITAM processes, onboarding and offboarding. Why are these processes critical? Because it is when IT assets are assigned and when they are collected. 


The onboarding process matches the new employee with the employee’s role and, thus, the IT assets associated with that role. The IT assets are assigned to the new employee and recorded in the ITAM Repository. The information includes the employee’s name, location, role, department, and business unit. 


The offboarding process is the event that causes the collection of the IT assets and the return of those assets to inventory. The recovery of the assets depends on accurate ITAM Repository data because asset assignments can change during the employee’s lifetime. Data is secured, licenses and subscriptions recovered, and hardware made available for redeployment.


While this sounds ideal, there is one flaw: typically, consultants or contractors are not in the HR system, meaning the onboarding and offboarding processes must be executed by someone else. These processes can trigger changes in a physical security database or something like Microsoft’s Active Directory.

ITAM Repository - IT

IT databases include the CMDB (Configuration Management Database), the AMDB (Asset Management Database), Active Directory, Service Desk tickets, and network administration databases. IT and the IT service desk rely on this data to deliver IT services. IT services, or operations, are where changes are made to IT assets, hopefully in a controlled fashion. IMAC (Install, Move, Add, and Change) is typically used to describe these changes. IMAC operations can be the installation of a desktop or software, the relocation or reassignment of a server, the update of software, or the recovery of unused IT assets. There is a cost associated with these operations and potential risks. For example, installing software while ignoring or misunderstanding the license can create a non-compliance event. Once again, ITAM does not own these processes, but the ITAM Program requires accurate data and executive management’s support.

ITAM Repository - IT Security

IT Security was separated from IT because of the differences in objectives and operations. ITSEC will most likely have its own discovery tool and other data, but that data may not be complete because of the tool, its configuration, or IT assets that are not reachable. The interests of ITAM and ITSEC are very similar insofar as both want to know the configuration and location of IT assets, who owns them, who is using them, and for what purpose. ITSEC should not waste time searching for assets or asking why a configuration has changed. The need for the ITAM Program to start the lifecycle at “I think I need it” gives ITSEC the earliest opportunities to be proactive when altering their plans to secure the asset. Finally, ITAM is a significant component in almost all cyber security frameworks, including NIST and CIS.

ITAM Repository - Legal

The legal database is where contracts are stored and managed. Types of contracts include purchasing agreements, SLAs (Service Level Agreements), cloud contracts, and software licenses. The IT Asset Manager not only needs access to these contracts, but they need to provide input into the contract's language. This is critical for all ITAM practices but even more vital for SAM and CAM, where the vendor delivers services.


ITAM also needs to break the contracts into manageable “chunks” for usability and workflow. For example, a software installer should not have to read the entire license agreement to understand under what conditions software can be installed. The SAM can identify the parts of the license that are the entitlements and then summarize and clarify the “software installer” role. Another example is the hardware warranty. A technician should not have to search for warranty information but should instead scan the tag into a system that reports the asset’s warranty status and RMA procedure.

ITAM Repository - Finance

The ITAM Repository is by far the most complicated tool to implement. Expect the implementation to take several years and require continuous maintenance and improvement. After all, the repository is where the trustworthy data lives. Using database terms, view the repository from a logical and physical perspective. The logical view is what was presented here and obviously can be extended. The physical view is the real systems that make up the repository. For example, the physical view can include the organization’s ERP system, spreadsheets, and even paper! The goal is not to consolidate all data into one tool but to provide information curated from trustworthy data.

ITAM Repository Assessment Questions

How would you grade the completeness and quality of the data collected from each database?

What is the plan to improve the completeness and quality of data from each database?

What percentage of quality data required to manage an asset is available by asset type? For software, by title?

Review for Part 5: Vendor Management

In review ….

  • ITAM tools are critical to the program. ITAM and other departments can own these tools.
  • The essential tools include electronic discovery, usage, metering, physical asset tracking, and the repository.
  • The ITAM Repository is critical to the ITAM Program because it contains trustworthy data.
  • The ITAM Repository is a federation of the finance, HR, IT, ITSEC, and legal databases.
