ITAM Policies Keynote

Keynote – ITAM Policies: Foundations for Success

ITAM policies, approved at the highest levels and enforced across your entire organisation, are a critical foundation for any IT Asset Management function or programme. Kylie Fowler, Principal Consultant at ITAM Intelligence, will present a case study demonstrating how working with the Information Security team of a large federated multi-national allowed her to define and implement ITAM policies, approved at Board level and communicated across the business.

About Kylie

Kylie has supported organisations including Balfour Beatty Plc and Interserve Plc to leverage the benefits of IT asset management and achieve their business objectives. Kylie is passionate about bringing her expertise to support businesses of all sizes to reduce risk and achieve a return on their IT investment. Kylie is Convenor of the UK SAM Networking Group, a regular invited speaker at industry events and has published a number of thought-leading articles.

ITAM Policies – Foundations for Success

Agenda
- Background
- What we did
- Outcomes
- Conclusions
- Questions & comments

Background

The Scenario
The company:
- >15,000 seats
- Multi-national
- Several verticals, including secure public sector (eg Dept of Defence contracts)
- Federated business structure
  - Significant systemic risks: the actions of one business unit may adversely impact others
- Low margin business
  - Low incentive to spend money to manage low probability, high impact risks

What is a federated organisation? How do you manage systemic risk?
[Diagram: organisational hierarchy of Group Plc, Divisions, Business Units and Contracts, each level labelled Profits, with a CONTROL axis running down from Group. Caption: Governance & Management Work!!]

Governance through assurance
- Group IT defines a minimum set of outcomes
  - These outcomes are described in the Group Policies and Standards
  - Focus on managing areas of activity with significant systemic risk
- Divisions & business units define their own policies
  - Must meet these minimum requirements
  - Some business units may define stricter policies, eg ISO 27001 (27K) accredited business units
- Business units and contracts define processes and procedures
  - Must produce the outcomes required by the policies to the required standard
- Group assures the policies, processes and procedures
  - Will they produce the required outcomes?

Assurance governance model – How do you manage systemic risk?
[Diagram: the same Group Plc / Division / Business Unit / Contract hierarchy, labelled Policies at Group and Division level, Processes at Business Unit level and Outcomes at Contract level, with an ASSURANCE axis.]

What we did

Current state
- ITAM Current State and Maturity Assessment
  - Identified lack of global policies and standards as a concern
  - No global policies defined or approved at Exec Board level
  - Some local policies in place, but no assurance that they are adequate or at the standard required of a large multinational corporation
- Information Security also addressing the lack of policies and standards
  - 'Dotted line' from CISO to Company Secretary and Corporate Risk Board
  - Joined the Information Security Forum
  - Policies, standards and recommended assurance processes being socialised across the federated divisions
  - Socialisation at Exec Board level in progress
  - Utilising the 'Standard of Good Practice for Information Security 2014' to define a comprehensive set of policies and standards for implementation across the company
  - Information Security Policy to be approved at Board level
  - Subsidiary policies and standards to be approved by a lower-level approval body consisting of divisional representation
- Info Sec recognise ITAM as a pre-requisite for effective Information Security

The challenges
- Policy 'fatigue'
  - Concern that senior stakeholders would not support a second policy development and approval process
- Lack of Exec sponsorship for ITAM as such
  - ITAM has a high profile, but mainly because of past security breaches
  - Perceived as an Info Sec issue

The recommendation
- Implement ITAM policies through the vehicle of the Info Sec policies
  - Complete a gap analysis between Information Security Policies and Standards and ITAM equivalents
  - Work with Information Security to modify policies to minimise gaps
  - Report outstanding gaps back to Head of IT Governance to determine next steps
- CIO sponsorship obtained for this approach
  - Consultant (ie me!!) engaged to implement recommendations

The process
- Review ITAM 'policy library'
  - Identify policies appropriate to this organisation
  - Identify standards that meet Group minimum requirements
    - Focus on systemic risks
    - Avoid being prescriptive about details best left to the business to determine
- Review draft Info Sec policies
  - Record which clause covered which ITAM policy / standard
  - Identify gaps / areas where amendments would need to be made
  - Agree changes to be made to the drafts

Structure of the Policy Documents
[Diagram: the Information Security Policy, with the Information Security Standard beside it, sits above the subsidiary policies, each paired with its standards: Human Resource Management, Asset Management, Systems Management and Access Management, together with the Acceptable Use Policy and other Info Sec policies and standards.]

The process continued
- Amend Info Sec policies and standards
  - The majority of amendments were made to the standards
  - There was a bit of 'back and forth' to explain the relevance of some amendments and why they should be included
- Document the ITAM policy requirements and their location
  - List of all relevant ITAM policies and which section of the Information Security Policies covers them

The process continued
- Report outstanding gaps to IT Governance
  - Disposal of Waste Electrical and Electronic Equipment
    - The nature of the business means this issue is bigger than IT and needs to be addressed by Sustainability policies
  - IT systems design to consider software licensing compliance
    - Need to consider systemic or indirect licensing implications of system design
    - Will refer to Technology Strategy Director for action

Changes we made
- Acceptable Use Policy
  - All end-user oriented policies were added to this document, eg:
    - Do not download or install non-approved software
    - Do not give or loan IT Assets to other individuals
    - Assets can be audited and under-utilised assets will be reused
- IT Asset Management Standard
  - The policy and standards already specified a requirement to maintain an asset register, covering both hardware and software
  - Provided additional detail regarding how asset register accuracy should be maintained
  - Specify that the asset register is checked for software licensing prior to granting system access
  - Implementation of arrangements to support asset tracking and their relationships to each other
  - Implementation of arrangements to enable auditing of software licensing compliance

Changes we did NOT need to make
Of relevance, but minimal changes required to:
- Human resource management standard
- Third party access standard
- Access management standard
- System management standard
- Mobile computing standard
- External supplier policy
- System development management standard
- Systems development lifecycle standard

Outcomes

What we achieved
- A comprehensive set of ITAM policies
  - Single set of integrated policies
  - Approved at Board level and enforceable globally
  - Info Sec and ITAM leveraging and reinforcing good practice
- Next steps
  - Develop ITAM governance and assurance model
    - Aligned with but separate from Information Security governance and assurance
    - Different people, processes and practices, but a single set of policies

What I learned
- Changes to my 'Policy Library'
  - Became less prescriptive: instead of 'thou shalt not' it now reads 'determine the standard regarding...', eg can IT Assets be used for reasonable personal use? (but note: must define 'reasonable personal use')
  - Added sections regarding Systems Design and the need to take into account ITAM requirements
- Changes in attitude and thinking
  - Differentiate between Group level and business unit level policies, eg:
    - Group level: IT Assets to be purchased through prescribed authorisation processes
    - Business unit level: No reimbursement for software or hardware purchased on a credit card
  - Focus on reputational and systemic risks rather than financial or business-unit-focused risks
    - If a business unit or contract wants to waste money or resources through poor ITAM, that is their decision to make

Conclusions
- Info Sec and ITAM speak different languages
  - Info Sec are focused on risks to Information Assets
  - Regulatory and contractual risks are only relevant where they may impact Information Assets: Confidentiality, Integrity, Availability
  - Luckily for ITAM practitioners, the potential for software copyright owners to restrict availability of software means software licence compliance is a consideration for Information Security practitioners!
- However
  - ITAM is undoubtedly a pre-requisite for good Info Sec
  - Many good Info Sec practices are good ITAM, even in areas that are NOT obviously related, eg procurement practices
- There may still be a need for detailed ITAM policy documentation
  - Particularly for centralised businesses and at the IT Organisation level
  - But this exercise would certainly give you a head start!

Thank you!