Written by Rory Canavan, SAM Charter
If you have adopted a service management framework that is feed-forward in nature and driven by stringent KPIs to have hardware and software assets in the hands of your end-users at a moment’s notice, then you may find that the rest of the business almost back-pedals to accommodate the fall-out of standing up devices and applications at a plug-and-play speed.
You may already find that Procurement write off devices that cost less than $1,000, so the commercial impetus (and desire) to recover such devices after a 12-month period is near-zero. Are you finding that long-term members of staff view their portable IT devices as their own possessions rather than as corporate assets? Indeed, some staff may view IT equipment as a leaving present!
However, with increased device mobility come risks that your business might not have perceived 10 years ago, and so would not have refreshed its IT device policy in regard to retention, or even correct disposal.
Offering flexibility of movement, IT places new considerations at its own door – particularly in respect of Information Security, Device Security, Data Protection and good old Software Asset Management (SAM).
In respect of SAM, the primary goal is the retention and re-use of software. This cannot be achieved if the business is in a state of mind where it shrugs its shoulders when portable devices are written off. While we might have the technology to restrict non-approved access should a device be reported as lost or stolen, we need to have the mechanisms in place whereby we can recover the right to use the software for those lost/stolen devices.
This entails aligning asset control to the HR lifecycle, which in turn allows the business to periodically confirm that assets are indeed being used for their intended corporate use.
Your ‘Joiners, Movers and Leavers’ process is a ready means by which to do this, and the primary advantage of using the HR lifecycle is that it also ensures that the IT department is adequately provisioning company personnel. A final advantage to checking whether staff are properly resourced at key stages of their HR lifecycle is that such data can be used to update a CMDB.
A point worth noting in regard to Movers – not only are we checking to see whether the equipment they have in their possession is fit for purpose, but we can also check whether certain software titles that might have been granted under a project/ temporary status can be recovered. Not only does this offer the opportunity to recycle software, but also helps to reinforce a need-to-know information security protocol for project/confidential data.
If you are looking to adopt an agile approach to identifying status changes to your IT estate, then being able to accommodate the changes brought about by HR churn could act as a great barometer to judge the relative success or failure of maintaining your CMDB.
Next, we can turn our attention to Information Security and how our JML process is not merely viewed as a “nice to have”, but rather a compelling demand of demonstrating adherence to ISO 27001, GDPR, or any other security frameworks/legislation worthy of mention. If you are looking to protect data (be it personal data, or commercially sensitive data), then establishing a boundary to which that information is managed within your company is essential for the scoping of your data management efforts.
Your boundary (or scope) will be comprised of the devices and software that can access that data – if those devices then go missing, you need to have processes/protocols, etc. to reinforce your existing scope, which invariably means declining network access to those missing devices. Indeed, it could even result in the wiping of devices if they contain the data you are trying to protect/manage.
In respect of keeping your CMDB up to date, the Movers and Leavers waypoints in the HR lifecycle are ideal to confirm that mobile devices are either reusable by other staff members, or recoverable back to the IT department (as a minimum).
So what other pointers can be offered to ensure that your JML process is deemed an asset rather than a burden to your company?
Make sure you have a company policy that leaves users in no doubt as to their liability concerning lost and stolen devices. If devices are lost, and are reported as such by an employee, then information security needs to be informed asap so it can take steps to protect/recover data and access to data that those devices might otherwise grant.
If devices are believed to have been stolen, then the standard data recovery/network denial protocols will need to be instigated, but so will certain steps to recover the value of the asset. Hardware may be on a write-down and so the value that is being recovered won’t match the original purchase price, but don’t forget to factor into the equation the value of the software that might be on that stolen device. Of course, liaising with HR is absolutely vital around instigating a stolen device process – recovery is possibly within the remit of your company if the employee is the one being accused of stealing a device, but perhaps not as straightforward if an anonymous non-employee is the person being accused.
Patience is a virtue
A point worth noting about this valuable IT/SAM process: many processes are assessed by the length of time taken for their completion as to whether or not the process has been successful. In theory, an instance of this process could take years to achieve – and this is no bad thing! This is highlighting that your company has good staff retention, and that they feel adequately resourced with the IT placed before them.
A final point worth thinking about is the eventual repository for the information that this process seeks to create and maintain. HR systems may not have the scale and scope to accommodate such a customization; indeed, would HR systems owners want to grant IT access to store such data? A SAM suite is a possible option, but my recommendation would be a CMDB/Asset Register, supported by a service management and software asset management toolset.