Three Reasons ITAM Should be Part of Your Security Strategy (Part 1 of 2)
Several years ago, we purchased a home in the country. The biggest difference I noticed is how dark and quiet it is to live there. When alone in the house at night, I get spooked at the slightest sound, so I am considering a security system. I counted how many windows and doors need to be monitored. Knowing how many windows and doors I have is important information when installing a home security system. The most advanced security system in the world would not be able to protect me if I neglect to secure a single window or door.
In the context of IT security, the most technologically advanced security systems available today will not protect your data if a single device goes unnoticed and, as a result, unsecured. Companies spend a lot of money to protect the data on their networks and devices. The problem is that not every organization has a good strategy to track the devices holding their sensitive data.
Three reasons IT Asset Management (ITAM) should be a part of your security strategy:
- ITAM processes will track devices with sensitive data
- ITAM will control inventory by implementing end-of-lifecycle processes
- ITAM processes will help you comply with government security requirements
ITAM processes will track devices with sensitive data
In a blog post by Laura Heller, she says “…breaches continue with more shopper data stolen in 2014 than any previous year. It’s a pattern likely to continue in 2015 as long as companies focus on window-dressing IT security solutions that fall short by failing to include a solid foundation of IT asset management (ITAM)”
It is puzzling to me how organizations scramble to make sure they have the latest security patches applied to all their devices when the very meaning of ‘all’ is not completely understood. It’s like adding a home security system without knowing for sure that every window and door is monitored.
Generally, when securing a network, an inventory is taken of all the PCs, laptops, servers, and software prior to applying any security policies and applications. However, without ongoing proper IT Asset Management, IT organizations are at risk of losing track of those devices. It is important to understand that asset management is not a one-time event. If you lose track of devices, it becomes more difficult to ensure they are secure.
Jaime Kahan from Ernst & Young identified 10 key areas related to cyber-security where companies should focus their efforts. She identified IT Asset Management as one of those key areas. “Firms need to be able to identify who has access and to what physical and electronic assets within the organization. This would include but not be limited to laptops, computers, servers, software, iPads, mobile devices and electronic files”
The cost of losing a device is minimal compared to the cost of losing data contained on a device. The reason it is so important to track devices, including the person who has access to the device, is to protect your data. This is a task that needs to be considered as another layer of security.
ITAM will control inventory by implementing end-of-lifecycle processes
A challenge many organizations encounter when tracking devices is that the task itself can be overwhelming. The reasons may include a lack of ITAM tools, a lack of ITAM education, and, in many cases, an inefficient disposal process for end of lifecycle.
On May 29, 2013, Frank W. Deffer, United States Assistant Inspector General of the Office of Information Technology Audits, sent a memo to the United State Coast Guard (USCG) after they performed a security audit. The memo stated that the “USCG needs to improve its laptop acquisition and inventory management practices, and strengthen laptop security controls. Specifically, it needs to improve its laptop recapitalization program to eliminate excess quantities of unused laptops.”
I have visited many commercial and government organizations throughout my career. It is not uncommon for employees to have more than one laptop or desktop. In many cases, the additional device is older and has been replaced by a newer one. The additional devices typically add to overhead, since they need to be updated, patched, and managed. Often, organizations simply lose track of the additional older devices.
Older devices that have not been disposed of properly may contain sensitive data. If the device is misplaced, lost, or even stolen by an employee that is aware the device is not properly tracked, then you may run into a problem as Coca-Cola did in December 2013. Coca-Cola reported 74,000 individual’s information had been compromised. The Wall Street Journal claimed that the “…Laptops were stolen by a former employee who had been assigned to maintain or dispose of equipment”
Most organizations spend a lot of time evaluating and implementing security solutions; however, when the lifecycle of a device ends, the task of disposing of the device along with the data tends to be minimized or sometimes overlooked. This is probably because most IT employees are focused on upcoming projects and tasks.
In a Techtarget.com post, Barb Rembiesa states that “Current trends show ITAM overlapping data security processes and concerns in several ways, especially around end-of-life hardware disposal and data security during the disposal processes.”
Organizations need to consider the disposal process of a device as a security task. The task should be assigned to a person who is properly trained. A method to verify that a device is properly sanitized and recycled should also be put in place. This type of service is offered by several third-party companies.
When a security breach becomes part of the news, those in charge of security will ultimately be held responsible. For this reason alone, those who are accountable for IT security should include ITAM as part of their security strategy.
In my next blog post (Part 2), I will continue on this subject by addressing how ITAM processes will help you comply with government security requirements.
This article initally appeared on marcelshaw.com