
IT Asset Management

Governance
Document

[Company Name]

Document Control

Version No. for Final Release: [Insert release number here]

Issue Date: [Insert date of issue here]

Status (Draft or Final): [Insert document status here]

Author: [Insert author name here]

Reviewed by: [Insert reviewer name here]

Approval for Final Release: [Insert approver name here]

Governance Document vxx Page 2 (13)


Document History

Date Issued     Version No.     Reason for Change     Initials

[xx/xx/xxxx]    0.1             Initial Draft

References

Ref. No.     Doc. ID & Version     Document Title / File name

1.

2.



Table of Contents
Document Control
Document History
References
Table of Contents
IT Asset Management Vision
Introduction
Deployment Methodology
IT Asset Management Lifecycle Overview
Processes in Scope
Process Table
Next Steps
RACI for IT Asset Management



IT Asset Management Vision
The vision of IT Asset Management (ITAM) within [COMPANY NAME] is to have a
responsive and dynamic IT infrastructure, matching the needs and demands of
[COMPANY NAME] to deliver world-class products and services to its staff, now and
well into the future. To that end, we need to ensure that whatever framework is
adopted to manage our IT assets offers a crystal-clear picture of where our IT assets
are, and who is using them. Higher business functions such as return on investment
and total cost of ownership should be addressed in any reporting requirements, so
integration with the purchasing/finance division is vital to provide a solid
foundation on which accurate calculations can be based.

In many organisations it is not often the start or the end of IT asset lifecycle
management that presents management challenges pertaining to status or location;
typically it is the day-to-day activities of IT operations that have to act (or react) in a
knee-jerk fashion, with resources being pulled from existing projects at a moment's
notice. An effective ITAM solution will provide IT with the necessary tools to be able
to scope technical challenges, plan for remedies and do so with a pace and efficiency
that impresses.

Primary strategic objectives to be addressed in implementing the recommended
framework include:

Risk Management: Operationally and fiscally; by having a dynamic system of control,
resources can be diverted to areas of need to match peak usage (e.g. Server/Storage
Virtualisation). From a financial standpoint, requisite control around ad-hoc purchases
of hardware and software will help mitigate software licence non-compliance.

Cost Control: Software can be purchased in vast quantities, and yet still be
over-deployed due to an absence of operational controls or even heated demands for
immediate service. To this end, a systematic auditing and reconciliation process
should take place to ensure that [COMPANY NAME] is only installing the software it
has paid for, thereby reducing fiscal risk/penalty in the event of a Software Vendor
audit, and that unused software is re-cycled wherever possible for re-deployment
elsewhere. (A default install of an Oracle database, as an example, can call upon
technology that may not have been purchased.)



Competitive Advantage: By aligning IT to the emerging demands of [Company Name],
IT will be better placed to support new initiatives for revenue generation in the future.
This element of ITAM governance is as much about effective communication as
anything else, and understanding that our IT department can move proactively to
support the business if it is offered buy-in to new initiatives at the outset of the
idea-creation phase.

Flexibility: Having a centralised framework allows businesses/business units to tap into
central resources as prescribed in Service Level Agreements between central and
business-unit IT.

Future-Proofing: An integrated approach to managing IT assets means that we can
create a technology road map that will be informed by hardware and software
lifecycles, and so keep pace with the business and strategic demands we make of
each.



Introduction
Governance: By introducing an ITAM framework as outlined below, we will seek to
address/liaise on the following standards and issues:

- ISO 19770-1: 2012 Software Asset Management Processes
- ISO 27001 Information Security
- ISO 20000 IT Service Management
- The Data Protection Act (1998)
- The WEEE Directive (Waste Electrical and Electronic Equipment Directive)
- Software License Compliance
- Financial Due Diligence
- Virtualisation

ISO 19770-1: 2012 Processes: Best practice principles pertaining to Software Asset
Management mandate that the entire lifecycle of Software Assets is effectively controlled
throughout an organisation. Any aspect of use that could alter a licence position for a
software title needs to be monitored as a minimum.

ISO 27001, the ISO standard for Information Security: A core/mandatory requirement
of ISO 27001 is that any Information Security Management System (ISMS) created
accounts for the risk of software licence compliance (a possible consequence of not
having the correct/adequate licences in place is delivery up: a software vendor
demanding the removal of the software).

ISO 20000, the ISO Standard for IT Service Management: An integral part of being
able to deliver quality help-desk services is understanding what software and
hardware one is dealing with so as to spot any potential conflicts with adjacent titles
or any hardware dependencies that might not have been considered prior to
installation. Current methods of working often mean that the helpdesk team only find
out about what configuration of IT they are having to repair at the time a call is being
logged.

The Data Protection Act (1998): More a concern of the Information Security advocate;
however, if we do not fully understand what software provides ingress and egress to
our IT estate, then [COMPANY NAME] is in danger of being ignorant of its
responsibilities in respect of personal data management and movement.



The WEEE Directive: Ensuring that hardware assets are disposed of in accordance with
EU regulations; this is also a timely point at which [COMPANY NAME] can recycle
any licences that could still be of use to [COMPANY NAME], rather than paying for
replacement titles that were thrown out with the physical disposal.

Software Licence Compliance: Whilst [COMPANY NAME] might be within its own IT
budget, it could easily be out of compliance based on ad-hoc installs of software not
being accounted for.

Financial Due Diligence: Long gone are the days when departments were given slush
funds to do with as they please; if IT assets are purchased through such funds, then
they remain unaccountable and invisible to the IT department, and a financial liability
when they are not returned to [COMPANY NAME].

Virtualisation: Three primary models of Virtualisation exist, namely:

Software as a Service (SaaS): This would be a paid service to deliver software
applications (usually) via a public cloud solution and typically paid for by
metering end-user usage, or charging per user account created.

Platform as a Service (PaaS): Widens the scope of Software as a Service, in that
devices, operating systems and storage are also included as part of any leasing
agreement. Assessments of cost are devised on a case-by-case basis.

Infrastructure as a Service (IaaS): This is the widest possible scope of the three
models, as hardware platforms are also leased from a third party, as well as the
IT assets covered in SaaS and PaaS; this is the greatest possible out-sourcing
model of IT services.

In all instances though, vicarious liability will ensure that we are at least accountable
to validate what hardware and software is being used by [COMPANY NAME] so that
it remains on the right side of compliance, ensures accurate billing for the products and
services provided, and that value-for-money is being leveraged through the
contractual obligation agreed to.

A cost-benefit analysis should underpin any move towards Virtualisation, with a
viewpoint of future-proofing also being considered to ensure that such a move is in the
best interests of [COMPANY NAME]. SLAs (Service Level Agreements) should be
tightly scrutinised PRIOR to any agreement being struck, to ensure that the service
desk element of the contract is fit for purpose.



Scope: The scope of the ITAM programme is all IT assets procured by [COMPANY
NAME], either centrally or locally (this excludes [insert out of scope
technologies/areas here]).

Stakeholder Identification: Subject to the formal endorsement of this paper, nominated
individuals within each company/department will act as project-based liaisons to offer
guidance on local input to the central view.

Timelines: [Insert timelines here]. The processes will be engineered in such a way as
to allow a phased implementation, lessening any potential culture shock.

Objectives: The following objectives have been identified for the SAM Programme:

- To enable [COMPANY NAME] to have a centralised view of its entire IT estate.
- To inform the IT department of which IT Assets will and will not be supported
  centrally.
- To maximise the IT resources at [COMPANY NAME]'s disposal, ensuring
  licence compliance and risk avoidance wherever possible.
- To create and maintain a Technology roadmap, informed by business
  requirements and the product lifecycles as published by software and hardware
  vendors.
- To support [COMPANY NAME] helpdesk requirements with timely and
  accurate data of hardware and software builds so as to support efficient
  resolution of IT queries, incidents and problems.
- To prevent IT outage caused by local (unsupported) IT purchases that have not
  been given [COMPANY NAME] endorsement.

Tools / Systems to be used: Many systems are currently in place that can support the
ITAM strategy:

[Insert systems names here and offer a one-liner on what each does, and how it will
support ITAM Governance]



Deployment Methodology
Expand upon your deployment methodology here; it could be phased, or it could be
big bang. This depends on the number of systems being used and/or implemented
and also the implementation of any processes that might have to be created or
amended. Consider, too, distinguishing between project-based activities and activities
that will be considered BAU. Next, make mention of any BAU activity delivered by 3rd
parties, ensuring that requisite SLAs are in place to effectively deliver services to
support your ITAM strategy.



IT Asset Management Lifecycle Overview

[Figure: IT Asset Management lifecycle diagram. Stages shown: Requisition,
Acquisition, Testing, Packaging, Release, Deployment, Change Management,
Incident/Problem Management, Retirement, Disposal.]



Processes in Scope
According to the diagram above, the IT Asset Management Lifecycle Overview which
is to be modelled within [COMPANY NAME] has been broken down into the following
sections, with some sub-processes also listed:

Process Table

No.     ITAM Process Name     Doc ID     Process purpose     Process Owner


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18



Next Steps...
- To secure senior management buy-in of the direction and strategy this
  Governance Paper seeks to deliver.
- Draft best practice processes as listed above.
- Take these processes to each of the stakeholders for endorsement/amendment
  as required.
- Benchmark their performance as they are adopted throughout [COMPANY
  NAME], ensuring that they work with, and support, the systems chosen to deliver
  ITAM Governance as described above.

RACI for IT Asset Management


An overall RACI Chart (Responsible, Accountable, Consulted, Informed) has been
created and will be used to inform, and be informed by the drafting of processes as
they are developed in conjunction with identified stakeholders. A copy of the chart is
available upon request.

(You can download a template RACI document from the same location where this
document came from: www.samcharter.com/downloads).
