Governance
Document
[Company Name]
IT Asset Management
Governance
Document Control
Release:
References
1.
2.
In many organisations it is not often the start or the end of IT asset lifecycle
management that presents management challenges pertaining to status or location;
typically it is the day-to-day activities of IT operations that have to act (or react) in a
knee-jerk fashion, with resources being pulled from existing projects at a moment's
notice. An effective ITAM solution will provide IT with the necessary tools to be able
to scope technical challenges, plan for remedies and do so with a pace and efficiency
that impresses.
Cost Control: Software can be purchased in vast quantities, and yet still be over-
deployed due to an absence of operational controls or even heated demands for
immediate service. To this end, a systematic auditing and reconciliation process
should take place to ensure that [COMPANY NAME] is only installing the software it
has paid for; thereby reducing fiscal risk/penalty in the event of a Software Vendor
audit, and that unused software is re-cycled wherever possible for re-deployment
elsewhere. (As an example, a default install of an Oracle database can call upon
technology that may not have been purchased.)
ISO 19770-1: 2012 Processes: Best practice principles pertaining to Software Asset
Management mandate the entire lifecycle of Software Assets is effectively controlled
through an organisation. Any aspect of use that could alter a licence position for a
software title needs to be monitored as a minimum.
ISO 27001 (The ISO standard for Information Security): A core/mandatory requirement
of ISO 27001 is that any Information Security Management System (ISMS) created
accounts for the risk of software licence compliance (a possible consequence of not
having the correct/adequate licences in place is "delivery up": a software vendor
demanding the removal of the software).
ISO 20000 (The ISO Standard for IT Service Management): An integral part of being
able to deliver quality helpdesk services is understanding what software and
hardware one is dealing with, so as to spot any potential conflicts with adjacent titles
or any hardware dependencies that might not have been considered prior to
installation. Current methods of working often mean that the helpdesk team only find
out about what configuration of IT they are having to repair at the time a call is being
logged.
The Data Protection Act (1998): More a concern of the Information Security advocate;
however, if we do not fully understand what software provides ingress and egress to
our IT estate, then [COMPANY NAME] is in danger of being ignorant of its
responsibilities in respect of personal data management and movement.
Software Licence Compliance: Whilst [COMPANY NAME] might be within its own IT
budget, it could easily be out of compliance based on ad-hoc installs of software not
being accounted for.
Financial Due Diligence: Long gone are the days when departments were given slush
funds to do with as they please; if IT assets are purchased through such funds, then
they remain unaccountable and invisible to the IT department, and a financial liability
when they are not returned to [COMPANY NAME].
Infrastructure as a Service (IaaS): This is the widest possible scope of the three
models, as hardware platforms are also leased from a third party, as well as the
IT assets covered in SaaS and PaaS; this is the greatest possible out-sourcing
model of IT services.
In all instances though, vicarious liability will ensure that we are at least accountable
to validate what hardware and software is being used by [COMPANY NAME] so that
it remains on the right side of compliance, ensures accurate billing for the products and
services provided, and that value-for-money is being leveraged through the
contractual obligation agreed to.
Timelines: [Insert timelines here]. The processes will be engineered in such a way as
to allow a phased implementation, lessening any potential culture shock.
Objectives: The following objectives have been identified for the SAM Programme:
Tools / Systems to be used: Many systems are currently in place that can support the
ITAM strategy:
[Insert system names here and offer a one-liner on what each does, and how it will
support ITAM Governance]
[Diagram: labels shown are Requisition, Acquisition, Testing, Packaging, Release, Deployment, Change Management, Incident/Problem Management, Retirement and Disposal.]
Process Table
(You can download a template RACI document from the same location where this
document came from: www.samcharter.com/downloads).