IT Asset Management Governance
[Company Name]
Document Control
Version No. for Final Release: / [Insert release number here]
Issue Date: / [Insert date of issue here]
Status (Draft or Final): / [Insert document status here]
Author: / [Insert author name here]
Reviewed by: / [Insert reviewer name here]
Approval for Final Release: / [Insert approver name here]
Document History
Date Issued / Version No. / Reason for Change / Initials
[xx/xx/xxxx] / 0.1 / Initial Draft
References
Ref. No. / Doc. ID & Version / Document Title / File name
Table of Contents
Document Control
Document History
References
Table of Contents
IT Asset Management Vision
Introduction
Deployment Methodology
IT Asset Management Lifecycle Overview
Processes in Scope
Process Table
Next Steps...
RACI for IT Asset Management
IT Asset Management Vision
The vision of IT Asset Management (ITAM) within [COMPANY NAME] is to have a responsive and dynamic IT infrastructure, matching the needs and demands of [COMPANY NAME] to deliver world-class products and services to its staff; now and well into the future. To that end, we need to ensure that whatever framework is adopted to manage our IT assets offers a crystal-clear picture of where our IT assets are, and who is using them. Higher business functions such as return on investment and total cost of ownership should be addressed in any reporting requirements, and so integration with the purchasing/finance division is vital so as to provide a solid foundation from which accurate calculations can be based.
In many organisations it is not often the start or the end of IT asset lifecycle management that presents management challenges pertaining to status or location; typically it is the day-to-day activities of IT operations that have to act (or react) in a knee-jerk fashion, with resources being pulled from existing projects at a moment’s notice. An effective ITAM solution will provide IT with the necessary tools to be able to scope technical challenges, plan for remedies and do so with a pace and efficiency that impresses.
Primary strategic objectives to be addressed in implementing the recommended framework include:
Risk Management: Operationally and fiscally; by having a dynamic system of control, resources can be diverted to areas of need to match peak usage (e.g. Server/Storage Virtualisation). From a financial standpoint, requisite control around ad-hoc purchases of hardware and software will help mitigate non-license compliance of software.
Cost Control: Software can be purchased in vast quantities, and yet still be over-deployed due to an absence of operational controls or even heated demands for immediate service. To this end, a systematic auditing and reconciliation process should take place to ensure that [COMPANY NAME] is only installing the software it has paid for; thereby reducing fiscal risk/penalty in the event of a Software Vendor audit, and that unused software is re-cycled wherever possible for re-deployment elsewhere. (A default install of an Oracle database (as an example) can call upon technology that may not have been purchased.)
Competitive Advantage: By aligning IT to the emerging demands of [Company Name], IT will be better placed to support new initiatives for revenue generation in the future. This element of ITAM governance is as much about effective communication as anything else; and understanding that our IT department can move proactively to support the business if it is offered buy-in to new initiatives at the outset of the idea-creation phase.
Flexibility: Having a centralised framework allows businesses/business units to tap into central resources as prescribed in Service Level Agreements between central and business-unit IT.
Future-Proofing: An integrated approach to managing IT assets means that we can create a technology road map that will be informed by hardware and software lifecycles, and so keep pace with the business and strategic demands we make of each.
Introduction
Governance: By introducing an ITAM framework as outlined below, we will seek to address/liaise with the following standards and issues:
- ISO 19770-1: 2012 – Software Asset Management – Processes
- ISO 27001 – Information Security
- ISO 20000 – IT Service Management
- The Data Protection Act (1998)
- The WEEE Directive (Waste Electrical and Electronic Equipment Directive)
- Software License Compliance
- Financial Due Diligence
- Virtualisation
ISO 19770-1: 2012 – Processes: Best practice principles pertaining to Software Asset Management mandate that the entire lifecycle of Software Assets is effectively controlled through an organisation. Any aspect of use that could alter a licence position for a software title needs to be monitored as a minimum.
ISO 27001 – The ISO standard for Information Security: A core/mandatory requirement of ISO 27001 is that any Information Security Management System (ISMS) created accounts for the risk of software licence compliance (a possible consequence of not having the correct/adequate licences in place is “delivery up” – a software vendor demanding the removal of the software).
ISO 20000 – The ISO Standard for IT Service Management: An integral part of being able to deliver quality help-desk services is understanding what software and hardware one is dealing with, so as to spot any potential conflicts with adjacent titles or any hardware dependencies that might not have been considered prior to installation. Current methods of working often mean that the helpdesk team only find out about what configuration of IT they are having to repair at the time a call is being logged.
The Data Protection Act (1998): More a concern of the Information Security advocate; however if we do not fully understand what software provides ingress and egress to our IT estate, then [COMPANY NAME] is in danger of being ignorant of its responsibilities in respect of personal data management and movement.
The WEEE Directive: Ensuring that hardware assets are disposed of in accordance with EU regulations – this is also a timely point at which [COMPANY NAME] can recycle any licences that could still be of use to [COMPANY NAME], rather than paying for replacement titles that were thrown out with the physical disposal.
Software Licence Compliance: Whilst [COMPANY NAME] might be within its own IT budget, it could easily be out of compliance based on ad-hoc installs of software not being accounted for.
Financial Due Diligence: Long gone are the days when departments were given slush funds to do with as they please; if IT assets are purchased through such funds, then they remain unaccountable and invisible to the IT department, and a financial liability when they are not returned to [COMPANY NAME].
Virtualisation: Three primary models of Virtualisation exist, namely:
Software as a Service (SaaS): This would be a paid service to deliver software applications (usually) via a public cloud solution and typically paid for by metering end-user usage, or charging per user account created.
Platform as a Service (PaaS): Widens the scope of Software as a Service, in that devices, operating systems and storage are also included as part of any leasing agreement. Assessments of cost are devised on a case by case basis.
Infrastructure as a Service (IaaS): This is the widest possible scope of the three models, as hardware platforms are also leased from a third party, as well as the IT assets covered in SaaS and PaaS – this is the greatest possible out-sourcing model of IT services.
In all instances though, vicarious liability will ensure that we are at least accountable to validate what hardware and software is being used by [COMPANY NAME] so that it remains on the right side of compliance, ensures accurate billing for the products and services provided, and that value-for-money is being leveraged through the contractual obligation agreed to.
A cost-benefit analysis should underpin any move towards Virtualisation, with a viewpoint of future-proofing also being considered to ensure that such a move is in the best interests of [COMPANY NAME]. SLAs (Service Level Agreements) should be tightly scrutinised PRIOR to any agreement being struck, to ensure that the service desk element of the contract is fit for purpose.
Scope: The scope of the ITAM programme is all IT assets procured by [COMPANY NAME]; either centrally or locally (this excludes – insert out of scope technologies/areas here).
Stakeholder Identification: Subject to the formal endorsement of this paper, nominated individuals within each company/department will act as project-based liaisons to offer guidance on local input to the central view.
Timelines: [Insert timelines here]. The processes will be engineered in such a way as to allow a phased implementation, lessening any potential culture shock.
Objectives: The following objectives have been identified for the SAM Programme:
- To enable [COMPANY NAME] to have a centralised view of its entire IT estate.
- To inform the IT department of which IT Assets will and will not be supported centrally.
- To maximise the IT resources at [COMPANY NAME]’s disposal, ensuring licence compliance and risk avoidance wherever possible.
- To create and maintain a Technology roadmap, informed by business requirements and the product lifecycles as published by software and hardware vendors.
- To support [COMPANY NAME] helpdesk requirements with timely and accurate data of hardware and software builds so as to support efficient resolution of IT queries, incidents and problems.
- To prevent IT outage caused by local (unsupported) IT purchases that have not been given [COMPANY NAME] endorsement.
Tools/Systems to be used: Many systems are currently in place that can support the ITAM strategy:
[Insert systems names here – and offer a one-liner on what each does, and how it will support ITAM Governance]
Deployment Methodology
Expand upon your deployment methodology here – it could be phased, or it could be big bang. This depends on the number of systems being used and/or implemented and also the implementation of any processes that might have to be created or amended. Consider too, distinguishing between project-based activities and activities that will be considered BAU. Next, make mention of any BAU activity delivered by 3rd parties ensuring that requisite SLAs are in place to effectively deliver services to support your ITAM strategy.
IT Asset Management Lifecycle Overview
Processes in Scope
No. / ITAM Process Name / Doc ID / Process purpose / Process Owner
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
According to the diagram above, the IT Asset Management Lifecycle Overview which is to be modelled within [COMPANY NAME] has been broken down into the following sections, with some sub-processes also listed:
Process Table
Next Steps...
- To secure senior management buy-in of the direction and strategy this Governance Paper seeks to deliver.
- Draft best practice processes as listed above.
- Take these processes to each of the stakeholders for endorsement/amendment as required.
- Benchmark their performance as they are adopted throughout [COMPANY NAME], ensuring that they work with, and support the systems chosen to deliver ITAM Governance as described above.
RACI for IT Asset Management
An overall RACI Chart (Responsible, Accountable, Consulted, Informed) has been created and will be used to inform, and be informed by, the drafting of processes as they are developed in conjunction with identified stakeholders. A copy of the chart is available upon request.
(You can download a template RACI document from the same location where this document came from: ).
