Taming Your Moving Assets: Governing through Policies and Procedures
An effective ITAM program can be the difference between getting the most out of your assets and possibly leaking millions of dollars.
by Phara E. McLachlan
Today’s business world is moving at a rapid pace. Employees work longer hours, from more locations, and with more devices to get the job done. From mobile phones to laptops to iPads, the amount of number assets assigned to individual executives has grown considerably over the last five years.
Although IT asset management (ITAM) has never been as cut and dried as counting how many desktops are in use and what software is installed (though it may have been that simple during the initial adoption of technology in the workforce many years ago), it ha become more complicated and essential with “moving” assets on the rise.
A proper ITAM program is essential for governing mobile assets to minimize security risks, increase compliance, and manage costs. It will be difficult for your organization to stay in compliance in the face of more frequent -- and more expensive -- vendor audits. The increasing mix of personal devices used for business also increases security risks and exposes your enterprise to substantial financial liabilities. The foundation of a successful ITAM program, with multiple moving assets, is a strict set of policies and procedures that is strictly enforced.
Tracking and Consequences
One of the most difficult and important activities involved in managing mobile assets is collecting, tracking and monitoring mobile asset inventory. Remember the infamous FBI debacle in 2005, when more than $6.7 million worth of laptops went missing? Whether it’s one or several hundred missing mobile assets, there are heavy-duty consequences, such as the lost value of an asset, time wasted trying to locate it, and security issues (including compromised sensitive data).
Policies must address the issue of missing or lost mobile assets, but rarely do they outline or enforce the penalties. Once employees are held accountable for a device, it’s more likely they will take better care of the mobile asset. Penalties include charging an employee for the value of the device or the threat of taking legal action against an employee if any action put the company out of legal or regulatory compliance.
Your organization also needs a uniform process to follow when theft or loss occurs. Your policy should address questions such as:
- How long should the employee wait before reporting the theft or loss to IT?
- How long before the authorities are contacted?
- Can you erase the data on the mobile device remotely?
- Is the data backed up?
Software License Compliance
When mobile assets are not part of the auditing process -- as they are often “forgotten” or only a portion of mobile assets are audited due to poor tracking -- an opportunity arises for unauthorized software downloads and use. Strict policy and procedures for software downloads and mobile apps need to be created and followed to prevent audit fines that could equal millions of dollars (especially for a multinational company). A majority of companies don’t know what is on their mobile assets, so they can’t have an accurate inventory of software in their environment and do not know if employees are using the installed software. What is thought to be the usage amount is not always the case unless the company is constantly monitoring everything that happens on their mobile assets. Otherwise, they are out of compliance.
Data Security
The very nature of mobile devices creates a corporate security issue. Users often work “offline” only to connect and synchronize information with enterprise back-end systems once the employee is back at home (literally). Perhaps they are synching e-mail or documents on a Blackberry or Netbook with their home computer. The risk is the lack of transparency the company has to each owner’s device and where the information may be transferred.
With today’s work habits, the blurred line between work and home can cause organizations to overlook possible security breaches that must be addressed by their mobile IT policies. On many devices, IT has the ability to pre-empt data security breaches with parental controls or special configurations based on the device itself. In any case, you should limit what types of information can be sent using the mobile device, how it is used, and what happens should the device be stolen. By keeping the most vulnerable information off of a mobile device, you will minimize the risk from theft or loss.
Implementing a Strict Policy
No matter how strong your IT infrastructure/operations, if employees and assets are not properly managed, things can quickly get out of hand. Having a comprehensive set of policies in place, with a proper communication and education program for employees, will reduce problems during each phase of your ITAM program. Here are some tips for effective policy management.
Provide Details: A good set of policies and procedures that specifically address mobile assets will pre-empt any questions by giving employees comprehensive, well-thought-out answers. Questions or topics that can be covered in detail:
- What are the policy procedures for my Blackberry and laptop?
- Can I use my corporate phone for personal calls?
- Can I receive corporate documents to my phone via e-mail?
- How do I order a replacement security token for my laptop?
- Can I forward work e-mail messages to my personal phone?
- Can I take my laptop home?
Get Ahead of Your Users: Explain for the most common scenarios and anticipate potential security threats before problems arise. Some industries, such as health-care or financial services, must follow stricter policies for compliance and privacy than, for example, a marketing agency that isn’t subject to industry legislations.
You also must specify consequences for non-compliance. A strict policy is nothing if it is not followed.
Tips for Implementing Your Policies
Once policies are in place, communication is key. It’s hard enough to get employees to pay attention to something as significant as changing their health-care policy let alone to IT policies. Here are three simple steps to implementing policy.
Presentation: Many companies make the mistake of developing a 500-page manual and don’t consider their audience. A young audience may prefer to watch a YouTube tutorial or participate in an interactive Q&A. Consider brainstorming for new and innovative ways to present your policy guide that will grab and hold your employee’s attention. In high school drivers education class, they always showed us a “scared straight” video of foolish young drivers becoming injured. Your ITAM education can stress the real-life and personal (not corporate) price to be paid for “bad behavior with assets.”
Implementation: Although we have seen the gigantic manuals employees must sign to verify they have read and understand the policy, the likelihood is that very few actually read it. Once again, think about your audience and how to make this fun and unforgettable for them. Perhaps a company off-site that incorporates fun activities and policy presentations or an interactive game every new employee must “play” to get up to speed.
Ongoing Education: Without ongoing education, policies and procedures are useless as they can and will change and as new employees begin. Ongoing initiatives re-enforce the messages; they provide an opportunity to address new issues as they arise.
Companies must adapt to their employee base -- what is going to get their attention?
The Bottom Line
“Save Money, Make Money, Stay out of Jail” -- each of these brief statements is accurate when it comes to ITAM. An effective ITAM program can be the difference between getting the most out of your assets and possibly leaking millions of dollars -- whether from audit or organizational inefficiencies. It’s in every organization’s best interest, and in the employee’s best interest, to invest in an ITAM program, especially with the constantly changing world of IT and the addition of new devices at all times. As an investment, it has a great return.
Phara E. McLachlan is the CEO of Animus Solutions which focuses on helping organizations establish best practices for managing their IT infrastructure. You can contact the author at phara@animussolutions.com.