Discussions on the management of IT assets are often enough to bore even the most ardent systems manager, until 'that' event happens. But what is 'that' and why should such an event act as a wake-up call to do something?
Well 'that' event could be notification of a visit from FAST or a call from your director's PA to say that he's lost his laptop and can he have another one with exactly the same configuration. Or it might be that the ERP application needs a patch distributing to all workstations - immediately.
These challenges highlight the need to manage IT assets in a highly professional manner, which is at the very heart of enterprise management.
If you are part of a medium-to-large enterprise, the situations outlined previously will be very real. They should be all in a day's work for IT departments in every sector, except that such events often precipitate significant, frantic activity for the simple reason that we don't always know who has got what or even where it is.
Companies with fixed asset registers will keep records of their hardware assets at the time of purchase, but asset ledgers are not usually accessible to IT managers and are rarely updated. And neither do such fixed asset registers reflect the technical detail that IT managers need to effectively manage 'those' events referred to earlier.
Defining the problem
So how much of a real issue is asset and configuration management today? The answer is self-evident to any company with licensed software, people who lose laptops or have a large user base.
It's the difference between being able to satisfy the need without diversion of effort away from other tasks. And then being able to do it again tomorrow, and the day after that.
Anyone with a sizeable installed base of PC workstations will recognise that operational complexity increases disproportionately with the numbers involved and in many organisations, churn rates - the number of workstations that need upgrading, moving or refreshing - can exceed 30 per cent a year, with dynamic organisations experiencing anything up to 100 per cent churn.
So what can be done to exert the appropriate amount of management to this aspect of IT? There is no shortage of standards and specifications covering asset and configuration management - witness the ITILĀ® treatises on this subject as well as the new international standard ISO 20000, which mandates process compliance in order to achieve accreditation.
Configuration management is central to the attainment of ISO 20000 as it was for its BS 150000 predecessor, although this is not the only recognised standard for configuration management since ISO 10007 has existed for some time in the manufacturing and logistics world.
But IT is always different
The personnel manager in your company knows exactly how many people work in the organisation, where they are based and how much to pay them each month. Similarly the fleet manager keeps accurate records of what company and pool cars they are responsible for, who has them and when they are going to be sold, upgraded or moved between departments.
These people expect to manage the assets under their control as a normal part of their day job, unlike IT departments, which rarely know exactly how many bits of inventory they control or where the current 'owner' is working from.
We also expect new roads and railways to be mapped accurately and records kept about their maintenance, so why should IT claim to be any different? The same issues arise with software since this is as much of an asset as the more obviously visible hardware and has to be paid for either by the number of licenses needed or the capability of the kit on which it is hosted.
If a company with 10,000 employees can keep track of everyone, pay them on time and legally keep a fleet of vehicles on the road, then IT has to be up to the challenge of managing the corporate information assets they use to at least the same standard.
Much of the blame for poor asset management can be attributed to the way that IT assets are acquired, either on a project by project basis or by end-user purchasing, although neither of these reasons is an allowable excuse under current IT governance rules. An effective asset governance regime will exhibit some fundamental management principles:
- IT assets belong to the company, not the employee or department.
- No personal data should be held on PCs.
- Access is blocked to non-corporate data such as eBay or MP3 sites.
- All software must be registered on an auditable database.
- Network patch automation tools should be used to record all changes.
- Every asset is uniquely registered on the network and is known to IT.
The only reason that IT is different is that it expects to be so. However the rules have changed and a discipline for IT asset management is now needed.
A common issue revealed
Many companies inadvertently allow staff access to music sites from where, assuming payment is made, legal copies of tunes can be downloaded.
However storing these on company servers gives rise to the problem of copyright theft and the potential for law suits in connection with the illegal distribution of MP3 files, such as in the case of Integrated Information Systems in Arizona who settled out of court for $1 million to avoid prosecution for copyright infringement by employees who accessed music files through their servers.
Effective asset management policies will avoid the potential for such embarrassing situations as well as maximizing legitimate IT capacity.
So what can IT do about this?
IT needs to ensure that every computing asset is effectively controlled, managed and operated according to the environment in which it is used.
This can be most simply done by implementing asset and configuration control at senior management level, linked to other key disciplines such as change and release management as defined by ITILĀ® and ISO 20000.
This is administered by tools such as a Configuration Management Database (CMDB), together with its key attributes.
This type of control regime leads to a number of significant benefits:
- tighter control of IT assets leading to reduced purchasing;
- better awareness of software and distributed licence management;
- shorter time to achieve repair, replacement or upgrade;
- better audit and regulatory compliance;
- improved IT and user staff time utilization during change;
- control over staff activities and reduction in corporate liabilities.
And of course it is essential in order to gain ISO 20000 accreditation. But it would be wrong to assume that all this can be done without giving rise to concerns, not least of which will come from users who will see increased IT control as inhibiting their freedom to do whatever they like with 'their' PC.
However, in the same way that the fleet manager does not allow unauthorised modifications to company cars, neither should the IT manager allow similar infringements to corporate information facilities.
The advantages that the IT manager has over their fleet counterpart lie in the tools that are available to manage, audit and control the IT asset base - and if staff still conspire to circumvent them, the personnel manager is available to offer support for disciplinary proceedings!
The future of asset management
A new ISO standard on software asset management (SAM) to complement ISO 20000 was published in mid-2006. This new standard, known as ISO 19770, was developed to provide an internationally agreed definition against which organisations can measure their policies and procedures to ensure good asset management quality.
Following this standard, which for professional service delivery organisations will also mean becoming formally accredited to it, will help IT departments achieve compliance with their legal and commercial obligations as well as demonstrating effective governance of software assets as part of an increasing focus on IT controls.
SAM on its own will not satisfy ISO 20000 or deal with the problem of physical asset moves, changes and thefts. One technology that could be used to complement ISO 19770 is the deployment of radio frequency identification (RFID) tags on all moveable assets so they can be discovered without the need for physical hardware verification.
More than 1.3 billion RFID tags were made in 2005 so these are inexpensive, as are the tracking devices to make use of the information they provide. An IT department that tracks its mobile workforce through RFID tags and manages its software in accordance with ISO 19770 will be in control of its assets to a far greater extent than is the case today.
