IT asset management (ITAM) and its relationship to good cyber security practice and risk management is becoming a vital element in determining an organisation’s ability to obtain credit, and those that lack an appropriate ITAM strategy may find their ratings adversely affected, according to credit ratings agency Standard & Poor’s (S&P) Global Ratings.
In its report, Cyber risk insights: IT asset management is central to cyber security, the agency explores how ITAM – defined as the practice of tracking and managing hardware, connected devices, software and networks throughout their lifecycle – is now vital to an organisation’s ability to proactively manage vulnerabilities, respond to cyber incidents and attacks, and minimise their financial impact.
It cites the 2017 breach of personal data on 149 million Brits, Americans and Canadians at fellow credit agency Equifax as a prime example of an incident in which ITAM, or lack thereof, was a decisive factor.
The US Federal Trade Commission’s (FTC’s) complaint against Equifax, which ultimately led to a multi-million dollar fine, cited an inability to maintain “an accurate inventory” of its public-facing IT assets that ultimately led to the failure to patch an Apache Struts vulnerability, which a Chinese advanced persistent threat (APT) actor was able to use to access its systems.
S&P credit analyst Paul Alvarez said: “ITAM is foundational to effective cyber security. Its absence at an organisation can be indicative of flawed cyber risk management and could weigh on our view of an entity’s creditworthiness.”
“ITAM is particularly important to the implementation of time-critical cyber security, including identifying assets with critical vulnerabilities, searching for compromised equipment or systems and lifecycle management,” said Alvarez.
S&P warned that ineffective or absent ITAM can lead to gaps and blind spots in organisations’ ability to conduct appropriate cyber risk management, leading to increased vulnerability, compliance issues, inefficiencies and sub-optimal incident response.
It said that these gaps more usually reflected a lack of attention or resource dedicated to ITAM, but also acknowledged that many IT and security teams do find it hard to meet the bespoke needs of differing ITAM systems, which can be determined by multiple factors such as complexity, size and operational area.
S&P said that for ITAM to properly fulfil its function, it must perform a minimum set of functions and be subject to ongoing support.
Assets that need to be protected must be properly protected and effectively tracked, and there need to be processes in place to maintain that degree of oversight, which ideally will cover a wide range of information, including network addresses; hardware type, such as desktop or laptop PC, or server; software, including both operating systems and applications; ownership details; configuration settings; and how critical the asset is to the organisation.
S&P added that while responsibility for ITAM has traditionally fallen to the IT team, the most effective practitioners break out of this silo and share ownership and management across different beats. As an example, says the report, the security team will often have data that can help the IT team take an accurate inventory of exactly what assets it has on its books, which helps everyone.
“In our view,” the report concludes, “ITAM should be directed by explicit policy that provides the authority for the system to be effective and assigns clear roles and responsibilities.”