Integritum – Governance, Risk, Audit, Security, Privacy, and AI

Data silos emerge when teams operate on disconnected datasets, with each assuming theirs is the definitive version, and all carry out their work duties on the assumption that the data they are using is complete, reliable, and trustworthy.

Organisations often evolve into this state when different teams self-manage their areas, their hardware and their software in isolation. Although attempts may have been made on occasion to collate the data and provide a more accurate holistic view, without processes to maintain such data, it inevitably becomes out of date very quickly. Where such an aggregation of data is undertaken upon the initiative of an individual team or team member rather than driven by senior-level strategic direction, data from some areas may be missing.

If you allocated time and resources to building or buying a new solution:

• The system must become the authoritative source of truth for hardware and software assets across the enterprise. If other teams need a subset of the data, it should come from this source and not independently compiled.

• Where multiple teams manage hardware and software, the new HAM/SAM delivery project should have buy-in from all relevant departments to ensure that the system becomes the central system of record. Without this, the new solution will quickly become another “one of many” solution.

• Understand any specific requirements that individual teams may have for data on hardware and software. If the new solution doesn’t meet the needs of all stakeholders, they are likely to continue compiling their data independently. Reports should not be generated using separate data sources but should come from a consistent data source.

Consider the following actions:

• Make sure all the stakeholders are involved in the process or have an awareness of the new project.

• Maintain regular communication with stakeholders, ensuring visibility into project status, decisions, and expected outcomes.

• Catalogue all inventories or processes currently in use by teams throughout the business and identify any specific requirements at a local level.

Regardless of which SAM or HAM solution you selected, it will need your data for the system to work. Ultimately, the data is the system, without it, the solution offers no value. It doesn’t matter how much money you spend on building or buying and delivering a system, without your data, it will not provide any meaningful service to the business.

I have taken over failing projects where businesses have already purchased a solution, but it is not yet operational. Often, nobody involved in the project understood:

• What data already existed

• The location of the data

• Who could provide the data and how

Also, very little information was available as to how the system would function in the target environment. In several cases, the non-technical buyer assumed that procurement alone would resolve asset management challenges. Data and many other factors are essential and need consideration long before a buying decision. The availability of data will depend on the size, the age and the maturity of the business.

With mergers and acquisitions, different solutions exist already, and with data fragmented across multiple systems with no holistic view of hardware or software. Due to the inaccuracy of data over time, compiling data from multiple sources will allow an accurate picture to emerge. Examples of potential data sources include:

• Active Directory – details of all computer accounts in the domain along with the date and time stamps showing when assets last accessed the network. The same principle will apply to other directory services.

• DHCP allocation – the logs will contain details of every piece of hardware with an allocated IP address. This data will also indicate how recently each piece of equipment accessed the network.

• Purchasing records – details of hardware and software purchases will be available, though often stored in formats unsuitable for automated analysis.

• Anti-virus – details of assets with anti-virus software installed and details of the most recent virus definitions updates

• Support Teams – individual support teams should have information on what hardware assets fall within the scope of services they offer

• Laptop allocation records – details of laptops purchased, their location, and who is responsible for them

The list of data sources will differ for every organisation and in some cases may include manually maintained spreadsheets with details of computers. From an accurate or partially accurate list of hardware assets, inexpensive utilities can identify software installations and usage.

Tools such as Microsoft Access or SQL Server can yield actionable insights when combined with known data sources. These software packages can answer many questions about hardware and software from this raw data already available. Consider the following actions:

• Get access to the data

• Perform some analysis

• Find out what the data says

I have observed the following in numerous cases:

• Expensive solutions remain undelivered for excessive periods due to insufficient skills to deliver and operate the service

• Many data sources within businesses often remain unknown, or known but not understood, analysed or utilised

It is not always necessary at this stage to decide to buy a commercial product or build an in-house asset management system. Getting the data and performing an analysis can often provide actionable intelligence to mitigate sources of risk and increase overall compliance.

Key drivers for implementing Hardware Asset Management (HAM) and Software Asset Management (SAM) include:

• Security assurance – effective patch management depends on complete and accurate hardware and software inventories. Having a detailed list of hardware and software is crucial if you want to be sure that all software on all devices gets updated to the latest version and any security patches are applied.

• Asset valuation – determining the current value of assets for accounting purposes – such as for negotiating a price during mergers and acquisitions or for end-of-year valuation purposes.

• Software licence compliance – beginning the discussion on HAM and SAM in direct response to vendor accusations or investigation by the Federation Against Software Theft (FAST).

• Response to an audit – could be an internal or external audit, but generally where SAM and HAM identified deficiencies need corrective actions, or as a preventative response to known under-licensing risks.

• Budgeting and cost centre allocation – calculating the costs per business unit of IT services for cross-charging purposes.

HAM and SAM are crucial aspects in the implementation of security standards. Capturing information about corporate assets and maintaining inventory accuracy is essential, and achieved in several different ways, for example:

• Use of data from existing services such as Active Directory, anti-virus solutions, DHCP and other sources of data within the organisation

• Connecting remotely to individual assets to assess the current state of the asset and capture information about software installations

• Deploy background agents to gather continuous telemetry to update software and hardware inventory records

• Maintain the inventory manually

Agents may not exist for all asset types, and a combination of the above is likely to maintain data over time. These operational dependencies must be understood early, as they directly influence rollout timelines and ongoing SAM and HAM data accuracy. If an asset requires an agent, you will need an initial inventory as a starting point.