1. The Role of ITAM in Information Security
Presented by
Steve Gerick CISA, CISM, CITAM, PMP
Associate Director - Protiviti
2. Industry Trends & Drivers
People
Mergers and Acquisitions
Regulatory Compliance
Reduction of Organizational Silos
Centralized Model (consolidation and standardization)
Technology
Increased computing complexity
Need for “Active Asset Management”
Electronic software distribution & Patch Management
Move to suites instead of point products
Vendor Consolidation
Process
Real-time process model
Interest in ITIL and CobiT
Driven more by compliance needs
3. Top Five IT Issues*
Strategic Alignment
Need to align IT with the business and its goals - providing a flexible,
integrated information infrastructure to support business strategy.
Value Delivery
Places the focus on expenses and proof of value and concerns itself
with cost-optimization, with ensuring a favorable return on investment
for IT and a positive bottom-line impact.
IT Assets
Targets knowledge and infrastructure. Deals with the selective
outsourcing of non-core processes to trusted suppliers, to leverage
knowledge and skills internally and externally.
Risk Management
Concerns itself with safeguarding assets and preparing for disaster.
Performance Measurement
Necessary for any of the other four to be managed appropriately in a
complex economic and geopolitical environment.
* ISACA Journal Volume 4, 2002, Erik Guldentops - ITGI
7. ITAM & The ITIL Framework
[Figure: ITIL framework diagram. Labeled elements: The Business; Planning to Implement Service Management; Service Management (Service Support, Service Delivery); The Business Perspective; ICT Infrastructure Management; Security Management; Application Management; The Technology; Suppliers]
* ITIL Best Practices Services
Software Asset Management
8. Relationship between ITAM & Security
Overall Management Processes: Overall management responsibility; Risk assessment; Policies and procedures; Competence, awareness and training; Performance metrics and continuous improvement; Service continuity and availability management
Core Asset Management Processes: Asset identification; Asset control; Status accounting; Database management; Financial management
Logistics Processes: Requirements definition; Design; Evaluation; Procurement; Build; Deployment; Operation; Optimization; Retirement
Verification and Compliance Processes (Governance): Verification and audit; License compliance; Security compliance; Other compliance (software standards)
Relationship Processes: Contract management; Supplier management; Internal business relationship management; Outsourcing management
* ITIL Best Practices Services
Software Asset Management
Editor's Notes
These are the industry trends I have seen from industry pundits and supported by what I've been seeing in the field over the past two years working with over 50 different clients.
People: Mergers and acquisitions are placing severe strain on operations (IT, HR, Facilities, Finance) functions in organizations, since this is an area that is usually cut deeply to help accelerate the financial benefits derived from consolidating operations. Regulatory compliance is placing tremendous burdens on public companies and in the health care sector with privacy concerns. Organizations have put a great deal of effort into promoting HR efforts that have focused on getting different groups within a company to break down organizational barriers.
Technology: Many organizations have multiple operating systems that drive platforms for business and productivity applications (UNIX, Linux, Microsoft, OS/400, MVS, etc.). Vendors have begun to offer real-time asset configuration and management solutions. Electronic software distribution and patch management solutions have proliferated (Altiris, SMS, Peregrine, CA, etc.). Vendor consolidation.
Process: Technology models processes more closely now – ITIL-compliant ICT Management applications, for example. The IT world is more mature. Maturation typically migrates to standard frameworks that help organizations integrate ICT functions. SOX, GLBA, HIPAA, Basel, etc.
1. Strategic alignment refers to aligning IT with the business and collaborative solutions. Alignment is best achieved when cross-functional, collaborative information systems are instituted. This allows IT to be an agent of change, enabling business transformation in a robust and nimble manner. Finally, strategically aligned IT helps educate and connect the c-suite (CIOs, CEOs, COOs, CPOs, CTOs, etc.) while enabling effective communication with information systems users. In other market analysts' lists, the issue of strategic alignment is referred to through terms such as "increasing business demands on IT infrastructure," "integration of processes," "systems integration," "IT serving as an agent of change" and "IT bridging the disconnect with the c-suite."
2. Value delivery places the focus on expenses and proof of value. Value delivery concerns itself with cost-optimization, with ensuring a favorable return on investment for IT and a positive bottom-line impact. It takes into account the total cost of ownership of IT services and the quality and effectiveness of enterprise-wide service delivery. Most important, it emphasizes keeping users and managers satisfied, thus proving the value of IT. Accountants and auditors traditionally have looked at emerging technology issues from the risk and control point of view. Value, on the other hand, is a more important driver for management. Auditors and accountants should be aware of, and deal with, the management priority. In other market analysts' lists, the value delivery concept is alluded to by the use of such terms as "IT service delivery," "trust," "quality of service" and "proving the value of IT."
3. IT assets targets knowledge and infrastructure. Specifically, this issue deals with the selective outsourcing of non-core processes to trusted suppliers, thereby enabling the enterprise to leverage knowledge and skills internally and externally. IT assets ensures that an integrated, economical IT infrastructure is provided, wherein new technology is introduced judiciously and obsolete systems are updated or replaced. It recognizes the importance of people, in addition to hardware and software, and therefore focuses on maintaining availability, providing training, promoting retention and ensuring competence of key IT personnel. Other market analysts make reference to the IT assets issue in terms such as "outsourcing," "trusted suppliers," "resource management," "training and competency" and "skills retention."
4. Risk management concerns itself with safeguarding assets and preparing for disaster. Risk management establishes IT security to protect assets and enable business recovery from IT failures. It ensures privacy for users and builds resilience into systems. Risk management knows the importance of establishing trust in the enterprise's services and among its partners. It manages internal and external threats: internal from misuse and errors, and external from deliberate attacks, market volatility and the pace of change. Other market analysts' lists include the risk management concept by referring to "safeguarding business assets," "disaster recovery," "security" and "resilience."
5. Performance measurement is simply, in the opinion of the IT Governance Institute, necessary for any of the other four to be managed appropriately in a complex economic and geopolitical environment. Other analysts include "improving SDLC" in this category.
META recently estimated that some companies are over-licensed by as much as 40% and that the average is 15%.
ITAM Relationship to ITIL Framework Software Asset Management is depicted in the framework model. The keys are:
Overview of ITIL Processes
Planning to Implement Service Management covers the planning of Service Management processes, together with the development of organizational and ICT cultures.
Service Management consists of two guides:
Service Delivery covers the processes associated with the development and improvement of the quality of ICT services, such as SLM, Financial Mgt., Capacity Mgt., IT Service Continuity and Availability Management.
Service Support describes the function and processes involved in the day-to-day support and maintenance of the ICT services, such as Incident Mgt., Problem Mgt., Configuration Mgt., Change and Release Mgt. and the Service Desk function.
ICT Infrastructure Management describes all of the processes associated with the management of the ICT infrastructure, including overall management, Design and Planning, Deployment, Operations and Technical Support.
Application Management includes all of the processes and issues associated with the development and management of applications and software lifecycles.
Security Management covers all of the processes and issues associated with the security of ICT services and systems.
Business Perspective focuses on the processes of business alignment and communication associated with the ICT systems and services.