With so many IT assets outside of the office, unfortunate events like losing an asset or asset theft are likely to happen more often. Due to the increased risk, IT Asset Management (ITAM) Lost and Theft policies may need to be written, revised, or recommunicated.

Lost and Theft Policies are Important

Policies are written instructions that indicate what behaviors and actions are permissible. They answer the who, what, and why: who is responsible for performing certain activities, what needs to be accomplished, and why the task needs to be accomplished. An organization cannot be run without policies because employees would have no rules or regulations to follow. This would leave the organization at risk to break compliance, risk to accidental exposure, poor internal process flow, etc.

IT Asset Managers help to create, enforce, maintain, and measure ITAM policies. Policy Management is one of the 12 Key Process Areas (KPAs) that IAITAM has identified. KPAs are processes that an ITAM program needs to have in order to be successful and reach optimum flow. Policy Management is a core KPA, meaning that it is a policy that touches every other KPA in the ITAM program. Policy Management is designed to provide the authority to have expectations set. The goals of Policy Management are to set expectations for employees across all levels, provide uniform enforcement, create effective implementation, periodically review policies, and maintain policies.

When an asset is lost or stolen, the organization relies on the policies for the incident to know what to do and what are effective, safe options. While IT Asset Managers do not directly perform the IT services on the lost or stolen device, they take on a supporting role by helping to map out procedures and policies. For example, the IT Asset Manager can help to implement a process to be able to remotely wipe data off of the missing devices. They can help create policies that may involve warning systems or involve remotely locking missing devices. Setting up policies and procedures for these incidents is a major way an IT Asset Manager can make help with missing assets.

How to Effectively Write Lost and Theft Policies

Writing policies can be a difficult and intimidating task. Taking the process one step at a time will help to create efficient policies. A few steps that should be taken are:

Focus on the organization’s goals: Why are these policies being created? What does the organization want to protect? What is most valuable? These can be different things, depending on what the organization wants. For example, most organizations likely to want to protect the data on the device. They also likely want to be able to recover the data from the device so that it is not forever lost. Creating a procedure to gain this data back might be a goal the IT Asset Manager needs to focus on. Another example is that some organizations may have a limited amount of a certain IT asset, so if it is stolen, they may want to get it back by whatever means. Finding a way to track the asset might be a goal the IT Asset Manager needs to implement. Considering the different objectives before writing the policies will make policy creation smoother and more effective

Investigate other organizations’ Lost and Theft policies: Researching and reviewing other competitors’ policies and seeing what issues they discuss and behaviors they condemn will help to give an IT Asset Manager an idea on how to structure their own Lost and Theft policies. There may be some similarities in the issues both organizations face, so the IT Asset Manager could consider different solutions before building their own policies. For example, some organizations have remote systems and procedures to lock and track devices that are stolen or lost. This could be a procedure the IT Asset Manager may want to add

Meet with organization leaders: The IT Asset Manager will need to work with organization leaders to initiate, implement, and enforce necessary ITAM policies. Meeting with these employees will tell the IT Asset Manager how the different processes function, why certain behavior needs to be governed, who is affected, etc. Regarding Lost and Theft policies, meeting with the IT Security team will help to know what procedures are available if there is an incident. This knowledge will help the IT Asset Manager construct the policies appropriately

Write policies to be less complicated: Writing policies to be easier to understand will increase the chances of getting employee buy-in. Employees can comprehend the policy easier and are able to follow it better. If they are too complicated, acceptance is less likely, and the policies may be ignored altogether

Communicate the reason for the policy: Policies are more likely to gain employee buy-in more if the reason behind the policy is explained. When employees realize the reason for the policy, they understand why it is important and will feel obligated to do their part to protect the organization

How to Accurately Improve and Update Current Lost and Theft Policies

IT Asset Managers should want every alteration to the policies to be useful and efficient. In order to know what changes will be helpful, there are a few actions that can be taken to get the most accurate knowledge to improve the policies:

Set periodic times to review policies: Policies need to be reviewed periodically, with every 6 months being the ideal increment. The reason that policies need to be reviewed is because the organization grows and changes constantly, so if policies are not renewed, they can become ineffective

Use a feedback mechanism: Having a feedback mechanism for how the policies perform and work is vital because the IT Asset Manager can know how to improve it or if it is not useful. Getting the feedback is what can be the starting point in knowing where to reform what in the policies

Meet with the IT team: The IT security department will know what processes are best in instances of loss or theft. They can explain different technology and processes to the IT Asset Manager, helping the IT Asset Manager to know how to restructure the policies

Communicate the updated policy: Policies will not be followed if employees are not educated on them. Explaining the modified policy and why it exists will help employees to remember the process if anything does get lost or stolen. Educating employees on the importance of the policy will help it to be accurately implemented and followed

Since so many assets are outside of the office, Lost and Theft policies may need to be reviewed and updated to prepare for the increased risk of having devices go missing. Having these policies updated and recommunicated will give the organization a firm foundation on what actions to take if IT assets go missing.

References:

MacMillan. (2012, July 12). XIII.2.3a Asset Accountability Policy. Retrieved June 8, 2020, from https://www.paho.org/hq/index.php?option=com_docman&view=download&category_slug=english-2480&alias=21016-asset-accountability-policy&Itemid=270&lang=en

Oregonian/OregonLive, A. T. | T. (2020, May 15). Police recover $4,000 road bike, 14 others after tracking stolen phone to SE Portland ‘chop shop’. Retrieved June 8, 2020, from https://www.oregonlive.com/commuting/2020/05/police-recover-4000-road-bike-14-others-after-tracking-stolen-phone-to-se-portland-chop-shop.html