Process Controls for Assets – Managing Around Operations, Process Gaps, and People

By Daniel Anderson, Accenture

One of the core aspects of any Asset Manager’s job is to maintain adequate controls over an organization’s asset base as changes are made through day-to-day operations. In any organization, but especially in large companies, the number of people who can affect the asset pool is much, much larger than the Asset Manager’s area of control.

Desktops and laptops are swapped through break/fix processes. Applications are deployed (and redeployed) from VM to VM through the change process. In any organization, the majority of events that affect assets happen outside of core “asset management” activities. It is critical that an asset management function creates the necessary controls to track these changes, manage exceptions, and measure adherence.

ITIL’s Change and Request Management

Under the ITIL framework, changes to the base happen primarily through the IT Change and Request Management processes, and those changes are tracked through the Configuration Management process. In mature organizations, the controls within those processes should provide regular updates to maintain an accurate picture of the asset base. Even in this ideal case, Asset Managers need to ensure that the required points of control exist within those processes and that IT staff understand their asset responsibilities. Those asset responsibilities represent a dotted line from those teams to the Asset Manager.

Of course, in the real world, control of assets is much more complicated. It’s rare that any organization’s change and request processes cover the entire asset base. Even assuming that fully documented change processes actually exist, the organization may have valid business reasons for excluding non-production environments. The exclusion creates a gap in the Asset Manager’s ability to control the assets in the development and test environments as assets are deployed and redeployed.

Configuration management also has a limited scope outside of production environments. Often, assets such as client hardware and software are outside the scope of the configuration management processes. In cases where there are gaps in the processes that update the asset base, the Asset Manager must identify controls to track the changes to assets made through day-to-day activities, and establish standards and processes for operations teams to follow.

Many organizations also have adapted the ITIL framework to match their reporting structure, or have incorporated legacy processes into their configuration, request or other processes. It’s very common, even in the largest organizations, for a significant number of asset updates to happen through the incident management workflow. While the ITIL purists may suggest that the answer is to change those processes to match the framework, Asset Managers have the responsibility to track assets based on where updates do happen, not just where they should happen. For example, if software is deployed through a self-provisioning process, or if hardware is updated through an annual technology refresh program, the Asset Manager needs to understand the detailed workflow that results in changes happening and needs to control those assets when those changes occur.

At a minimum, Asset Managers need to account for the key status changes for hardware and software through each asset’s lifecycle:

Key Asset Status Changes by Type

Data Center Hardware
  • Hardware Purchase
  • Hardware Receipt
  • Hardware Deploy to Production
  • Hardware Deploy to Non-Production
  • Hardware Repair
  • Warranty Replacement
  • Hardware Remove to Inventory
  • Hardware Disposition

Client Hardware
  • Hardware Purchase
  • Hardware Receipt
  • Client Hardware Provisioning
  • User De-provisioning
  • User Org Changes
  • Hardware Break/Fix Process
  • Hardware Repair
  • Warranty Replacement
  • Lost/Stolen Hardware
  • Hardware Remove to Inventory
  • Hardware Disposition

Software
  • Software License Purchase
  • Nonstandard Software Request
  • Software Deployment to Production
  • Software Deployment to Non-Production
  • Software Packaging
  • Software License Harvest
  • Hardware Changes Impacting Software License Attributes
  • Software Retirement
  • Patch Management
  • Software Catalog Management
  • Hardware Retirement

Commitment Required

Effective management of hardware and software assets requires an organization-wide commitment. Asset changes that occur through unmanaged processes lead to lost assets and increased risk to the organization. Asset Managers will need to gain buy-in from senior IT leadership to require that teams follow asset processes and identify the metrics to use to verify compliance with those processes. Of course, in order for those processes to be effective, IT leaders also need to make it clear that there will be consequences for people/teams that don’t do their part to help control the assets. Finally, leadership needs to invest resources to build the processes and measure adherence effectively.

Only when the necessary controls are put into place does it become possible to effectively control the asset base throughout the organization. Asset Managers can use the updates from the various operations teams to establish an accurate baseline and measure adherence to the processes at the control points. The Asset Manager also has the information to effectively deal with the exceptions to bring those assets back under control. The ultimate outcome of establishing robust controls throughout the day-to-day operations processes is that the Asset Manager can confidently track assets, manage asset risk to the environment, provide accurate information about the asset base, and help to align the asset portfolio to IT priorities.