The Impact of ITAM to Security – TCO is Not The Only Reason to Invest In an ITAM Program

By Keith Bennett & Tyson Hiner, FAA

Why invest in an Information Technology Asset Management (ITAM) program? The first answer that comes to mind is Total Cost of Ownership (TCO). There are numerous ways that an organization can save money utilizing a properly managed ITAM program. But, what if I told you that an ITAM program in your business would provide you with an even more valuable benefit than TCO?

I’m talking about IT security.

When you mention IT security, most people think about anti-virus programs, firewall settings or even software and operating system patches. But if you don’t know where your IT assets are, how are you going to effectively deliver these IT security products?

The Impact of the ITAM Program

When we implemented an ITAM program at the Mike Monroney Aeronautical Center (MMAC) – a Federal Aviation Administration center in Oklahoma City, OK where we manage more than 5,700 computers – we were able to standardize software, hardware, patch deployments, and virus software updates.

We created an IT infrastructure, without a major capital investment, that provides security patching and updates to computers actively on the network and joined to the domain. Before our ITAM program was in place with the current IT infrastructure, we spent numerous person-hours hunting down IT assets to manually patch them (these were primarily IT assets that were stored, like a laptop that was seldom used or an old machine that had not been disposed of yet). In addition to efficient patching, we have found that even a slightly mature ITAM program allowed us to easily find a machine with an identified security problem. It has been invaluable to know where a machine is, what is on it, and the status of the security patch. In our IT environment, our assets report to the server within 24 hours, some in real time (depending on the tool and security system).

Knowing where your IT assets are also ensures proper end-of-life disposal. Before we had an ITAM program, assets were often left in a closet, under the stairs or in some dark corner. There was no accounting for the asset from a security standpoint (it was accountable, but only as a property asset – the same way a hand truck would be accounted for). By implementing our ITAM program, we now have a structured process for disposing of IT assets. This process includes the critical security step of ensuring that all data is erased from the hard drive(s) and any removable media is destroyed. There is also a network security process in place whereby an asset is disabled (for network activity) if it has not reported to the server within 60 days.

Next Steps for ITAM and Security

With support from management and a capital investment, our utopia would consist of some form of network access control (NAC). Basically, if an asset has not been patched with critical patches or up-to-date software, it will be ushered into a separate network and automatically patched before it is allowed to join the actual production network. Another choice is to force a manual intervention by a technician prior to the machine coming online. This next step will allow us to deploy patches deemed important or urgent by upper FAA management in an efficient manner as well as stipulate requirements to be active on the network.

With the help of this technology, NAC, and our developing ITAM program, we envision great synergy and structure of IT security and IT asset management. So when you are contemplating an ITAM program, or trying to convince management it is the right thing to do, don’t forget about IT security. A successful marriage between IT Asset Management and IT security will help sustain a healthy IT environment for everyone.

About the Author

Keith Bennett is the Computer Specialist for the Federal Aviation Administration.