The Role of Policy in the ITAM Maturity Process

By Rodney Penny

No one can dispute that IT assets and the information that they process, store and transmit present a huge risk to organizations. Every organization has the responsibility to protect their data from hackers and phishers, and that means that it is imperative to shape human behavior as it relates to the handling of IT assets. How users should interact with IT assets is fundamental to the role that both ITAM and informational security (IS) have in common; therefore, a policy framework around IT assets is one of the most important steps that ITAM should take on the road to a mature and relevant ITAM program.

The purpose of policy is to guide human behavior, so when it comes to ITAM is imperative to address both the physical and the data security aspects that IT assets pose due to human use and configuration. ITAM policies should follow some very basic rules in order to make them both relevant and to server as a guide for human behavior as it relates to IT assets. The following points are not meant to be all inclusive, but rather a guide to creating relevant ITAM policy.

Policy Should Not Be Created in a Vacuum

Policies should be coordinated with every ITAM stakeholder and their already published policies, if any. By working with stakeholders, the ITAM program can ensure that any new policy is synchronized with any existing policy. New policy should reference existing policies and/or give them greater clarity. Since policy is usually very difficult to get approved (and to revise), it is imperative that this coordination be done prior to approval submission. Review and decide what elements from existing policy should either be referenced or in some cases inserted into the new ITAM policy. Referencing is usually best, because it will keep the ITAM policy brief.

Policy Should Be Brief and Inclusive

Policy should be brief, but at the same time include, or at least reference, all of the elements necessary for meaningful policy. Remember, policy is to guide human behavior, so keeping it relevant and to the point can be a challenge. For example, the human resources (HR) component related to ITAM policy does not need to be rewritten in the new ITAM policy, but a reference to any HR actions for not following the ITAM policy can be referenced instead within the new ITAM policy. This is why it is important to coordinate policy with all stakeholders; because there is very little reason to put any new policy, something that is in existing policy.

Policy Should be Accompanied by Policy Standards

Because policies can be difficult to get approved and to revise, they should be scant on details. Policy details should be included in a policy standard. An organization’s policy framework contains many policies and can be difficult to navigate, so for your ITAM policy, keep it brief and include policy standards. Policy standards are the way to be more prescriptive without making it difficult to get your base policy approved. Standards are usually easier to revise and usually do not require organizational approval. Check with your organization’s policy department to see if this applies to your organization.

Standards, by nature, are more detailed and are intended to show more about how to accomplish a directive found within the policy document. Standards documents can vary in detail, but at the least they should provide organizational personnel with the bare minimum that it takes to better understand and uphold the related policy. Well written standards provide not only guidance on how to remain within policy guidelines, but extra details on processes and procedures related to the upholding of the policy. Policy standards, however, are do not contain work instructions, but rather focus on how to achieve a policy directive.


Remember, the purpose of policy is to guide human behavior. Creating policy requires a clear vision of the purpose of the policy and a clear understanding of what behavior you want to shape. Creating ITAM policy, cannot be done without proper coordination with other areas of the business, like information security and the purchasing department, amongst others. Policy should focus on the what, standards focus on the how. Therefore, the ability to create relevant and well-thought-through policy and standards is one of the most notable signs of ITAM maturity within an organization.

About the Author

Rodney Penny is the IT ASSET Manager for Sun Trust Banks, Inc.