COVID-19 and IT Asset Management (ITAM)
With millions of workers suddenly displaced and relocated to work from home (WFH) environments, there has been a massive surge in hardware and software relocations and deployments. As discussed in our “Working Remotely” video, the Hardware Asset Management (HAM) and Software Asset Management (SAM) space requires immediate attention.
With the urgency of bringing millions of newly remote devices on-line, the ability to procure, track, and deploy hardware assets has become much more complicated. From tracking stock levels, deploying out-of-date hardware, or establishing employee driven procurement processes, HAM teams must consider a myriad of scenarios to help keep the workforce productive while at the same time avoiding longer-term unintended consequences and risks.
The unprecedented nature of the challenges currently faced requires a reactive deviation from what would traditionally be considered best practice, as well as atypical responses to asset status changes.
- Temporarily leverage assets pending disposal
Normally, an effective ITAM program enables rapid provisioning and tracking of new hardware, i.e. being able to quickly add new devices for a remote workforce. However, as demand for laptops as temporary replacements for users surpasses existing supplier and internal stock levels, leveraging assets designated for disposal can be utilized as temporary stopgaps. Ensure end-of-life hardware is fully patched and tested for security prior to deploying to a remote environment.
- Identify and maintain assets now in remote locations
It is even more critical to understand where and who has the assets. Flagging the asset as being remote and ensuring that it is properly allocated is paramount.
- Leverage other sources to validate operational status, e.g., patching tool, anti-virus, etcetera.
Asset Managers should take full advantage of tools and processes to validate that the asset is still on the network and properly assigned. Now that the asset is off-site responding to a ‘missing’ state change should trigger an immediate follow-up and validation that the asset is still within the companies ‘extended’ control. As an activity, constantly compare your asset inventory against non-standard discovery sources such as patching, anti-virus, or security scanning tools. This allows for an added layer of validation in case native discovery tools struggle with inventorying the remote devices.
The above are short term reactive activities towards ensuring the ITAM program’s ability to maintain inventory accuracy while supporting productivity. However, every ITAM program, regardless of maturity level, should use this opportunity to review its business continuity plans.
- Ensure good record management is maintained
Ensure that the Asset Management Database (AMDB) is being updated in a timely manner. The transfer process should include accommodations, in the event that large-scale asset mobilization is required in the future.
- Security and compliance
In spite of these deviations from standard practice, adherence to security and compliance relative to privacy, cyber policies and regulatory compliance should not be compromised with these newly deployed assets. Diligently monitoring and reporting on standard hardware and software builds and versions is even more critical due to the lack of physical control of the asset.
- Conduct a review of the ITAM processes
Walkthrough the processes again, randomly follow an asset(s) through the lifecycle using real-time data. Validate procedures are documented. Validate that the process was followed and address any gaps there were uncovered.
- Conduct a Software Asset Management (SAM) review
Now more than ever, organizations are relying on Cloud and SaaS, such as Zoom, Office 365, and Adobe Creative Cloud, to support business continuity. This brings with it a whole new set of challenges around the usage and consumption of these types of software. Be aware that many SaaS enabled collaboration providers are currently offering free trials that may convert to user subscriptions once the pandemic has passed.
In addition, there is an increase in Cloud technologies that are used to virtualize applications in order to support a remote workforce such as Citrix, Amazon Workspace, Microsoft Azure, and Google Cloud Platform. Prepare now for software audits that will probably happen when the workforce reverts to on-sight.
Although the unprecedented nature of the current pandemic requires novel responses, business processes and protocols must be adapted to ensure business continuity as we emerge into the new reality. As a long term objective, ITAM programs should evaluate their capabilities to manage both large scale hardware deployments and scaled software license consumption for remote assets and work. Asset managers should have immediate transparency on blacklisted software installs, ability to fulfill emergency asset demands, and ability to provide inputs to broader corporate strategies around cloud migration for computer resources and subscription.
Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.