IT Asset Inventory is the log, spreadsheet, document, or database that keeps track of who in your company has which device(s). It can also extend beyond hardware sometimes, but today we're going to focus on the hardware (laptops / workstations / tablets) type of asset tracking.
You already know where this is heading: nobody (and we know a lot of IT folks) loves spending time on catching up on a backlog of asset tracking work. So, that begs the question: does it matter? Should we bother with an asset inventory at all? Won't employees just fundamentally know what hardware they've got in their possession, and keep us apprised of any changes or needs?
Probably. But that's not the point.
Security Controls Implementation
Before we dig deep into the ramifications of your IT asset tracking approach, let's talk about security controls. Remember when you adopted an information security plan that promised that client data would only be stored in a manner that is indecipherable to unauthorized personnel?
That type of policy decision (and it's a good one) creates a cascade of controls decision. And the cascade goes something like this:
- We need to keep client data indecipherable to unauthorized personnel.
- So, we need to manage which storage devices and workstations contain that type of data.
- In order to make the information on those devices indecipherable to unauthorized personnel, we'll implement full-disk encryption and federated authentication on those devices.
That's a very simple cascade, but it illustrates an important pattern. The first step of the cascade was policy-oriented assertion. We're not in the business of implementing arbitrary security practices on an ad hoc basis. Rather, we start with an overarching strategy outlined in a policy. Then, in Step 2 of the cascade, we conclude that we must know the scope of what IT assets the policy relates to. Finally, in Step 3 of this cascade, we make a controls decision about the particulars of our encryption and authentication practices.
What if we didn't have the information to fulfill Step 2 in the cascade? Uh oh.
When Security Controls Fail
Let's elaborate further on our fictitious (but realistic scenario). Let's say that the organization we're talking about is subject to HIPAA, and that they routinely handle PHI (Protected Health Information). Perhaps medical records containing names of patients and details of medical examinations.
In an initial asset inventory of this hypothetical company, it's a good bet that computers in any of the examination rooms and the reception areas would be remembered, and included in the inventory. Probably a few laptops, too. But what about the devices used by the doctor who has been on sabbatical for two months. Did anyone remember to get in touch, to take an inventory of that doctor's devices?
It's easy to imagine an initial oversight, and in time, occasional oversights in asset inventory lead to mistakes when IT professionals circle back an implement solutions to enforce the security controls that the agreed-upon policies require. And in this example, that could lead to unencrypted Protected Health Information sitting on an unencrypted laptop that doesn't enforce time-elapse screen lock policies. And it would be hard to explain how that type of setup could possibly comply with HIPAA.
Wrapping Up
Small organizations don't need fancy I.T. Asset Inventory systems. But they do need an agreed-upon database, spreadsheet, or system -- and they do need to make updates corresponding to asset purchases (e.g. for a new-hire) and asset dispositions (e.g. a failed laptop's hard drive being irrevocably destroyed). The effectiveness of all of your other security controls relies on the question of whether they are being applied to every "in scope" device.
Want to talk more about security policies + plans, security controls + practices in small businesses? We'd love to connect.
