One of the key mottos of information security is, “prevention is ideal, but detection is a must.”
IT asset management (ITAM) is an essential part of information security. IT asset managers play a critical role and therefore must evolve ITAM practices to align with security initiatives.
The weakest link in information security is IT asset disposition (ITAD). Unlike other aspects of information security, establishing controls can be challenging because retired assets are no longer connected to a network, which makes monitoring their whereabouts difficult to automate.
Data security laws require that organizations have adequate controls. Controls are countermeasures. There are two types of controls: preventative and detective. Both are important and required.
Mature organizations already take preventative measures seriously. For example, they establish formal disposal procedures. They contract with certified electronics recyclers. They frequently destroy data before a move.
Almost all organizations, however, fall short in terms of detection. The only way to detect if a retired asset is missing is to reconcile inventories. Anybody who has reconciled knows this is easier said than done.
It is time for ITAM to evolve. It is time for ITAM to recognize that reconciliation is a requirement. If you are not reconciling, you are ignoring the law. Should a breach occur (regardless of the nature), your organization is at risk of being found negligent.
Asset managers are not miracle workers. It is virtually impossible to track every single asset. That is not an excuse for not reconciling.
It is important to recognize that it is not a failure if an asset manager detects a loss. It is negligence if they don’t.