IT Asset Management Its Not Just for IT Asset Managers Any MoreLynne M. WeissVP of Marketing

International Association of Information Technology Asset Managers, Inc. (IAITAM)-

What is an ITAM Program?IT Asset Management (ITAM) is defined as the set of business practices that join financial, contractual and inventory functions to support lifecycle management and strategic decision making for the IT environment in support of the organizations overall business objectives.

Why do IT Asset Management?Manage IT Assets so that maximum value is gained from the use of the assets across the lifecycle and beyondValue is:Financial accountabilityRisk reduction such as through proper disposition of wasteEfficiency, performanceCustomer satisfactionControl, long-term manageability

Key Process Areas that Make Up a Mature ITAM Program

Acquisition Management Disposal ManagementPolicy ManagementAsset IdentificationDocumentation ManagementProgram ManagementCompliance ManagementFinancial ManagementProject ManagementCommunication and Education ManagementLegislation ManagementVendor Management

What is an IT Asset?What is an IT asset?Hardware (PCs, servers, printers, displays)SoftwareMobile (pads, tablets, smart phones)Scope described in terms of:Environment (distributed, data centers)Life cycle (request through disposal)Relates to EVERY departmentBridge between IT and organization/department through goals and business perspective

Have Your Assets Gone Into Hiding?Can you identify all your IT hardware and software locations?How about your mobile assets? Do they just walk out the door?What happens with your retired or disposed of assets?Are you managing the business side of Asset Management to maximize the assets you own?Is Asset Management a game of hide and seek at your organization?

Asset Management: The Elevator PitchPolicy drivenCentralizedSavings opportunitiesProcess intenseTools supplement processImportantCareer-making!

Centralized IT Asset Management ProgramDefine Asset Management Policies encompassing the complete lifecycleCan enforce standards and the exception rules to standardsStart to collect asset information in an organized manner early in the life cycle.Process makes trend analysis possible

To Manage or Not to ManageCost of assetVolume in the environmentLife expectancyRisk factors if not managedSecurity risksLoss of productivitySarbanes Oxley & other legislationRedeployment LeasedMobility of assetCost of building the IT asset management processes

2008 - International Association of Information Technology Asset Managers, Inc. (IAITAM) *

2008 - International Association of Information Technology Asset Managers, Inc. (IAITAM) *

Commonly Managed AssetsSoftware Licensing compliance risk high cost and auditsMainframes high costLaptops mobility, cost, risk factorsDesktops redeployment candidate, often leasedPAD/BYOD devices risk factorsTelecom division of ownershipServers cost, risk to business continuity

Should we Manage?PrintersMonitorsHub, routers, firewalls

IT Asset Management Policies

Policies govern behaviors within the organization. The purpose of asset management policies are to have assets that are:TrackableMaintainableCost effectiveUsed for the good of the organization Topics are many times buried in policies with other names such as Security, Acceptable use, Disaster Recovery, Expenses, etc.

Policy Topics for Asset ManagementPrivacy no expectation of privacyProhibited use limitations on use of equipment and or softwarePersonal use rules for use non-businessUse of non-corporate assets on the network BYOD devices and software allowed? Dialing in from home?Physical security of the equipment loss and theft prevention, usually in the Security policyCommitment to energy conservation Energy Star program, monitor sleep settingsEnvironmental Self Audit policy for disclosure, escalation methods

Managing the Life of the AssetYou need help - Infrastructure, Help Desk coordination, Inventory and ToolsAssets are: In constant motion (IMAC) Change is frequent, with adds, deletes Users change Need rules to govern all of the movement and organizational buy-in

Managing the InventoryWhere is it?Who is using it?What is the configuration?What assets are being used with it (software, components)?What is the condition of the asset?

Asset Management Tools2 Primary tools are:Discovery Tool for Inventory:A discovery tool scans all equipment connected to the network and uncovers details of the hardware configuration (including DMI) and the software that is installed on the hardware. Ownership Repository Tool:A business application for IT, this tool focuses on the creation of a repository of financial, contractual and inventory information about the assets of the organization.And there are others.

End of LifecycleRedeployment RetirementRe-use

Legislation & Environmental Issues

Who is Responsible?The company that bought the asset is primarily responsibleSale to another can transfer responsibilityEquipment as garbage remains the owners issueSome laws are making the manufacturers responsible too when it concerns disposal practices

Where Are We?Everyone has the same goalsIncrease accountabilityUncover savingsReduce riskGain controlImprove performanceEach company at a different maturity point, different weak spots and strengths

Strategies for Success:Give yourself time Put the right people on the team across all functional business unitsEducate to promote buy-in and understandingSet financial and measurable goals for the program and individual projectsDont try to eat the elephant in one biteStay on track and report successes

No more Hide and Seek

IAITAM Services and Resources* Available to the Public

Thank You!

International Association of Information Technology Asset Managers, Inc. - IAITAM

CHAMP International Association of IT Asset Managers *CHAMP International Association of IT Asset Managers *CHAMP International Association of IT Asset Managers *CHAMP International Association of IT Asset Managers *The traditional approach is to submit a new request for equipment, get management approvals, submit to procurement where they do the price negotiations and normally from a pre-selected vendor list and then the PO is sent to the vendor.

Is this a practice that should be backed by policy?Policies address the what and the why

IAITAM recommends a different approach to this:

Practice of including IT asset management in the loop BEFORE an approved request is send to Procurement allows alternatives such as redeployed or warehoused assets.

Redeployment a possibility, warehoused assets. Standard breaches discovered after the purchase are difficult to rectify. Gives more detailed detail on what is being acquired, better for budget planning, easier to analyze. Procurement systems often have free text for the description, or collect data by PO. Not granular enough for asset management. CHAMP International Association of IT Asset Managers *Each organization must evaluate and reach their own conclusion. Some manage telecom, including cell phones. Others only manage machine and software. Other manage unique equipment that fits the criteria here check processing machines, tanks.

The decision may not be whether to manage, but at what level to manage manage boxes of cables differently than a serial number asset.

CHAMP International Association of IT Asset Managers * yes to these now

CHAMP International Association of IT Asset Managers *We are all familiar with the policies about discriminatory behavior, sexual harassment and other behaviors governed by law. A policy manual also covers the behavior of employees regarding the use of equipment. The policy manual is sometimes called an Employee Handbook, Corporation Guidelines, or simply Policy and Procedure Manual, . Occasionally, the IT Policy manual is a separate document and contains only IT related policies.

A document distributed to all employees (and considered a legal document) that describes the allowable and unallowable behavior of the employees including the rules regarding the use of all equipment owned by the organization.

CHAMP International Association of IT Asset Managers *Privacy, sets up expectation of discovery tool, Prohibited use part of the security policyPersonal use a morale builder when clear language permits personal actions that do not break the law and do not interfere with businessUse of non corporate assets PDAs, security risk, unlicensed software can be an issue. Dialing in one large company has you sign that the company may take your asset if they deem the access inappropriate.

Policy examples:Request and Approval prevents loss of control of the standardizationCorporate standards how they apply to the individual employee (job title, function)Maintaining an accurate inventory with SOX, this may become a policy level statement

Policy topics:Purchasing budget required, buy from catalog of approved vendorsExpense NO IT equipment can be expensedCommunications with Vendors, competitors, all non-employeesRedeployment ownership by cost center or department, if it isnt, say it hereDisposal policy on environmentally approved disposal methods or vendors, data removal requirements also critical

Gaining acceptance for policiesInvolve front line managersTake a more positive approach, not just list the dontsSeparate the ever-changing procedures from the policiesConsider an intranet Policy ManualInclude the why

CHAMP International Association of IT Asset Managers *IMAC is an acronym for Installs, Moves, Adds and Changes. These basic processes occur for every asset, not necessarily in the same way.

CHAMP International Association of IT Asset Managers *We are finally at the topic that most people think of when you say asset management! This is tracking the assets currently in use

Suggestions for physical inventories for hardware for example:Announce inventories in advance to plan for remote and frequent travelersTrain the technicians regarding definitions and standardsEliminate text entry wherever possibleUtilize bar codes or RFID for speed and accuracyCreate a report of the discrepancies for analysisPublish the findings, including improvements to be made and successes

CHAMP International Association of IT Asset Managers *Most of the tools have additional functionality, at the very least reporting capabilities.Wide selection, different functionality included metering, license tracking, to name a fewRecommendation: always do a trial installation in the environmentQuestion: Does a discovery tool find it all? Why or why not?

Assets can be owned or leased, networked or not, classic assets or tanks. This tool is invasive in a good way. Touches every aspect of the life cycle in some way. To work well, needs to be highly integrated with process and systems.

Owndership repositories unite disperate dataFinancial Invoice verification and reconciliation, cost center analysis, budgeting, chargeback, refresh planning, fixed asset reporting, finance reportingContractual Software license management, lease management, vendor management, warranty consolidation, maintenance evaluationInventory workflow, coordination of IMAC, user updates, asset loss detection and prevention, redeployment, return of lease, disposal

CHAMP International Association of IT Asset Managers *Area of business growth right nowSignificant legal changes pendingChoices require analysisTracking what happens important, no matter which path chosen

Reuse general term for continued use of an asset in another capacity or for another individualRedeployment the asset is no longer needed by the current individual or department, but has potential remaining value for internal useRetirement the asset no longer has value for any individual, department or in any capacity

CHAMP International Association of IT Asset Managers *Issue for landfills, leaching out and getting in the ground water. Statistic is from the International Association of Electronic Recyclers, report for 2003. Similar numbers reported on the EPA website.

Legislation Management is necessary to help you learn to stay current on legislation that will impact an organization in terms of non-compliance threats and risks, thus allowing an organization to proactively adapt, prepare, and respond to all legal compliance requirements.

Composed of many toxic materialsLeadCadmiumBariumMercuryVolume of the problem, anticipating 1 billion units of computer equipment will be disposed of between 2003 and 2010

The Environmental Protection Agency has both civil and criminal enforcement capability. They would rather prevent, or support a self-audit than do either

Fines can be up to $10,000 per chemical per computing device found in a landfillGraduated series of administrative actions ranging from a notice of violation without penalty, to formal actions to force compliance or corrective action, penalty of up to $27,500 per day.The EPA is also capable of conducting enforcement audits.It also provides mechanisms for small businesses to correct violations with limited fines, and provides incentives for businesses to engage in self-audit and declare their violations.

Resource Conservation and Recovery Act (RCRA) of 1976

Actually modified Solid Waste Disposal Act of 1965, but really own lawRCRA was amended in 1984 by the Hazardous and Solid Waste Amendments, which made it stronger

What does the RCRA do?

Regulate hazardous and solid waste cradle-to-graveRegulates solid waste, hazardous waste, and underground storage tanks

Violations can lead to:Personal Penalties - Fines of up to $27,500 per day Civil Penalties - Fines of up to $27,500 per day Criminal Penalties - Usually reserved only for the most serious violations, but always an option if you violated the law.Can be punished by $50,000 per day and up to five years in jail as well as additional violations have a penalty of up to $250,000 or 15 years of prison for an individual, or $1 million fine for a corporation.

The first major law to regulate the actions of federal agencies was NEPA, the National Environmental Policy Act. It introduced environmental impact statements, The Federal Facility Compliance Act of 1992 put federal agencies. explicitly under the control of RCRA. Can be sued.

Maine Shared responsibility model, take back their own equipmentCalifornia Fee collected from purchaser at time of purchase to fund recyclingMaryland Manufacturers pay annual fee, can be reduced if put a free take back program in placeOver half states have proposed or have legislation in effect since 2003.

European Union legislative concernsElectrical and Electronic Waste Law (WEEE), with graduated roll out through 2008Free take-back programs by manufacturers requiredRecycling goals setHazardous Substances in Manufactured Equipment (RoHS)Stop using lead, cadmium, mercury, hexavalent chromium, brominated flame retardants by 7/06

Scale of problem: 3.878 billion pounds of obsolete PCs and monitors were rendered obsolete and required disposal in 2002 alone. Two main issues: CRTs and Circuit Boards

CHAMP International Association of IT Asset Managers *Bringing in a vendor for disposal:Not matter what path chosenCheck references, get final disposition methods in agreementReasonable due diligenceRequire documentationGet the right to audit data cleanup

Documentation needed:Transfer of titleReceipt of saleCertificate of disposition Certificate of data destructionAgreement Audit statistics and reportsKEEP THEM FOREVER!

Certificate of Disposition:Serial numbersDate the batch was disposedName of the companyLot numberSanitation standard used (DoD)Signature by officer of the company (providers if done externally)

This is the impact on ITAM not acceptable policies:

1. Just because there is not a security/due diligence reason to dispose of an electronic component does not mean there is either an environmental law or incentive program that would give you a reason to do so, or vice versa.2. Keeping large quantities of broken computer waste components in a back room indefinitely at your office is NOT an acceptable storage policy. 3. You must have an asset management policy in place for all electronic components that count as hazardous waste. You must monitor the amount of waste you produce in order to be able to track your EPA compliance requirements4. In todays society, hazardous materials are not merely a legal and security consideration; they are also a publicity consideration.5. Recordkeeping and reporting requirements on these issues are of course an issue in regards to Sarbanes-Oxley compliance.6. Avoid any policy to export to a 3rd-world country for disposal without proof that it is permitted by the EPA, and that the receiving end can engage in environmentally sound disposal. Additionally, even if you are compliant, it may present a significant public relations risk due to the prevalence of bad practices in those countries.

CHAMP International Association of IT Asset Managers *Implementing through a project plan

A project plan is a comprehensive document stating what needs to be done (in specific, measurable segments), who is to do it, and when it is to be completed. CHAMP International Association of IT Asset Managers *Most fail the first milestone, defeat out of the gate. Lots of people, give it time. Make sure that it is a phased implementation with projects in starting point to success point sections

Leave time for planningTake your guesstimate and double itBreak into sub-projects

Title changeTodays process peopleManagers of involved departmentsTechnical Authority to set standards

The right peopleThe right timeSame terminologyInternal trainingVendor trainingITAM training

Set financial goals for the project

Show to Measure success:Track initial state, functional levelKeep current or in a reportSummarize in percent of IT hardware budget saved and put a $ to itTCO and ROI calculations from the analystsChange in cash flow for assetsBuild a report cardMoney itemsSOX compliance factorsEducation/training hoursAdopt existing measurement techniquesSecurity risk ratingStaying on TrackAre we doing the right work?Are we doing it faster than before?Are we using the right resources?Have we checked our presumptions (sacred cows)?Are we doing the work once, sharing, and eliminating duplication of effort?Have we built communication pathways that allow us to find problems early?Have we considered new trends and their impact?

*