CHAPTER 8: CASELET #5 – COMPLIANCE AND IMPROVEMENT

IT Issue: Last year, in an effort to get better visibility of assets in the company, a publicly traded energy company created a small IT team to manage the PC asset register. The intent of the team was to document the acquisition of PCs and assign ownership to each. Additionally, the software installed on each PC was managed via a software licensing contract ensuring up-to-date versions. This contract also documented the number of licenses distributed throughout the energy company for billing purposes.

In a recent internal asset audit, the team discovered that out of the 3000 PCs in the register, 300 had not been on the network in the last nine months (most of these were laptops), and it was unknown who had them or where they were. Upon learning this, the IT Director quickly held a meeting in which the following concerns were raised:

  • It is unknown whether the 300 PCs have been lost, stolen, or are simply being used in the field without having connected to the company’s network.
  • Sensitive information could be on the PCs.
  • Since these have not been on the network in the last nine months, their anti-virus software could be out of date.
  • The company is paying for licenses on PCs that are not being used.

The Five Anchors

Anchor Discussion

I. Strategic Alignment: IT Services to Business Objectives

1. What are the business strategy, goals and objectives? Are there any measures that demonstrate the achievement of the business strategy, goals and objectives?

• Unknown with the information provided.

2. What is the business issue, or activity at risk?

• Truly, this is an asset management issue. This organization has “lost” 10% of its purchased (or leased?) PCs, and the impact goes far beyond the physical devices. There should be concerns around corporate data (data confidentiality), the actual loss of corporate property, and the payment of license and potential maintenance fees.

3. Is the ownership to resolve the issue at the appropriate level of authority?

• The IT Director is now aware of the issue, and it would be presumed that the issue will be appropriately delegated, with the IT Director continuing in the accountable role.

II. Security, Compliance, and Risk Issues

1. Has there been a compromise of the information security policy?

• While the caselet doesn't directly state this is an issue, the possibility is very real.

COBIT5: APO13, BAI09, DSS05

ISO20K: 6.6, 9.1

ITIL: SD 4.7; ST 4.3

2. What are the internal and external compliance or regulatory concerns?

• As a publicly traded company, there are numerous regulatory, statutory and legal concerns (as well as potential contractual obligations). A primary concern within a majority of the regulations is positive control of company information assets (i.e. safeguarding of customer information, etc.).

COBIT5: APO11, MEA03

ISO20K: 4.1

ITIL: 4.1

3. What is the cultural appetite for risk?

• The nature of the organization would presume a low risk appetite in some areas, while others (trading) may have a much higher appetite. What is important from an IT perspective, and for this specific issue, is understanding what information and services are potentially at risk and the overall vulnerability to the energy company.

III. Value-based Portfolio

1. Does the current portfolio meet expectations and needs of the stakeholder?

• Unknown with the information provided.

2. What is the value of that business activity (VBF)?

• Unknown with the information provided.

3. Does the portfolio have the right mix of resources to deliver business benefit?

• Unknown with the information provided.

IV. Design and Architecture

1. Will the current architecture effectively resolve the issue? Is it feasible?

• The process architecture demands improvement. There seems to be some level of control of the infrastructure, and there is no indication of outage or compromise. But the issue is clearly one of asset management and the lack of a process that will maintain control over corporate assets.

• Therefore, the IT Director (or a delegate to an appropriate party) should deploy good Problem Management techniques and discover why these 300 PCs (most of them laptops) have gone missing. Use this information to improve the asset management processes.

COBIT5: BAI09, DSS03

ISO20K: 4.5.4, 4.5.5, 8.2, 9.1

ITIL: CSI 4.1

2. Can the current architecture accommodate the issue?

• Presumably. It seems there is some level of control and management – the current issue doesn't seem to be chronic.

3. Do we have the necessary competencies to design the required change(s)?

• The small IT team was able to create a PC asset register and collect current information. What is lacking now are the overall controls necessary to ensure equipment is properly identified, controlled, deployed and managed.

COBIT5: BAI06, BAI07, BAI09, BAI10

ISO20K: 9.1, 9.2, 9.3

ITIL: ST 4.2, 4.3, 4.4

V. Planning and Use of Resources

1. What resources are required to resolve the situation (e.g. people, capital, technical...)?

• The IT Director must recognize that the process improvements will require funding as well as appropriate training or even re-training.

2. Can the required resources be acquired?

• It shouldn't be an issue as long as the leadership recognizes the impact of the missing PCs on the overall market standing of the organization. This event is not something that should be “swept under the rug” and ignored, even though the full impact is not stated in the caselet.

3. Are the necessary data and information available, collected and managed to resolve the current situation and prevent future occurrence?

• The organization has collected the data and is beginning the investigation into a resolution. We would assume that once the IT Director's concerns were answered there would be specific changes to ensure the cause is remedied and monitored.

Improvement Model Application

The scenario circumstances describe an organization that recognizes there is a need to improve its asset management practices. We don’t know if there has been any business impact. We have seen steps in the IT department that truly follow the elements of PDCA, and they should continue that journey. What they should add is a clearly defined policy around the management of the PCs – we have seen over and over again in industry that PCs go missing because of lax controls when it comes time to upgrade. These actions can be easily translated across the enterprise as necessary.

Solution References:

Primary Solution:

All three frameworks offer support in the solution: ISO/IEC 20000-1 provides the detail around the application of a PDCA management system, ITIL provides detail around the necessary elements of asset management and the components of a security policy, and COBIT specifies the required governance factors. As a solution is developed, this organization needs to ensure the regulatory, statutory or other legal requirements are met. Lastly, even if IT “gets its asset house in order,” it will make absolutely no difference if the new policies are not endorsed by top management and communicated to the user community – this is not just an IT issue! IT should take the lead, but it is an enterprise compliance issue and it should be treated as such.
