CA Community






November 2009 - Posts

IT Asset Managers Beware "Shadow Risks" - Part 3: Disposal

Published: November 24 2009, 09:30 AM | 1 Comment(s)
by Shawn Sande

Read Part 1: The Landscape of Risk
Read Part 2: Hardware Accountability and Security 

Disposal: Darling of Green Initiatives or Bane of IT Asset Managers?

Disposal is the final chapter in the IT asset lifecycle, but it rarely has a happy ending.  According to the US EPA, 134.5 million IT assets currently sit idle in America, and of those, only 18% are likely to be recycled.  This presents an array of risks to IT asset managers who must simultaneously consider the following concerns, whether they choose to refurbish, sell, donate or dispose of IT assets:

  1. Ecological - According to one environmental group, brominated flame retardants, lead, cadmium, mercury, hexavalent chromium and PVC are among e-waste's many non-biodegradable and toxic materials that pose significant environmental and health risks. Today, as much as 47 percent of exported e-waste is illegal, destined for illicit landfills in China, India and Central Africa that heavily pollute the local air, soil and groundwater. If widely publicized, the stigma of indiscriminately dumping e-waste may set off a public relations nightmare, especially in today's eco-conscious society. IT asset managers therefore have a duty to shield the organization from negative publicity by responsibly disposing of IT assets.
  2. Regulatory - Ecological concerns spawned a wave of regulatory oversight. US EPA regulations govern the proper disposal of e-waste, and in the EU, the WEEE directive mandates safe disposal of electronic equipment. Violations often result in stiff fines and penalties.
  3. Legal - Disposal activities must be closely scrutinized to minimize software license or data protection liabilities.
  4. Financial - Disposal is also about financial accountability, weighing depreciation, extended inventory carrying costs, tax liabilities and so on. IT asset managers must be able to reconcile evidence of usage versus proof of ownership, ascertain which assets are idle and have reached the end of their useful life, and document the lifecycle events associated with disposal, including vendor and contract information.

Final Thoughts

Risk and cost aren't discrete concerns.  They coexist.  They feed off of one another.  It's important for the business to understand IT risk and the cost associated with managing (or failing to manage) that risk.  In today's battered economy, facing shadow risks head-on can have a discernable impact on an organization's bottom line by offsetting unanticipated expenses such as fines, penalties and legal fees.  The question that remains is: what do we have to fear from our own shadows?


By: Shawn Sande
Shawn Sande is a Senior Marketing Strategist in CA’s Service Management Product Marketing organization. Shawn is a seasoned industry veteran with over 15 years of professional marketing and business development experience, including 14 years in the information technology industry. In addition to two...

IT Asset Managers Beware "Shadow Risks" - Part 2 Hardware Accountability & Security

Published: November 23 2009, 02:00 PM | no comments
by Shawn Sande

Read Part 1: The Landscape of Risk

Hardware Accountability & Security: Who Has It, Who Owns It and Where Is It?

Suspend disbelief for a moment, and assume "Company A" lacks a formal ITAM program, or any ITAM program at all.  Let's also assume that a high-profile executive from Company A announces her departure from the company effective the end of the fiscal year.  But two months before this announcement, she's issued a brand new laptop.  Her old laptop is returned, tagged for disposal and placed on a shelf in an IT storeroom.  On her last day with Company A, our executive dutifully returns her "new" laptop, turns off her Blackberry and walks out the door.  The "new" laptop is shelved and forgotten.  A month later, a developer's laptop crashes, and he quickly needs a replacement.  One is hastily pulled from the shelf and given to the developer.  Lo and behold, it's our executive's "new" laptop, or so the developer finds out when he turns it on.  The developer then leverages confidential insider information on the laptop to make a small fortune shorting Company A's stock.  And the executive's old laptop?  It's sold for "scrap," shipped to a developing nation, hacked, and finally immolated in a noxious bonfire.

Okay, I'll readily admit that this scenario is far-fetched, but we've all heard horror stories of hardware and media ending up where they're not supposed to be or "sprouting legs and walking off."  It happens all too often, especially in government, financial services and healthcare, threatening patient privacy, identity protection and even national security.

Physical security begins with regular inventory reconciliations and active monitoring of asset whereabouts (i.e., surveillance).  Security is further enhanced through a comprehensive IT asset repository that can track the type of data stored on hardware and aid in configuring escalations for hardware that fails to appear on inventory scans.  IT asset managers can even collaborate with their counterparts in Desktop Management to employ Active Directory services to configure BitLocker encryption for fixed and removable storage on Windows Vista and Windows 7 devices.  The key is tracking these lifecycle events to ensure consistent application of physical security policies.  The alternatives are painful: class-action lawsuits, damage to reputation and penalties stemming from regulatory non-compliance.

Security: Disk Wipes and Bare-metal Reimaging

Failing to properly sanitize hardware before transfer or retirement can expose an organization to significant legal and financial risk.  Risk invariably invites government oversight, as it has in the US (SOX, FACTA, GLB, HIPAA), the EU (EUPUD) and Canada (PIPEDA), so the burden on organizations to properly process hardware transfer or retirement is multiplied by regulatory compliance.  Again, leveraging a comprehensive IT asset repository to log and track these lifecycle events is crucial to attenuating an organization's risk profile.

In the final installment of this series, tomorrow, I will address some of the shadow risks posed by disposal.


ITIL Growth in Mexico!

Published: November 23 2009, 09:53 AM | 1 Comment(s)
by Robert Stroud

After enjoying way too much ITIL 20th Birthday cake in the UK recently, I thought that it would be nice to sweat some of it off in hot Monterrey, Mexico, where not only the weather is hot, so is the adoption of IT Service Management good practices!  The 2nd Internacional ITIL evento will be taking place in Monterrey, where I will be speaking on the topic of Service Portfolio Management; more on that after the event.

At the event, an industry colleague and friend, Teresa Lucio, Customer Care Associates/ITESM 2009, will share some of her findings from her independent survey undertaken in July of the 268 independent companies in Mexico after 10 years of ITIL in Mexico, and she has allowed me to share some initial findings with you:

  • 69% of Mexican organizations said that they have heard of or know about ITIL
  • 28% of them have already implemented ITIL, with 35% of those implementing already migrated to ITIL v3
  • The most important benefits reported from implementing ITIL included:
    • Improvement in the IT service quality & customer satisfaction
    • Continual service improvement
    • Strategic IT alignment to the business
  • The challenges they have faced during implementations:
    • Cultural change to adopt ITIL
    • Effort required implementing ITIL
  • The most reported processes include:
    • Incident
    • Problem
    • Change Management
    • Service Strategy
    • Continuity
    • Service Level Management
    • Security

To be brutally honest the statistics were a very pleasant surprise and I was especially interested in the focus on Service Strategy - which in many organizations, especially in these difficult times has been totally ignored.

Time to take this survey global I think - regardless, look for me on Twitter reporting from the event http://www.twitter.com/RobertEStroud.


By: Robert Stroud
Robert Stroud serves as VP and as Service Management, Cloud Computing and Governance Evangelist at CA Technologies. Robert also serves as an International vice president of ISACA, is part of the Framework committee and was the former chair of the COBIT Steering Committee. Robert also serves on the itSMF...

IT Asset Managers Beware "Shadow Risks" - Part 1: The Landscape of Risk

Published: November 20 2009, 02:30 PM | 1 Comment(s)
by Shawn Sande

Photo by Flickr user Jasmic

As I've grown older, I've become acutely aware that one's age and one's aversion to risk are directly proportional.  I suppose it's ironic then that I chose the topic of risk for my inaugural blog post.  Risk is pervasive.  It manifests itself in many ways and presents a limitless array of possible outcomes: What will she say if I propose?  How will this equity purchase affect my stock portfolio?  What will happen if I start this chainsaw without first reading the "Safe Use Instructions?"  And the risks you underestimate often cause you the greatest consternation, especially when managing IT assets.

Risk management is core to the mission of any asset manager, irrespective of their caste.  In my 10 years in the EAM industry, I saw how adherence to local building codes, PM regimens, MSDS guidelines, OSHA and EPA regulations and adoption of IFMA and BOMA best practices affected exposure to risk in the management of infrastructure assets and facilities.  For transportation assets, the stakes are even higher.  Conformity to maintenance schedules (warranty work, recalls, state and local inspections and NHTSA and NTSB oversight) is crucial.  In EAM, if you get it wrong, people get hurt...or worse.

The hazards are different in the world of ITAM, but it's equally important to get it right. Risk here is measured in legal, fiduciary, regulatory, strategic and operational terms, and mistakes can also be very costly, affecting your customers, your reputation and your bottom line.  In ITAM, if you get it wrong, the business gets hurt.

For IT asset managers, the perennial poster child for risk is software license compliance.  Get it right, and life's dandy.  Get it wrong, and you face the unpleasant prospect of very lengthy and costly audit and true-up cycles.  And the emphasis on license compliance isn't surprising.  Despite declines in the developed world, the BSA recently reported a four percent annual increase in global software piracy.  Intentionally or otherwise, a lot of people are still getting it wrong.

But as I noted earlier, risk manifests itself in myriad ways, and many of these manifestations are unchecked or ignored altogether.  These "shadow risks" hide in plain sight.  We know they're there, but we do little to manage them because of limited budget or bandwidth, ignorance or apathy.  Although license compliance is frequently cited as the centerpiece of ITAM risk mitigation, serious legal and financial threats may also emanate from shadow risks posed by hardware accountability, security and disposal.

In Part 2 of this series (next installment on Monday), I'll briefly address the first two of these shadow risks, hardware accountability and security.


Service or Application? - Same difference! - Let’s Speak Value Streams

Published: November 15 2009, 01:58 PM | 1 Comment(s)
by CA Community

On this blog a lively debate has been going on about whether using the term applications instead of services is an acceptable service management practice.  Many may say we have reached the “How many angels can dance on the head of a pin?” stage here. But if service management is about managing services, would it not make sense to have some common understanding what these services are?  

Reality is that neither Service nor Application are very well defined concepts. Most people agree they are related and often refer to the same thing. Development will call what they build an application while operations calls the same thing a service when they run it. But what is this “thing”? 
The first question we face is granularity: Is Office the application or is Excel? And is the shared spell checker part of the application or not? And if we use the translation function, is that part of the application (while in reality it is a service running at either Microsoft’s or Google’s website)? And is the online training part of the application or is that only part of the service? Same for support, automatic patches and updates?
 

But more important than the answers to the above, is the fact that in reality nobody cares! Unless we are still trying to write down (defend) what we do, it makes no difference to anyone.
  

Is there an alternative that will make people care? I think there is.  
It is the concept of value streams. Based on the concept of Value Chain as first described by Michael Porter in his 1985 best-seller, Competitive Advantage: Creating and Sustaining Superior Performance (now we are talking), a value stream is an end-to-end business process which delivers a product or service to a customer or consumer.
Value Stream Mapping is a lean manufacturing technique used to analyze the flow of materials and information currently required to bring a product or service to a consumer. At Toyota, where the technique originated, it is known as "material and information flow mapping".  Wikipedia details the concept of Value Streams in an IT context further under Lean IT.
  
 
So what is the big difference between using service/application versus Value Stream?
Well, I for one would be very hesitant to sit down with a user and ask him to 'define' the applications/services he uses in more detail. I would however be more than happy to sit down and together with him map out the value stream he uses to service his customers and figure out where IT adds or can add value and where we see waste that can be eliminated by, through or from IT.  But the conversation will likely be 80% around what our company does for its customers and only 20% about IT (and I for one believe that would be a good thing). 

By: CA Community
CA Community is the blog manager’s account used to post general updates and news items.