Whichever SAM or HAM solution you select, it needs your data to work. The data is the essential part: no matter how much money you spend on building or buying and delivering a system, without your data it will not work and will not provide any meaningful service to the business.
I have taken over failing projects where businesses have already purchased a solution, but it is not yet operational. Often, nobody involved in the project understood:
- What data already existed
- The location of the data
- Who could provide the data and how
Also, very little information was available as to how the system would function in the target environment. The non-technical buyer believed and expected that spending the money and installing the software would solve the problem. Data and many other factors are essential and need consideration long before a buying decision. The availability of data will depend on the size, the age and the maturity of the business.
With mergers and acquisitions, different solutions already exist, and the data is fragmented across various systems with no holistic view of hardware or software. Because data becomes inaccurate over time, compiling data from multiple sources will allow an accurate picture to emerge. The following are some examples of where to locate data:
- Active Directory – details of all computer accounts in the domain along with the date and time stamps showing when assets last accessed the network. The same principle will apply to other directory services.
- DHCP allocation – the logs will contain details of every piece of hardware with an allocated IP address. This data will also indicate how recently each piece of equipment accessed the network.
- Purchasing records – details of hardware and software purchases will be available, although not necessarily in a convenient machine-readable format.
- Anti-virus – details of assets with anti-virus software installed and details of the most recent virus definition updates.
- Support Teams – individual support teams should have information on what hardware assets fall within the scope of services they offer.
- Laptop allocation records – details of laptops purchased, their location, and who is responsible for them.
The list of data sources will differ for every organisation and in some cases may include manually maintained spreadsheets with details of computers. From an accurate or partially accurate list of hardware assets, inexpensive utilities can identify software installations and usage.
Commercially available software such as Microsoft Access and Microsoft SQL Server, with free of charge versions, is suitable for data analysis at this level. These software packages can answer many questions about hardware and software from the raw data already available. Consider the following actions:
- Get access to the data
- Perform some analysis
- Find out what the data says
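The following example is added here and is not part of the original article. It uses Python in place of the database packages named above to reconcile constructed exports from Active Directory, DHCP and anti-virus, showing the kind of questions this data can answer. The host names, column names and the 90-day and 30-day thresholds are assumptions.

```python
import csv, io
from datetime import date
# Constructed sample exports; hosts and column names are assumptions.
AD_CSV = """name,last_logon
PC-001,2024-05-28
PC-002,2024-05-30
LT-014,2023-11-02
SRV-DB1,2024-05-31
"""
DHCP_CSV = """hostname,lease_start
pc-001.corp.example,2024-05-29
pc-002.corp.example,2024-05-30
kiosk-7,2024-05-31
"""
AV_CSV = """host,definitions_date
PC-001,2024-05-30
PC-002,2024-03-01
SRV-DB1,2024-05-31
"""

def load(text, host_col, date_col):
    """Return {normalised host: most recent date} for one export."""
    seen = {}
    for row in csv.DictReader(io.StringIO(text)):
        # Sources disagree on case and FQDN vs short name, so compare on one key.
        key = row[host_col].strip().split(".")[0].upper()
        day = date.fromisoformat(row[date_col])
        seen[key] = max(day, seen.get(key, day))
    return seen

def reconcile(today, stale_days=90, av_days=30):
    """Merge the three exports and list what each asset's records imply."""
    ad = load(AD_CSV, "name", "last_logon")
    dhcp = load(DHCP_CSV, "hostname", "lease_start")
    av = load(AV_CSV, "host", "definitions_date")
    report = {}
    for host in sorted(set(ad) | set(dhcp) | set(av)):
        findings = []
        sightings = [d for d in (ad.get(host), dhcp.get(host)) if d]
        if host not in ad:
            findings.append("not in directory")
        if not sightings or (today - max(sightings)).days > stale_days:
            findings.append("stale")
        if host not in av:
            findings.append("no anti-virus")
        elif (today - av[host]).days > av_days:
            findings.append("old definitions")
        report[host] = findings
    return report
```

Calling `reconcile(date(2024, 6, 1))` returns one entry per asset seen in any source, with an empty list where all three sources agree the asset is current and protected.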
I have observed the following in numerous cases:
- Expensive solutions remain undelivered for excessive periods due to insufficient skills to deliver and operate the service
- Many data sources within businesses often remain unknown, or known but not understood, analysed or utilised
It is not always necessary at this stage to decide to buy a commercial product or build an in-house asset management system. Getting the data and performing an analysis can often provide actionable intelligence to mitigate sources of risk and increase overall compliance.
Robert is an information security consultant with over 20 years of experience across a diverse range of organisations, both in the UK and internationally. Robert graduated in 1997 with an honours degree in software engineering for security and safety-critical systems. Robert is contactable directly through LinkedIn.