Things to consider with HAM and SAM

With so many different ready-made Software Asset Management (SAM) and Hardware Asset Management (HAM) solutions to choose from, the decision can be overwhelming and making the wrong choice can be costly. In some cases, implementing a vendor system can become so expensive that developing a bespoke system might have been faster, cheaper and better.

The best solution on the market might not be the best solution for your business if it doesn’t easily fit within your IT ecosystem.

Here are some things to consider:

  1. What data does your business have already about hardware and software?
  2. Will the new solution be the authoritative data set, or still rely on other data sources?
  3. How well does the solution fit into your organisation?
  4. What are the Infrastructure and Operating System requirements?
  5. Do software components need installing on individual assets?
  6. Does the solution need any customisation to fit your environment?
  7. How much bespoke software development do you need for your requirements?
  8. Are any third-party software components and licences required?
  9. Which database system is required to store the data?
  10. Who will maintain and support the solution?
  11. How intuitive is the solution, and how much training is required?
  12. Does the solution manage software deployment and removal?
  13. Does the solution have workflow capability for software requests and line manager approval?
  14. Does the solution have a database of known software for identification and cataloguing?
  15. How does the solution manage software licences?
  16. Can the solution be easily integrated with licence purchasing records?
  17. Can the solution automatically detect software installations, and how does this work?
  18. How are software removals detected?
  19. How are new assets discovered?
  20. How is an accurate register of assets maintained?
  21. What types of assets does the solution manage?
  22. What reporting capability does the solution have out of the box?
  23. Does the solution allow direct access to data for bespoke reporting?
  24. Does the solution identify where installed software is out of date?
  25. Does the solution have any patch management capability?
  26. How is the data in the system maintained?
  27. What happens when new assets are purchased?
  28. What happens if assets go missing?
  29. How are missing assets detected?
  30. What is the process for decommissioning assets?
  31. How does the system handle assets being renamed?
  32. How does the solution deal with virtual machines and their hosted environments?
  33. How will software on virtual machines be managed?
  34. How does the solution distinguish between hardware and virtual hardware?
  35. Can the solution identify unauthorised executable files on assets?
  36. What documentation does the vendor provide with the solution?
  37. What does the solution consider to be a software installation?
  38. Does the solution have software recognition data to identify individual files?
  39. Does the solution have data about software and licence requirements?
  40. How are software licences reconciled with discovered software?
  41. Does the solution monitor software usage?
  42. Can the solution manage different types of software licences?
  43. How are hardware assets uniquely identified?
  44. Can the solution track the physical location of assets?
  45. Does the solution capture hardware data through WMI?

SAM and HAM are the top two controls in the Center for Internet Security (CIS) top 20. Although they are two separate topics, in my experience over the years building bespoke systems, HAM and SAM are so intertwined that it makes sense to deal with them together and, where appropriate, to expand into other areas of security and service delivery.