Dealing with random requests for new IT equipment from staff members, managers, and your boss can be quite daunting. Without a policy or ERP (Enterprise Resource Planning) system to follow, it is often up to you to decide who needs new equipment, what options are available, what security risks are present, and how to stay under budget. In this paper, I will explain some of the vital areas and aspects of a well-built IT asset procurement policy, as well as provide a sample ISSP for one. Finally, I will show my proposed sample ISSP to a work colleague and use their feedback to improve my policy.
Asset Procurement Policy
Statement of Policy:
- The primary purpose of this policy is to outline how IT assets are managed and procured in the workplace.
- This policy applies to the management and procurement of all IT assets, including software, hardware, and externally-hosted software/systems.
- Consumables- Inexpensive and replaceable items, such as keyboards, headphones, mice, batteries, and USB cables.
- Permanent- Expensive, longer-lasting/more critical items, such as PCs, printers, and monitors; these are further separated into the following categories: travel, normal, and high-power.
- IT staff will carefully gather data about the size of the company, the budget it is allotted, employee types, security threats, asset categories, replacement criteria, and the hardware/software it is currently using.
- IT staff will separate assets into categories, minimizing the thinking involved, paperwork, and the time to solve each asset request; these two categories will be Consumable and Permanent.
- IT staff will document all consumable inventory and requests. Consumable asset quantities will change often, and quickly; due to this, these items should be stored so that one can easily see if a stock is getting low, without counting them. Minimal thinking leads to minimal paperwork.
- Permanent assets make up the bulk of the IT inventory and budget; thus, they can be further separated into multiple categories. Some example categories are travel, normal, and high-power. ‘Travel’ items are intended for employees who are mobile and do not require much operating power, such as salesmen, whereas a developer would require more advanced ‘high-power’ items. For those who do not fit in either the ‘travel’ or ‘high-power’ categories, they would receive ‘normal’ equipment. With the help of HR regarding new hires, you can have their equipment ready in advance, prepare for future expansion, and turn budget nightmares into something more reasonable.
- For larger companies, setting new equipment standards is of great help by limiting the equipment choices down to only a few versions of each device. For example, allowing employees to choose one out of two options of cell phones and PCs. By standardizing which equipment is available for the company to select, IT/Security can prepare security procedures beforehand, reducing the threat of exposing the network to a potentially hazardous laptop without any form of anti-virus software, for example.
- Another benefit of setting strict standards is being able to control what OS employees run, seamlessly roll out updates, and avoid favoritism. If an employee requests a device that differs from the standard options, have that employee provide the business justification, additional cost, and finally, the approval of the item from IT and their manager, depending on the company. Make sure to research and list any possible security concerns by introducing a non-standard device to your superior or the individual requesting the item. More often than not, adding a new IT device that differs from what your IT team is accustomed to should be avoided, if possible.
- If you are not already using some form of ticketing system, this would be the ideal time to start one. Having employees submit asset requests through a medium separate than direct communication with you limits your stress and enhances accountability. If you do not currently use a ticketing system, create a specific email address or filter in an existing email address; this will sort and store all asset requests.
- A replacement program should be introduced, which cycles equipment from old to new, to ensure that older devices are automatically replaced before they become obsolete. A replacement program should be as automated as possible, using data from your IT asset management system and a well-built timeline of each piece of hardware’s lifecycle. A simple method of deciding which devices need to be replaced is to use warranty expirations. For example, set a rule of warranty expirations to the nearest half-year, so that the warranties that expire in the first half of the year get replaced in the second half.
Violation of Policy
- Enforcing violations of this policy will be the task of IT/Security staff. Policy owners reserve the right to restrict access to or limit hardware/software access based on violations.
- This policy will be reviewed annually by both IT and Security staff. All changes must be documented and approved by the board.
While larger organizations often have a dedicated employee tasked with asset management and procurement, smaller companies such as the one I work at, tend to have this role designated to an individual who already has too much on their plate. Due to IT/Security members often wearing more than one hat, it is critical that a proper IT asset procurement and replacement policy is set in place and strictly enforced.
Feedback from Coworker:
I showed my proposed policy to my coworker, another IT member at my company; while he said my work was well-thought-out, there wasn’t really anything ‘concrete’ about the actual operation to request and acquire IT assets. For example, what program will be used to create tickets, who will manage those tickets, etc. I explained to my coworker that I had to try to fit this assignment into two pages (which I failed at), and he decided that my policy would be better if I trimmed everything down and revised some ‘bullet point’ policy objectives. I then applied the suggestions and am now satisfied with my final draft.
Whitman, M. & Mattord, H. (2016). Management of Information Security (6th ed.). Boston, MA: Cengage Learning.
IT Asset Management Policies and Procedures. (n.d.). Retrieved December 17, 2019, from https://www.ittoolkit.com/articles/asset-management-policies.