The following is a suggested (pro forma) IT asset management uplift plan that can be modified and re-arranged based on an individual department/agency’s priorities and maturity. Note that each phase may take anywhere from a month for a smaller agency to up to say six months for a department/agency with a large asset fleet.
Phase 1
People
Assemble ITAM steering committee/governance board (managers of relevant IT staff, risk and assurance, finance and procurement representatives) and allocate a senior ITAM sponsor (e.g. CIO/CTO).
Hire an accountable IT Asset Manager or an ITAM Project Manager to manage the uplift process either through a project or BAU program of work.
Identity staff roles and shortages.
Allocate processes and KPIs to relevant staff.
Train relevant ITAM staff on AMAF and this guidance.
Process
Perform a baseline maturity assessment using AMAF (41 areas).
Implement an IT Change Control CMDB update hook (e.g. no PROD release until the CMDB is updated).
Implement an Enterprise Architecture forward planning process (minimum 12 months ahead).
Data
Configure CMDB to the WoVG standard fields for Applications and Infrastructure.
Identify IT asset data shortcomings (priority is the data accuracy of BIL 3+ systems).
Technology
Start using a modern CMDB (ITSM) system (if not already).
Implement discovery/scanning tools.
Decommission unused public websites/Domain Names.
Decommission unused and unsupported servers.
Phase 2
Process
Do baseline KPI assessment against WoVG ITAM KPIs.
Achieve minimum WoVG KPIs for all Essential 8-related KPIs to Level 3 (“Competence”).
Implement IT Procurement visibility governance hooks (esp. to capture cloud and shadow assets).
Data
Uplift Application data coverage and quality (including SaaS and shadow systems).
Define mappings between IT assets.
Meet End User Administration minimum KPIs across all areas.
Technology
Integrate ongoing scanning data feeds into CMDB.
Commence regular and automated reporting.
Identity IaaS platform accounts/tenants/subscriptions (e.g. AWS, Azure, GCP) inc. owners.
Decommission unused IaaS and SaaS services.
Phase 3
People
Reinforce the need for ITAM responsibilities and improvements across the business through socialisation, awareness and reporting.
Process
Achieve Security Patching KPIs to Level 3 (“Competence”).
Achieve Asset Disposal KPIs to Level 3 (“Competence”).
Data
Uplift Infrastructure data coverage and quality.
Technology
Implement ongoing product Vulnerability data import feeds.
Implement outgoing feed process to inject IT asset risks into IT and/or organisational Risk Registers.
Phase 4
People
Train relevant ITAM staff on SQL/ITSM reporting/advanced data analysis/advanced ITSM/CMDB configuration.
Reinforce the need for ITAM responsibilities and improvements across the business through socialisation, awareness and reporting.
Process
Implement Application re-attestation processes.
Achieve lifecycle management KPIs to Level 3 (“Competence”).
Achieve Monitoring KPIs to Level 3 (“Competence”).
Repeat AMAF maturity assessment to show improvements since uplift commencement.
Data
Achieve minimum (to Level 3 “Competence”) WoVG ITAM KPIs for Identification, including Internet of Things/Operational Technology assets if relevant.
Technology
Implement ongoing automated feed of IT asset reference data into SIEM system.
Expand reporting.
Phase 5
People
Consider cycling staff around ITAM processes/jobs to avoid disengagement.
Process
Expand Enterprise Architecture/forward planning to a minimum of 3 years in advance.
Identify which assets need to be managed at a maturity of Level 4 (Optimising).
Data
Enterprise architecture/ planning /technology investment decisions now based on the CMDB data as the source of the truth.
Technology
Implement ongoing feed to inject one of AWS, GCP or Azure asset data into CMDB.
Phase 6
People
Reinforce the need for ITAM responsibilities and improvements across the business through socialisation, awareness and reporting.
Process
Commence uplifting the ITAM processes supporting more critical assets to Level 4 “Optimising”.
Data
Identify asset de-duplication and standardisation opportunities based on business capabilities.
Technology
Implement ongoing feed to inject one of AWS, GCP or Azure asset data into CMDB.
Phase 7
People
Ensure that ITAM processes and data are embedded into the organisation and maintained on an ongoing basis.
Process
Achieve AMAF Level 4 “Optimising” across all 41 areas and WoVG ITAM KPIs for the more critical assets.
Technology
Implement ongoing feed from CMDB into the Fixed Asset Register for financial depreciation purposes.
Updated