Paul Alvarez, D.C., paul.alvarez@spglobal.com
Published Aug. 15, 2023
IT asset management (ITAM) is the practice of tracking and managing hardware, connected devices, software, and networks throughout their lifecycle.
ITAM is foundational to effective cyber security. Its absence at an organization can be indicative of flawed cyber-risk management and could weigh on S&P Global Ratings' view of an entity's creditworthiness.
ITAM is particularly important to the implementation of time-critical cyber security, including identifying assets with critical vulnerabilities, searching for compromised equipment or systems, and lifecycle management.
For a cyber security system to be effective it must know what it is meant to protect. At large organizations that can include thousands of connected devices, such as laptops and mobile phones, as well as multiple operating systems, software systems, and networks.
The process of logging, tracking, and managing those resources is typically called IT Asset Management (ITAM) and its effective practice is foundational to good cyber defense.
S&P Global Ratings considers robust ITAM to be vital to an entity's ability to proactively manage vulnerabilities, respond to incidents efficiently, and minimize the financial impact of cyber attacks. We furthermore regard the absence of ITAM as potentially indicative of poor cyber-risk management which, in conjunction with other factors, could weigh on our assessment of an entity’s governance and operational risk management.
Reputational damage and financial losses following cyber attacks linked to poor ITAM can be significant. In July 2017, Equifax, a U.S. credit reporting agency, agreed to pay a minimum of $575 million to settle a complaint, led by the Federal Trade Commission (FTC), after an inaccurate inventory of internet-accessible systems contributed to a data breach affecting about 147 million people. Further settlements, recovery costs, and security improvement costs are estimated to have increased the total cost to over $1.4 billion.
The National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, underlined ITAM's importance to cyber security in a September 2018 report, which described the benefits of robust ITAM, including:
Faster response to security alerts (facilitated by knowledge of device location, configuration, and ownership).
Increased cybersecurity resilience due to an improved focus on valuable and critical assets.
Improved cost management.
A reduced attack surface due to better patching and updating.
ITAM can also play an important role in facilitating asset prioritization. Not all IT systems are equal, and the failure of a critical system can have major impacts across an organization. A system that helps organizations track the assets that are the "crown jewels" of their network makes risk assessments easier, and aids in prioritizing security efforts.
NIST and the Center for Internet Security (CIS), a nonprofit consultancy and benchmarking organization, described an accurate inventory of hardware and software assets as the starting point of an effective cyber security and risk management program.
Frameworks provided by NIST and other organizations inform the framework that guides our analysis of how an organization integrates cyber security into its overall risk management. We thus also consider ITAM to be foundational to the effective conduct of many key cyber security activities, including vulnerability management, incident response, and cyber risk management (see chart 1).
Entities can generally be expected to update risk management policies and practices as threats evolve, and the response to shifts in cyber risk should be no different. ITAM plays a key role in managing these changes, ensuring inventories remain accurate (as assets are replaced or new assets are introduced) and that protection of assets (including software updates and patching) evolves with the threat environment.
While ITAM systems share a common purpose, they can vary significantly in structure and operation across organizations. Those differences generally reflect entities' IT environments and cyber-security needs. For example, manual ITAM systems (such as spreadsheets) can make sense for organizations with small or low-complexity IT structures. Meanwhile, entities operating complex IT systems (including multiple locations, departments, and diverse assets) will likely require some level of automation to effectively manage their IT assets.
Purpose-built ITAM tools can offer a simple route to that automation. These tools, for example, typically provide the means to store relevant information about each IT asset (including location, system owner, and software version). They thus offer a ready-made means to centralize information in a single repository, which makes conducting IT risk assessments easier.
No matter what system is chosen, for ITAM to fulfill its function and provide the foundation required by the other cyber security elements, it must perform a minimum set of functions and be supported on an ongoing basis. For example, an entity implementing ITAM must properly identify the assets that need to be protected. ITAM must also be comprehensive enough to effectively track assets, and there must be processes in place to keep that oversight up to date.
ITAM systems typically consist of software and processes that track key information on an asset's potential vulnerabilities over the whole course of its lifecycle. Across an entire organization, that information may include:
Network addresses
Hardware type (e.g., laptop, desktop, or server)
Software (including for operating systems and applications)
Ownership details
Configuration settings
Criticality of the asset
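As an added illustration (not part of the S&P article), the following Python builds a minimal inventory from the fields just listed and applies two of the checks the article describes: reconciling a discovery scan against the inventory to expose blind spots and stale records, and ranking assets that run a vulnerable software version so the critical, internet-facing ones are patched first. All addresses, owners, product names and versions are constructed sample values.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    """One inventory record carrying the fields listed in the article."""
    address: str            # network address
    hw_type: str            # laptop, desktop, server
    software: dict          # product name -> installed version
    owner: str              # accountable team or person
    config: dict            # configuration settings of interest
    criticality: int        # 1 (low) .. 5 (crown jewel)


# Constructed sample inventory; addresses, owners and versions are made up.
INVENTORY = [
    Asset("10.0.1.10", "server", {"os": "linux-5.15", "webfw": "2.4.1"},
          "web-team", {"internet_facing": True}, 5),
    Asset("10.0.1.11", "server", {"os": "linux-5.15", "webfw": "2.5.0"},
          "web-team", {"internet_facing": True}, 3),
    Asset("10.0.2.20", "laptop", {"os": "win-11", "webfw": "2.4.1"},
          "finance", {"internet_facing": False}, 2),
]

# Constructed result of a network discovery sweep: addresses that answered.
DISCOVERED = {"10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.2.21"}


def reconcile(inventory, discovered):
    """Compare a discovery sweep against the inventory.
    Returns (unknown, missing): addresses live on the network but absent from
    the inventory (blind spots nobody patches or monitors), and inventoried
    addresses that did not answer (stale records to verify or retire)."""
    known = {a.address for a in inventory}
    return sorted(discovered - known), sorted(known - discovered)


def affected_assets(inventory, product, vulnerable_versions):
    """Assets running a vulnerable version of `product`, ordered so the most
    critical and internet-facing systems come first in the patch queue."""
    hits = [a for a in inventory if a.software.get(product) in vulnerable_versions]
    return sorted(hits, key=lambda a: (-a.criticality,
                                       not a.config.get("internet_facing", False),
                                       a.address))


if __name__ == "__main__":
    unknown, missing = reconcile(INVENTORY, DISCOVERED)
    print("not in inventory:", unknown)
    print("not seen on network:", missing)
    for a in affected_assets(INVENTORY, "webfw", {"2.4.1"}):
        print(f"patch {a.address} ({a.owner}, criticality {a.criticality})")
```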
Robust IT Asset Management is vital to an entity's ability to proactively manage vulnerabilities, respond to incidents efficiently, and minimize the financial impact of cyber attacks.
Responsibility for ITAM typically falls to the IT department, though to be effective it is better if ownership and management are shared across different teams. For example, security teams may have data that can aid IT teams' production of accurate inventories, which are important to a robust ITAM program. In our view, ITAM should be directed by explicit policy that provides the authority for the system to be effective and assigns clear roles and responsibilities.
The absence of ITAM can create gaps and blind spots in organizations' cyber risk management, which can lead to increased vulnerability, compliance issues, inefficiencies, and sub-optimal incident response. Ineffective ITAM can also create similar issues, and as a result can be a gateway to security incidents. The FTC's complaint against Equifax, for example, cited an inability "to maintain an accurate inventory of public facing technology assets" that contributed to poor patching among the "basic security failures" at the company.
There is little doubt that other organizations are also at risk due to poor ITAM. Indeed, gaps in IT oversight, and the potential for gaps to develop, are a common risk, according to the U.K. government's National Cyber Security Centre. "Many organisations have significant gaps in what they understand about their environment. The result is a weakened cyber security posture," it said in a May 2021 article on asset management.
Those gaps likely reflect a lack of attention and resources dedicated to ITAM by some organizations, but also the difficulty inherent in meeting the bespoke needs of differing ITAM systems, which are determined by factors including complexity, size, and operational area. Yet ITAM's foundational position within any effective cyber security system means organizations can ill afford to ignore it. Starting a journey that leads to a robust ITAM is a positive step toward reducing cyber risk.
Writer: Paul Whitfield
This report does not constitute a rating action.