When an ITAM manager works closely together with compliance officers in their organisation, sharing data and insights get all involved a step (or even many steps) closer to their goals.
TIP #49 - July 2020: How can collaboration between ITAM and Information Security benefit both worlds?
The benefits are not limited to sharing data, there are several more organisational matters where the ISO/IEC 19770-1 standard for ITAM and the standard for information security overlap.
Here are three measures from the ISO/IEC 27001 standard where ITAM and compliance officers can benefit from working together:
Inventory of Assets
The ISO/IEC 27001 standard states, assets associated with information and/or information processing facilities need to be actively managed throughout their lifecycle and be up to date. A register or inventory of those assets must be in place, showing how the assets are managed and controlled. This means, compliance officers are stakeholders when it comes to CMDB issues and changes, just as the ITAM manager is. The same goes for lifecycle management. A perfect opportunity to collaborate on your common interests.
Installation of Software on Operational Systems
Another control in the ISO/IEC 27001 standard describes that procedures must be in place to formally control the installation of software on systems. Issues related to software inappropriately installed or changes on operational systems can have many unwanted effects, such as malware infected software being installed, capacity issues or hacking tools. Just restricting and limiting the installation of software is not enough, formal control of the legitimate installations is necessary.
Good practical examples frequently given:
- Implementation of formal change management based on appropriate levels of authorisation
- The implementation of roll-back procedures is in place
- Version control of software and change histories
Since everybody knows such unpopular measures take time and effort to effectuate, it’s good to know the interest of the compliance officer aligns with yours.
Restrictions on Changes to Software Packages
The final example of an information security measure is that any modification to a software package should be limited to necessary changes, and all changes should be controlled. This should be restricted and controlled to ensure that the changes made do not have an unwanted or unexpected impact on the integrity or security of the software or data. Even though there might be valid reasons to allow changes, there should still be procedures and controls in place. Given the risks associated with altering software, such as lack of support, void warranties and rights to patches, teaming up with compliance officers seems like a logical step.