As business drivers go, we almost take for granted that the notion of IT security is “someone else’s bag” or that username and password validation is sufficient straight out of the box.
But in a recent IT exercise, a review of the interfaces expected of Software Asset Management highlighted something of a gap. ISO 19770-1 is quite preoccupied with the security of its own framework, but fails miserably when it comes to interfacing with ISO 27001 (or any other security framework).
I’m reminded of a visit I made to a client one time that supplied products and services to a high-street catalogue retailer. That retailer insisted on requisite security controls being in place prior to the client winning the business; and so they chose to adopt the best practices of ISO 27001.
ISO 27001 states that a core risk that needs to be mitigated is licence compliance. Yet when I asked the IT manager how many installs of MS Office he had, we experienced a “tumbleweed” moment. He was not able to tell me – and so I knew from the outset he was entrusting everything to a true-up and not concerning himself with quantities, much less optimisation and Product Use Rights.
However, from a security perspective what did concern me was this: if he was unable to answer an entry-level inventory question, would he be able to answer more probing questions around business-critical systems, such as install base, network port requirements or system access control?
As Software Asset Management professionals, some of us might be more adept at recovering IT assets before someone leaves a company, but how adept are we at closing off that person’s system permissions once they have left?
ISO 19770-1 has a real potential to influence reports on systems deployment and systems access, but doesn’t engage nearly as positively as it does with ITIL/ISO 20000 – shame!