When you need to develop fast and precise IT asset management capabilities, it’s time to call in the experts.
The risk management team at a leading credit union must be ready to respond to both internal and external audits at a moment’s notice. The credit union has a large scale, diverse infrastructure with a huge inventory of IT assets to manage, including more than a million hardware assets and software licenses combined. All of these assets require IT governance to manage risk based on regulatory requirements. Non-compliance may result in large fines and reputational damage to the business. Both internal security and external regulatory agencies require them to:
The credit union must demonstrate they can readily report on security-related controls for all on-network assets. This requires knowing which reports and data are available, identifying reasons for gaps in the data, and recommending remediation.
They must be able to prove that processes designed to achieve the control standards for the security of an asset are well documented and updated as needed throughout the asset’s on-network lifecycle. This requires identifying all IT support teams who manage assets; discovering the processes involved with controlling an on-network IT asset; assessing the availability of current documentation for those assets; process mapping; creating a repository of process maps and operating procedures for the controls; and providing weekly reports on the progress of the document repository.
With the pressure of an internal auditing deadline closing in, the credit union needed to quickly develop an IT governance framework and strategies to demonstrate their ability to report on assets—and they needed to make significant progress toward demonstrating their ability to document them, too. Lacking the bandwidth to perform a detailed gap analysis within the time constraint, the credit union called on their long-time technology partner, Celerity. To meet their deadlines, they would need Celerity’s expertise to manage the project, assemble a team to tackle the reporting and documentation, and build a repository of standard operating procedures (SOPs).
Immersing ourselves in the IT governance process
Celerity's team of analysts and business process engineers immediately got to work building the risk management framework and strategies. We commenced exhaustive discovery sessions with the owners and support teams of the systems that store and provide IT asset information.
For the reporting requirement, we examined existing reports for the required data and estimated their reliability via several methods, including SME interviews. If data was not present, we determined the reason for the gap—everything from the data being in the system but never requested in a report to the system simply not supporting the data. Our business process engineers then mapped out processes for collecting the neglected data. After this, we were able to build a matrix of reporting inventory which resulted in a high-level gap analysis with remediation recommendations for the credit union’s governance board to use to address the reporting requirements that were upon them.
The documentation objective was an even larger project. First, we had to identify and interview the IT support teams who played a role in managing IT assets. We created a dashboard to house all our discovery and documentation, generate status reports, visually demonstrate the scope of the project, and prove to auditors that efforts were in progress and ongoing. The discovery with the support teams allowed us to map the IT asset management process workflows using Business Process Model Notification 2.0 (BPMN 2.0). If no documentation existed, we performed process engineering and vetted it with the credit union’s team. Every step was recorded in the dashboard. Finally, the approved version of the process mapping was made available for reference and updates.
Identifying—and closing—the gaps impeding regulatory compliance
By the time the new risk management framework was complete, Celerity had identified 60 gaps in required data reporting and, from those, 14 were identified and presented to leadership for further internal remediation. The analysis confirmed the credit union’s suspicion that siloed teams, systems and processes were impeding reporting on IT assets and their security controls. As a result, they have since decided to implement ServiceNow®, an enterprise digital workflow management solution, to create an added layer of IT governance and help keep reporting comprehensive and timely.
When it came to documentation, Celerity identified over 140 unique workflows and approximately 20 IT support teams. An assessment of these workflows revealed over 150 gaps of missing documentation and, in some cases, no clear ownership. The existing documentation was standardized to satisfy regulatory requirements and 18 process maps were completed. The rest of the effort was transitioned to the client’s internal teams to complete, as was originally agreed upon. The new dashboard will serve the credit union well as they continue to track their documentation efforts.
No existing and standardized IT governance process or strategy
Inability to reliably report on network assets due to silos and gaps
Limited identification of process owners
No insight into reporting or documentation progress or process
Completed process inventory, standardizing 143 processes and pathways
Reporting issues fixed and 14 high-priority gaps identified
Increased visibility into process accountability with 21 process owners identified and validated
Centralized risk management dashboard detailing progress and regulatory information