- ITAM and cyber risk management
- Common goal, different systems
- ITAM data
- Scarcity and inefficiency increase risk
- Related studies
- IT Asset Management (ITAM) is the practice of monitoring and managing hardware, connected devices, software and networks throughout their lifecycle.
- ITAM is the foundation of effective cyber security. Its absence in an organization may indicate poor cyber risk management and may affect the entity's credit rating by S&P Global Ratings.
- ITAM is especially important for time-critical cybersecurity activities, such as identifying assets exposed to critical vulnerabilities, searching for compromised hardware or systems, and managing asset lifecycles.
For a cybersecurity system to be effective, it must know what it is supposed to protect. Large organizations may have thousands of connected devices, such as laptops and mobile phones, as well as multiple operating systems, software systems and networks.
The process of recording, monitoring and managing these assets is commonly referred to as IT Asset Management (ITAM) and its effective practice is fundamental to good cyber defence.
S&P Global Ratings believes that a strong ITAM is critical to an entity's ability to proactively manage vulnerabilities, respond effectively to incidents and minimize the financial impact of cyberattacks. In addition, we view the absence of an ITAM as potentially indicative of poor cyber risk management, which, when combined with other factors, may affect our assessment of entity management and operational risk.
Reputational damage and financial losses from cyberattacks associated with bad ITAM can be significant. In July 2019, the US credit reporting service Equifax agreed to pay at least $575 million to resolve a complaint filed by the Federal Trade Commission (FTC) after an inaccurate inventory of its public-facing systems contributed to a 2017 data breach that affected approximately 147 million people. Further investigations and the cost of remediation and security improvements are estimated to have brought the total cost to over $1.4 billion.
ITAM and cyber risk management
The National Institute of Standards and Technology (NIST), an agency of the US Department of Commerce, highlighted the importance of ITAM to cyber security in a September 2018 report detailing the benefits of strong ITAM, including:
- Faster response to security alerts (thanks to knowing device location, configuration and ownership).
- Increased cyber resilience by focusing effort on valuable and critical assets.
- Better cost management.
- A smaller attack surface through better patching and updating.
ITAM can also play an important role in facilitating asset prioritization. Not all IT systems are created equal, and the failure of a critical system can have serious consequences for the entire organization. A system that helps organizations track the "crown jewels" of their networks simplifies risk assessment and helps prioritize security efforts.
NIST and the Center for Internet Security (CIS), a nonprofit consulting and benchmarking organization, have both identified a detailed inventory of hardware and software as the starting point for an effective cybersecurity and risk management program.
The frameworks provided by NIST and other organizations inform how we analyze the integration of an organization's cybersecurity into its overall risk management. As such, we view ITAM as a key component in the successful conduct of many core cyber activities, including vulnerability management, incident response, and cyber risk management (see Figure 1).
Common goal, different systems
In general, entities are expected to update risk management policies and practices as threats evolve, and responding to changes in cyberspace should be no different. ITAM plays a key role in managing these changes, ensuring that inventories remain accurate (when assets are replaced or new assets are introduced) and that asset protection (including software updates and patching) evolves with the threat environment.
While ITAM systems share a common goal, they can vary significantly in structure and function across organizations. These differences generally reflect the entities' IT environments and cybersecurity needs. For example, manual ITAM systems (such as spreadsheets) may make sense for organizations with small or low-complexity IT structures. Meanwhile, entities that manage complex IT systems (spanning multiple locations, departments, and different assets) will likely require some level of automation to effectively manage their IT assets.
Dedicated ITAM tools can provide an easy path to this automation. For example, these tools typically allow an organization to store relevant information about each IT component (including location, system owner, and software version). As such, they are a ready way of gathering information into a single repository, facilitating IT risk assessment.
Regardless of the system chosen, for ITAM to fulfill its function and provide the necessary foundation for other elements of cybersecurity, it must perform a minimum set of functions and be supported on an ongoing basis. For example, an ITAM system must correctly identify the assets that need to be protected. It must also be comprehensive enough to track those assets effectively, and processes must be in place to ensure that this tracking stays up to date.
ITAM data
ITAM systems typically consist of software and processes that store key information about an asset, and its potential vulnerabilities, throughout its life cycle. Across an organization, this information may include:
- Network addresses
- Hardware type (e.g., laptop, desktop or server)
- Software (including operating systems and applications)
- Ownership details
- Configuration settings
- Asset criticality
ITAM is usually the responsibility of the IT department, but to ensure effectiveness it is best to share ownership and management between different teams. For example, security teams may hold data that can help IT teams build accurate inventories, which is essential to a strong ITAM program. In our view, ITAM should be guided by clear policies that grant the authority needed to keep the system effective and that assign clear roles and responsibilities.
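To make the data items above concrete, here is an added example (not code from the S&P report or from any ITAM product) of the two checks that an inventory of this shape enables: reconciling what is recorded against what is actually observed on the network, and ranking assets affected by a vulnerability advisory by exposure and criticality. Every hostname, address, version and the "advisory" are constructed sample data; the field names are assumptions chosen to mirror the list above.

```python
"""Minimal ITAM reconciliation and patch prioritization (added illustration).

All inventory records, scan results and the advisory below are constructed
sample data, not real systems or a real vulnerability bulletin.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    # Fields mirror the ITAM data items listed in the text (names are assumed).
    hostname: str
    ip: str
    hw_type: str           # laptop, desktop or server
    software: dict         # product -> installed version (OS and applications)
    owner: str             # ownership details
    internet_exposed: bool # configuration setting relevant to attack surface
    criticality: int       # 1 (low) .. 5 ("crown jewel")


# Constructed inventory: what the ITAM system believes exists.
INVENTORY = [
    Asset("web-01", "203.0.113.10", "server",
          {"os": "ubuntu-22.04", "struts": "2.3.30"}, "web-team", True, 5),
    Asset("app-02", "10.0.5.21", "server",
          {"os": "rhel-9", "struts": "2.5.33"}, "app-team", False, 4),
    Asset("batch-03", "10.0.5.30", "server",
          {"os": "rhel-9", "struts": "2.3.31"}, "data-team", False, 3),
    Asset("hr-laptop-7", "10.0.9.77", "laptop",
          {"os": "windows-11", "office": "16.0"}, "hr", False, 2),
]

# Constructed result of a network scan: (ip, banner hostname) pairs.
# One host was never recorded in the inventory, which is the kind of gap
# the FTC complaint against Equifax described.
OBSERVED = [
    ("203.0.113.10", "web-01"),
    ("10.0.5.21", "app-02"),
    ("10.0.5.30", "batch-03"),
    ("203.0.113.44", "legacy-portal"),
]

# Constructed advisory: product -> versions reported vulnerable (hypothetical).
ADVISORY = {"struts": {"2.3.30", "2.3.31"}}


def find_unmanaged(observed, inventory):
    """IPs seen on the network that no inventory record covers."""
    known = {a.ip for a in inventory}
    return sorted(ip for ip, _ in observed if ip not in known)


def stale_entries(inventory, observed):
    """Inventory records not seen by the scan: decommissioned, or a scan gap."""
    seen = {ip for ip, _ in observed}
    return sorted(a.hostname for a in inventory if a.ip not in seen)


def affected_assets(inventory, advisory):
    """Assets running a version the advisory lists as vulnerable."""
    hits = []
    for asset in inventory:
        for product, bad_versions in advisory.items():
            if asset.software.get(product) in bad_versions:
                hits.append(asset)
                break
    return hits


def patch_order(inventory, advisory):
    """Rank affected assets: internet-exposed first, then by criticality."""
    ranked = sorted(affected_assets(inventory, advisory),
                    key=lambda a: (not a.internet_exposed, -a.criticality))
    return [a.hostname for a in ranked]


if __name__ == "__main__":
    print("Unmanaged hosts on the network:", find_unmanaged(OBSERVED, INVENTORY))
    print("Inventory entries not observed:", stale_entries(INVENTORY, OBSERVED))
    print("Patch in this order:", patch_order(INVENTORY, ADVISORY))
```

The two reconciliation functions are the part that matters for the "gaps and dead spots" discussed later: an unmanaged host cannot be patched, owned, or prioritized, and an inventory record with no matching host means the inventory has drifted from reality. Running both against every scan keeps the inventory usable as the foundation the text describes.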
Scarcity and inefficiency increase risk
The absence of an ITAM can create gaps and dead spots in an organization's cyber risk management, leading to increased vulnerabilities, compliance issues, inefficiencies and suboptimal incident response. Ineffective ITAM can also cause similar problems and be a gateway to security incidents. For example, the FTC's complaint against Equifax highlighted its failure to "maintain an accurate inventory of publicly available technology assets" contributing to the company's poor patching of "fundamental security vulnerabilities."
There is no doubt that other organizations are also at risk due to poor ITAM. According to the UK government's National Cyber Security Centre (NCSC), gaps in IT oversight, and their tendency to grow, are a common risk. "Many organizations have significant gaps in their understanding of their environment. The result is a weakening of the level of cyber security," the NCSC's May 2021 asset management guidance states.
These gaps likely reflect the lack of attention and resources some organizations devote to ITAM, but also the inherent difficulties in meeting the customized needs of different ITAM systems—which are determined by factors such as complexity, size, and operational area. However, ITAM's central place in any effective cyber security system means that organizations cannot afford to ignore it. Starting your journey towards a solid ITAM is a positive step towards mitigating cyber threats.
Related studies
- Cyber Threat Intelligence: New Regulations Will Increase Resilience, August 3, 2023
- Cyber Threat Intelligence: Detection Is Key to Defense, May 10, 2023
- Cyber Insights: Addressing Digital Disruption, February 22, 2023
- Cyber Risk Management Is Credit Risk Management, Says Seminar, November 1, 2022
- How Cyber Risk Impacts Credit Analysis for Global Corporate Issuers, March 30, 2022
Writer: Paul Whitfield
This report does not constitute a rating action.