The benefits that can be derived from Software Asset Management are often forgotten in the chase to produce licence compliance reports. However, it is worth taking a moment to consider the role software asset management can play in other areas of IT – most notably, information security.
Best practice advocates of information security will be well aware that one of the mandatory requirements of ISO 27001 is the creation and maintenance of a scope or domain that an ISMS (Information Security Management System) applies to. One of the practices that seeks to verify the scope of a SAM estate can easily be applied to the scope verification of the ISMS also. SAM is keen to ensure that it captures all devices for the purposes of licensing; information security wishes to make sure it captures all devices to ensure appropriate security control. A simple comparison of devices from the inventory system and the Anti-Virus System should produce three primary findings:
* Devices in the SAM and ISMS scope
* Devices only in the SAM scope
* Devices only in the Info Sec scope
SOURCE: bcs.org
While I fully agree with the above perspective, there is sometimes a perception that SAM has some accountability for IT security, which is not the case. SAM practices, including as to technology and data, facilitate and support IT security, but IT security does not fall within SAM’s mandate.
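The device comparison described in the quoted passage, as an added example (not code from bcs.org or from this post). The CSV column names and both sample exports are constructed assumptions; names are normalised to short hostnames so that case and FQDN differences between the two systems do not show up as false findings.

```python
import csv
import io

# Constructed sample exports; the column names are assumptions, not any product's schema.
SAM_EXPORT = """hostname,os
WS-0001.corp.example,Windows 11
ws-0002,Windows 10
SRV-DB01.corp.example,Windows Server 2019
LAB-KIOSK7,Windows 10
"""

AV_EXPORT = """ComputerName,AgentVersion
ws-0001,7.2
WS-0002.CORP.EXAMPLE,7.2
srv-db01,7.1
BYOD-LAPTOP3,7.2
,7.2
"""


def normalise(name):
    """Reduce a device name to a comparable key: trimmed, lower-case, short hostname.

    Caveat: two devices with the same short name in different domains collapse
    into one key; compare on serial number or asset tag if both exports carry it.
    """
    return name.strip().lower().split(".", 1)[0]


def load_devices(csv_text, column):
    """Return the set of normalised device names in one export, skipping blank names."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {normalise(r[column]) for r in rows if (r.get(column) or "").strip()}


def reconcile(sam_text, av_text, sam_col="hostname", av_col="ComputerName"):
    """Split the two inventories into the three findings listed in the text."""
    sam = load_devices(sam_text, sam_col)
    av = load_devices(av_text, av_col)
    return {
        "both": sorted(sam & av),
        "sam_only": sorted(sam - av),  # inventoried, but absent from the AV console
        "av_only": sorted(av - sam),   # in the AV console, but missing from the inventory
    }


if __name__ == "__main__":
    for finding, devices in reconcile(SAM_EXPORT, AV_EXPORT).items():
        print(f"{finding}: {', '.join(devices) or '-'}")
```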