I recently corresponded with Marc Chisinevski about his open source ITAM Software project.
Q. What is your current role?
An important part of my role as security manager is to identify, evaluate, track and classify company assets. These assets can be physical ones such as servers but also business processes or information. Risk assessments for these assets and safeguard implementations are equally part of my tasks.
Q. What exactly does your open source ITAM software do?
The main benefits of the application are a coherent global view and management of partners, contracts, licenses and assets while ensuring separation of duties. The application allows multiple views and analysis:
Q. How long did it take you develop the software?
The design and development of the software took around 5 months.
Q. Does it integrate with other systems or ITAM Tools?
It would be quite easy to integrate it with the OCS Inventory Management (Open Source IT Inventory Management Software) or OSSIM Open Source Security Information Management system.
Q. Why not buy ITAM software off the shelf?
We wanted to have a system which offered all the functionalities detailed above for our Legal, HR, IT, Information Assurance and Security users. With current off the shelf solutions, we would have been forced to deploy several different applications for each user category (OCS for IT, OSSIM for information assurance and security management and another system for Legal and HR).
Q. How has your company supported you in this project?
The decision was made by top management and was motivated by the fact that this software is not related to the company’s core activities. In addition, it can be useful for any company that has to manage clients, contract, licenses, servers etc… Our end users have expressed their needs in a clear and exhaustive fashion to help with requirements.
Q. What platform does it require – are there any prerequisites for installing?
The platform functions on Windows and Linux; thanks to the underlying framework, it can be deployed on any database supported by Django (Currently PostgreSQL, MySQL, SQLite and Oracle. MS SQL ).
Q. How can people build on it?
People can easily extend the application’s model to add new concepts and functionalities (for example adding Threats for each Asset type and implementing Risk Assessment functionalities). It is also extremely easily to build new reports, graphs and email alerts.
Q. What is planned for the future?
We plan to add the concepts of Threat and that of Safeguard in order to be able to model the cost effectiveness of existing and future defenses. This is another situation where a coherent global view between Legal, HR, IT, Information Assurance and Security is essential. The Legal department can propose creative ways of dealing with risk or threats, for example by negotiating new contracts or modifying existing partner or insurance deals as well as non-disclosure agreements and internal rules and regulations.
If you have any other questions for Marc please post them below or contact me directly.