IT Asset Inventory Management Checklist

Pull the current asset register from Intune, Jamf, or your MDM. Capture laptops, servers, network gear, MFPs, and any device that processes nonpublic personal information under GLBA. Printers handling claim packets count — Part 500 §500.11 vendor-risk scope is broader than IT-only.

List all policy admin, AMS, claims, rating, and document systems — Applied Epic, AMS360, EZLynx, PolicyCenter, ClaimCenter, ImageRight, SERFF, NIPR. Include shadow-IT SaaS surfaced by the CASB. Note whether each system stores NPI; that designation drives downstream risk-tier work.

Assign a stable asset ID that survives reimaging and OS reinstalls. Match the convention used by the CMDB so the inventory reconciles cleanly against ServiceNow or Jira tickets.

Owner is the business accountable party (e.g., Commercial Lines Manager); custodian is the technical holder (e.g., IT Ops). Producers using personal devices for binding or quoting need explicit BYOD designation here.

Tier assets High / Medium / Low based on volume and type of NPI processed. Health data on stop-loss or group dental systems pulls in HIPAA scope on top of GLBA. Upload the classified register for the audit trail.

Cross-check Intune/Jamf-enrolled devices against active Applied Epic, AMS360, or EZLynx user sessions. Departed producers whose devices remain enrolled or whose AMS accounts remain active are the most common finding in a Part 500 audit.

Each disposal needs a certificate of destruction with serial numbers — drives that held NPI cannot be donated or resold without sanitization meeting NIST SP 800-88 standards.

True up rater, AMS, and document-management seat counts. Over-licensing wastes budget; under-licensing surfaces during a vendor audit and can jeopardize the renewal terms.

Configure the SIEM to alert on MFA disablement, encryption-policy rollback, or unenrollment from MDM. Part 500 §500.12(b) requires MFA for any external network access — silent disablement is a reportable cybersecurity event.

Vendor-risk scope includes TPAs, claims vendors, document destruction firms, and any printer or mailhouse handling claim packets. SOC 2 Type II reports must be current — expired reports are a common finding.

Run the threat model against assets tagged High in the classification step. Part 500 expects risk assessments to be ongoing, not just biennial — material changes (new product, M&A, major vendor) trigger an interim assessment.

Walk the encryption inventory: BitLocker on laptops, TLS 1.2+ on carrier portals, encrypted backups. Document any exception with compensating controls — Part 500 §500.15 allows exceptions only with CISO-approved alternative controls.

Confirm RTO/RPO targets for PolicyCenter, ClaimCenter, and the AMS. Loss runs and ACORD-form generation must be recoverable within the binding-authority service window — a 72-hour outage during renewal season is a producer-relations problem, not just an IT one.

Check that the asset register matches the Statement of Values endorsed on the firm's cyber and inland marine policies. New servers added mid-term without a property endorsement create a gap at first-party recovery.

A finding is a control gap that needs a remediation plan; a cybersecurity event under §500.1(g) is an actual or suspected unauthorized access — that triggers the 72-hour DOI notification clock.

File each finding as a tracked ticket with an owner and target close date. Open findings without owners are the single most-cited weakness in DOI examiner reports.

NYDFS Part 500 and the NAIC Insurance Data Security Model Law both require notification within 72 hours of determining a cybersecurity event has occurred. Do not default to GLBA's looser timeline or the HIPAA 60-day window — the state DOI clock is the binding one. Attach the filing confirmation.

Tie each High-tier asset to the corresponding control in the firm's Written Information Security Program. GLBA Safeguards Rule expects a documented linkage between asset, risk, and control — not just a control list.

Retention runs 5–7 years for most policy and claim records; workers comp can require life-of-claim retention given lifetime medical exposure. Premature destruction creates discoverable spoliation risk in litigation.

Include asset counts by tier, open findings, vendor SOC 2 status, and license-vs-seat reconciliation. The CISO uses this packet for the annual board certification under Part 500 §500.17(b).

Cover device-loss reporting (24-hour internal SLA), NPI handling on the AMS, and the standard for OFAC screening at claim payment. New producers and CSRs get this in Week 1; everyone refreshes annually.

One source of truth — pick ServiceNow, Jira Assets, or the AMS's asset module and make the others read-only views. Dual-write CMDBs are the second-most-common cause of reconciliation drift after manual spreadsheets.

Surface dormant rater, AMS, and DocuSign seats. Reclaim before renewal — most carrier and SaaS contracts allow seat reductions only at the anniversary.

Independent producers working from home laptops or tablets must enroll in MDM before they touch the AMS. Personal-device exceptions need explicit CISO sign-off and compensating controls under §500.15.

Any new SaaS that touches NPI needs a vendor risk review before procurement signs the order — SOC 2 Type II, breach history, sub-processor list, MFA on admin access. Procurement-led signings without security review are a recurring exam finding.