IT Asset Inventory Management Checklist

Quarterly asset inventory workflow for an insurance carrier or agency, aligned to NYDFS Part 500 and the NAIC Insurance Data Security Model Law. Run by IT operations, the CISO's office, and compliance to keep the asset register, NPI mapping, and vendor inventory examiner-ready.

Section 1: Asset Identification

  1. Catalog hardware that touches NPI
    • Pull the current asset register from Intune, Jamf, or your MDM. Capture laptops, servers, network gear, MFPs, and any device that processes nonpublic personal information under GLBA. Printers handling claim packets count — Part 500 §500.11 vendor-risk scope is broader than IT-only.

  2. Inventory licensed software and SaaS apps
    • List all policy admin, AMS, claims, rating, and document systems — Applied Epic, AMS360, EZLynx, PolicyCenter, ClaimCenter, ImageRight, SERFF, NIPR. Include shadow-IT SaaS surfaced by the CASB. Note whether each system stores NPI; that designation drives downstream risk-tier work.

  3. Tag each asset with a unique ID
    • Assign a stable asset ID that survives reimaging and OS reinstalls. Match the convention used by the CMDB so the inventory reconciles cleanly against ServiceNow or Jira tickets.

  4. Record owner and custodian for each asset
    • Owner is the business accountable party (e.g., Commercial Lines Manager); custodian is the technical holder (e.g., IT Ops). Producers using personal devices for binding or quoting need explicit BYOD designation here.

  5. Classify assets by NPI sensitivity tier
    • Tier assets High / Medium / Low based on volume and type of NPI processed. Health data on stop-loss or group dental systems pulls in HIPAA scope on top of GLBA. Upload the classified register for the audit trail.

Section 2: Inventory Tracking

  1. Reconcile MDM against the AMS access list
    • Cross-check Intune/Jamf-enrolled devices against active Applied Epic, AMS360, or EZLynx user sessions. Departed producers whose devices remain enrolled or whose AMS accounts remain active are the most common finding in a Part 500 audit.

  2. Log acquisitions, transfers, and disposals
    • Each disposal needs a certificate of destruction with serial numbers — drives that held NPI cannot be donated or resold without sanitization meeting NIST SP 800-88 standards.

  3. Audit license counts against active seats
    • True up rater, AMS, and document-management seat counts. Over-licensing wastes budget; under-licensing surfaces during a vendor audit and can jeopardize the renewal terms.

  4. Set alerts for unauthorized configuration changes
    • Configure the SIEM to alert on MFA disablement, encryption-policy rollback, or unenrollment from MDM. Part 500 §500.12(b) requires MFA for any external network access — silent disablement is a reportable cybersecurity event.

  5. Confirm vendor inventory under Part 500 §500.11
    • Vendor-risk scope includes TPAs, claims vendors, document destruction firms, and any printer or mailhouse handling claim packets. SOC 2 Type II reports must be current — expired reports are a common finding.
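The cross-check in step 1 (MDM enrollments against AMS accounts and departures) and the seat true-up in step 3 can be scripted against exports from the systems named above. The block below is an added example, not part of the checklist and not any vendor's tooling: every record is constructed, and the field names (serial, user, status, last_login, and so on) are assumptions about what an Intune/Jamf or Applied Epic/AMS360 export would contain.

```python
"""Added example (not part of the checklist or any vendor's tooling):
reconcile MDM enrollments and AMS accounts against the HR roster, then
true up AMS seats. All records are constructed; the field names are
assumptions about what an MDM or AMS export would contain."""
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: username -> termination date (None means still employed)
HR_ROSTER = {
    "amy.chen": None,
    "bob.ruiz": date(2024, 3, 15),      # departed producer
    "cara.ng": None,
    "dan.oyelaran": date(2024, 5, 1),   # departed CSR
}

# Constructed MDM export: one row per enrolled device
MDM_DEVICES = [
    {"serial": "LT-1001", "user": "amy.chen", "last_checkin": date(2024, 6, 28)},
    {"serial": "LT-1002", "user": "bob.ruiz", "last_checkin": date(2024, 3, 10)},
    {"serial": "TB-2001", "user": "cara.ng", "last_checkin": date(2024, 6, 29)},
]

# Constructed AMS user list; "eve.park" has no HR record (e.g. a contractor login)
AMS_USERS = [
    {"user": "amy.chen", "status": "active", "last_login": date(2024, 6, 27)},
    {"user": "bob.ruiz", "status": "active", "last_login": date(2024, 3, 12)},
    {"user": "cara.ng", "status": "active", "last_login": date(2024, 2, 1)},
    {"user": "dan.oyelaran", "status": "active", "last_login": date(2024, 4, 30)},
    {"user": "eve.park", "status": "active", "last_login": date(2024, 6, 20)},
]

AMS_LICENSED_SEATS = 4   # constructed contract seat count
DORMANT_DAYS = 90        # assumed threshold for a seat to count as dormant


@dataclass(frozen=True)
class Finding:
    category: str   # e.g. "ams_departed_user"
    subject: str    # device serial or username
    detail: str


def reconcile(hr, mdm, ams, as_of):
    """Return findings for departed, unknown and dormant users across MDM and AMS."""
    findings = []
    for dev in mdm:
        term = hr.get(dev["user"], "no_record")
        if term == "no_record":
            findings.append(Finding("mdm_unknown_user", dev["serial"],
                                    f"enrolled to {dev['user']}, who has no HR record"))
        elif term is not None:
            findings.append(Finding("mdm_departed_user", dev["serial"],
                                    f"still enrolled to {dev['user']}, who left on {term}"))
    for acct in ams:
        if acct["status"] != "active":
            continue
        term = hr.get(acct["user"], "no_record")
        idle_days = (as_of - acct["last_login"]).days
        if term == "no_record":
            findings.append(Finding("ams_unknown_user", acct["user"],
                                    "active AMS account with no HR record"))
        elif term is not None:
            findings.append(Finding("ams_departed_user", acct["user"],
                                    f"AMS account still active after departure on {term}"))
        elif idle_days > DORMANT_DAYS:
            findings.append(Finding("ams_dormant_seat", acct["user"],
                                    f"no AMS login for {idle_days} days"))
    return findings


def seat_true_up(ams, licensed_seats):
    """Compare contracted seats with active accounts (step 3 of this section)."""
    active = sum(1 for acct in ams if acct["status"] == "active")
    return {
        "licensed": licensed_seats,
        "active": active,
        "over_licensed_by": max(0, licensed_seats - active),
        "under_licensed_by": max(0, active - licensed_seats),
    }


def quarterly_report(as_of=date(2024, 6, 30)):
    """Run both checks over the constructed data for a given quarter-end date."""
    return (reconcile(HR_ROSTER, MDM_DEVICES, AMS_USERS, as_of),
            seat_true_up(AMS_USERS, AMS_LICENSED_SEATS))


if __name__ == "__main__":
    findings, seats = quarterly_report()
    for f in findings:
        print(f"{f.category:20} {f.subject:14} {f.detail}")
    print(seats)
```

Each finding carries a category so it can be filed as its own remediation ticket (section 3, step 6); the departed-user categories are the ones the step above calls the most common Part 500 audit finding, and the dormant-seat category feeds the seat true-up.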
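The three alert conditions in step 4 (MFA disablement, encryption-policy rollback, MDM unenrollment) are shown below as detection logic run over a handful of audit events. This is an added example, not part of the checklist and not any SIEM's rule syntax; the events are constructed, and the log format, field names and severities are assumptions.

```python
"""Added example (not part of the checklist): evaluate constructed audit
events against the alert conditions in step 4. The JSON-lines format,
field names and severities are assumptions, not any SIEM's schema."""
import json
from dataclasses import dataclass

# Constructed JSON-lines audit feed from an identity provider (idp) and an MDM.
# The last line is deliberately malformed so the example shows that a bad
# line is counted and skipped rather than crashing the job or vanishing.
SAMPLE_LOG = """\
{"ts": "2024-06-30T08:01:00Z", "source": "idp", "action": "policy.update", "actor": "admin1", "target": "mfa_required", "old": "true", "new": "false"}
{"ts": "2024-06-30T08:05:00Z", "source": "idp", "action": "user.login", "actor": "amy.chen", "target": "ams", "old": null, "new": null}
{"ts": "2024-06-30T09:10:00Z", "source": "mdm", "action": "device.unenroll", "actor": "bob.ruiz", "target": "LT-1002", "old": "enrolled", "new": "unenrolled"}
{"ts": "2024-06-30T09:12:00Z", "source": "mdm", "action": "policy.update", "actor": "admin2", "target": "disk_encryption", "old": "required", "new": "optional"}
{"ts": "2024-06-30T09:15:00Z", "source": "mdm", "action": "policy.update", "actor": "admin2", "target": "disk_encryption", "old": "optional", "new": "required"}
this line is not JSON
"""


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    ts: str
    actor: str
    target: str


def _mfa_disabled(e):
    return (e["source"] == "idp" and e["action"] == "policy.update"
            and e["target"] == "mfa_required" and e["new"] == "false")


def _encryption_rollback(e):
    # Only a move away from "required" is a rollback; re-enabling is not alerted
    return (e["source"] == "mdm" and e["action"] == "policy.update"
            and e["target"] == "disk_encryption"
            and e["old"] == "required" and e["new"] != "required")


def _mdm_unenroll(e):
    return e["source"] == "mdm" and e["action"] == "device.unenroll"


# (rule name, severity, predicate); severities are assumed, not from the checklist
RULES = [
    ("mfa_disabled", "critical", _mfa_disabled),
    ("encryption_policy_rollback", "high", _encryption_rollback),
    ("mdm_unenrollment", "high", _mdm_unenroll),
]

REQUIRED_FIELDS = ("ts", "source", "action", "actor", "target", "old", "new")


def evaluate(log_text):
    """Return (alerts, skipped); skipped counts unparseable or incomplete lines."""
    alerts, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if not all(key in event for key in REQUIRED_FIELDS):
            skipped += 1
            continue
        for name, severity, predicate in RULES:
            if predicate(event):
                alerts.append(Alert(name, severity, event["ts"], event["actor"], event["target"]))
    return alerts, skipped


if __name__ == "__main__":
    found, bad = evaluate(SAMPLE_LOG)
    for a in found:
        print(f"[{a.severity}] {a.rule}: {a.actor} -> {a.target} at {a.ts}")
    print(f"{bad} line(s) skipped")
```

The skipped-line count matters as much as the alerts: a feed that silently drops malformed or incomplete events is itself a monitoring gap, so the count belongs in the quarterly CISO packet alongside the alerts.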

Section 3: Risk Management

  1. Assess risk for High-tier NPI assets
    • Run the threat model against assets tagged High in the classification step. Part 500 expects risk assessments to be ongoing, not just biennial — material changes (new product, M&A, major vendor) trigger an interim assessment.

  2. Verify encryption of NPI in transit and at rest
    • Walk the encryption inventory: BitLocker on laptops, TLS 1.2+ on carrier portals, encrypted backups. Document any exception with compensating controls — Part 500 §500.15 allows exceptions only with CISO-approved alternative controls.

  3. Review the disaster recovery plan
    • Confirm RTO/RPO targets for PolicyCenter, ClaimCenter, and the AMS. Loss runs and ACORD-form generation must be recoverable within the binding-authority service window — a 72-hour outage during renewal season is a producer-relations problem, not just an IT one.

  4. Reconcile scheduled property on the cyber policy
    • Check that the asset register matches the Statement of Values endorsed on the firm's cyber and inland marine policies. New servers added mid-term without a property endorsement create a gap at first-party recovery.

  5. Record the risk assessment outcome
    • A finding is a control gap that needs a remediation plan; a cybersecurity event under §500.1(g) is an actual or suspected unauthorized access — that triggers the 72-hour DOI notification clock.

  6. Open remediation tickets for findings
    • File each finding as a tracked ticket with an owner and target close date. Open findings without owners are the single most-cited weakness in DOI examiner reports.

  7. File the 72-hour DOI cybersecurity event notice
    • NYDFS Part 500 and the NAIC Insurance Data Security Model Law both require notification within 72 hours of determining a cybersecurity event has occurred. Do not default to GLBA's looser timeline or the HIPAA 60-day window — the state DOI clock is the binding one. Attach the filing confirmation.

Section 4: Compliance and Reporting

  1. Map the register to WISP control requirements
    • Tie each High-tier asset to the corresponding control in the firm's Written Information Security Program. GLBA Safeguards Rule expects a documented linkage between asset, risk, and control — not just a control list.

  2. Maintain the audit trail for the next exam
    • Retention runs 5–7 years for most policy and claim records; workers comp can require life-of-claim retention given lifetime medical exposure. Premature destruction creates discoverable spoliation risk in litigation.

  3. Generate the quarterly CISO inventory report
    • Include asset counts by tier, open findings, vendor SOC 2 status, and license-vs-seat reconciliation. The CISO uses this packet for the annual board certification under Part 500 §500.17(b).

  4. Train staff on asset-handling and NPI procedures
    • Cover device-loss reporting (24-hour internal SLA), NPI handling on the AMS, and the standard for OFAC screening at claim payment. New producers and CSRs get this in Week 1; everyone refreshes annually.

Section 5: Technology Integration

  1. Sync the register with the CMDB
    • One source of truth — pick ServiceNow, Jira Assets, or the AMS's asset module and make the others read-only views. Dual-write CMDBs are the second-most-common cause of reconciliation drift after manual spreadsheets.

  2. Pull license-utilization analytics
    • Surface dormant rater, AMS, and DocuSign seats. Reclaim before renewal — most carrier and SaaS contracts allow seat reductions only at the anniversary.

  3. Verify MDM coverage on remote and BYOD devices
    • Independent producers working from home laptops or tablets must enroll in MDM before they touch the AMS. Personal-device exceptions need explicit CISO sign-off and compensating controls under §500.15.

  4. Evaluate new vendor tools against §500.11
    • Any new SaaS that touches NPI needs a vendor risk review before procurement signs the order — SOC 2 Type II, breach history, sub-processor list, MFA on admin access. Procurement-led signings without security review are a recurring exam finding.

Sections: 5
Steps: 25
Category: Insurance
Price: Free to start