IT Asset Inventory Management Checklist

Asset Identification

    Pull the current asset register from Intune, Jamf, or your MDM. Capture laptops, servers, network gear, MFPs, and any device that processes nonpublic personal information under GLBA. Printers handling claim packets count — Part 500 §500.11 vendor-risk scope is broader than IT-only.

    List all policy admin, AMS, claims, rating, and document systems — Applied Epic, AMS360, EZLynx, PolicyCenter, ClaimCenter, ImageRight, SERFF, NIPR. Include shadow-IT SaaS surfaced by the CASB. Note whether each system stores NPI; that designation drives downstream risk-tier work.

    Assign a stable asset ID that survives reimaging and OS reinstalls. Match the convention used by the CMDB so the inventory reconciles cleanly against ServiceNow or Jira tickets.

    Owner is the business accountable party (e.g., Commercial Lines Manager); custodian is the technical holder (e.g., IT Ops). Producers using personal devices for binding or quoting need explicit BYOD designation here.

    Tier assets High / Medium / Low based on volume and type of NPI processed. Health data on stop-loss or group dental systems pulls in HIPAA scope on top of GLBA. Upload the classified register for the audit trail.

Inventory Tracking

    Cross-check Intune/Jamf-enrolled devices against active Applied Epic, AMS360, or EZLynx user sessions. Departed producers whose devices remain enrolled or whose AMS accounts remain active are the most common finding in a Part 500 audit.

    Each disposal needs a certificate of destruction with serial numbers — drives that held NPI cannot be donated or resold without sanitization meeting NIST SP 800-88 standards.

    True up rater, AMS, and document-management seat counts. Over-licensing wastes budget; under-licensing surfaces during a vendor audit and can jeopardize the renewal terms.
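The two cross-checks above (enrolled devices and AMS accounts belonging to departed staff, and licensed seats versus seats actually in use) reduce to one reconciliation over three exports: the HR roster, the MDM enrollment list, and the AMS account list. The following is an added example, not code from the page or from any of the named vendors; the records are constructed inline and the field names (`status`, `last_checkin`, `last_login`, `enabled`) are assumptions rather than the export formats of Intune, Jamf, Applied Epic, AMS360 or EZLynx. It also flags devices whose user is unknown to HR, which the text does not mention but which the same join surfaces for free.

```python
"""Reconcile HR roster, MDM enrollment and AMS seats (added example, constructed data)."""
from datetime import date

AS_OF = date(2024, 6, 30)      # constructed "today" for the dormancy check
DORMANT_AFTER_DAYS = 90        # enabled seat with no login in 90 days -> reclaim candidate

# Constructed HR roster: the authority on who is still with the firm.
HR_ROSTER = {
    "jdoe":   {"status": "active",     "role": "producer"},
    "asmith": {"status": "active",     "role": "csr"},
    "bjones": {"status": "terminated", "role": "producer", "termination_date": date(2024, 5, 3)},
    "clee":   {"status": "active",     "role": "producer"},
}

# Constructed MDM enrollment export (field names are assumptions).
MDM_DEVICES = [
    {"asset_id": "LT-0101", "user": "jdoe",   "last_checkin": date(2024, 6, 29)},
    {"asset_id": "LT-0102", "user": "bjones", "last_checkin": date(2024, 6, 28)},  # departed, still enrolled
    {"asset_id": "LT-0103", "user": "asmith", "last_checkin": date(2024, 6, 30)},
    {"asset_id": "TB-0200", "user": "ghost",  "last_checkin": date(2024, 6, 1)},   # user not in HR roster
]

# Constructed AMS account export: one row per licensed seat.
AMS_ACCOUNTS = [
    {"user": "jdoe",   "enabled": True,  "last_login": date(2024, 6, 30)},
    {"user": "bjones", "enabled": True,  "last_login": date(2024, 6, 27)},  # departed, still enabled
    {"user": "asmith", "enabled": True,  "last_login": date(2024, 3, 1)},   # enabled but dormant
    {"user": "clee",   "enabled": False, "last_login": date(2024, 1, 15)},  # disabled, still a paid seat
]


def departed_users(roster):
    """Users HR no longer lists as active."""
    return {u for u, rec in roster.items() if rec["status"] != "active"}


def reconcile(roster, devices, accounts, as_of=AS_OF):
    """Return findings by type: device findings are (user, asset_id); seat findings are user names."""
    gone = departed_users(roster)
    known = set(roster)
    findings = {
        "departed_device_enrolled": [],   # the most common Part 500 finding named in the checklist
        "unknown_device_user": [],        # device tied to nobody HR knows about
        "departed_ams_enabled": [],
        "dormant_seat": [],
    }
    for d in devices:
        if d["user"] in gone:
            findings["departed_device_enrolled"].append((d["user"], d["asset_id"]))
        elif d["user"] not in known:
            findings["unknown_device_user"].append((d["user"], d["asset_id"]))
    for a in accounts:
        if not a["enabled"]:
            continue  # disabled accounts are a licensing question, not an access finding
        if a["user"] in gone:
            findings["departed_ams_enabled"].append(a["user"])
        elif (as_of - a["last_login"]).days > DORMANT_AFTER_DAYS:
            findings["dormant_seat"].append(a["user"])
    return findings


def seat_summary(accounts, roster):
    """Licensed seats vs seats needed (enabled accounts held by active staff)."""
    licensed = len(accounts)
    needed = sum(
        1 for a in accounts
        if a["enabled"] and roster.get(a["user"], {}).get("status") == "active"
    )
    return {"licensed": licensed, "needed": needed, "reclaimable": licensed - needed}


if __name__ == "__main__":
    for kind, items in reconcile(HR_ROSTER, MDM_DEVICES, AMS_ACCOUNTS).items():
        print(f"{kind}: {items}")
    print(seat_summary(AMS_ACCOUNTS, HR_ROSTER))
```

The dormant-seat list is what the later reclaim-before-renewal step works from; a dormant seat held by an active employee is a licensing question, whereas an enabled seat held by a departed user is an access finding and goes into the ticket queue with an owner.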

    Configure the SIEM to alert on MFA disablement, encryption-policy rollback, or unenrollment from MDM. Part 500 §500.12(b) requires MFA for any external network access — silent disablement is a reportable cybersecurity event.
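The three alert conditions above can be expressed as small rules over normalized audit events. The following is an added example, not code from the page or from any SIEM or MDM vendor: the events, the `mfa.disable` / `policy.update` / `device.unenroll` action names, and the `APPROVED_DECOMMISSIONS` ticket table are all constructed for illustration. The unenrollment rule shows the one suppression a practitioner would want: a device leaving MDM under an approved decommission ticket (the disposal path from the step above) is expected, while an unenrollment with no ticket, or a ticket that does not match the asset, still alerts.

```python
"""Rules for MFA disablement, encryption-policy rollback and MDM unenrollment (added example)."""

# Constructed: decommission tickets IT Ops approved, keyed to the asset they cover.
APPROVED_DECOMMISSIONS = {"CHG-4411": "LT-0107"}

# Policy settings that count as endpoint encryption, and the values that mean "enforced".
ENCRYPTION_SETTINGS = {"BitLocker", "FileVault"}
ENCRYPTION_ENFORCING = {"required", "enabled"}

# Constructed normalized events, as the SIEM would hold them after parsing vendor logs.
EVENTS = [
    {"ts": "2024-06-30T08:02:11Z", "source": "idp", "action": "mfa.disable",
     "actor": "helpdesk1", "target": "bjones", "detail": {}},
    {"ts": "2024-06-30T08:05:40Z", "source": "mdm", "action": "policy.update",
     "actor": "itops2", "target": "Laptop-Baseline",
     "detail": {"setting": "BitLocker", "old": "required", "new": "not_configured"}},
    {"ts": "2024-06-30T08:10:00Z", "source": "mdm", "action": "device.unenroll",
     "actor": "itops2", "target": "LT-0107", "detail": {"ticket": "CHG-4411"}},   # approved disposal
    {"ts": "2024-06-30T08:12:33Z", "source": "mdm", "action": "device.unenroll",
     "actor": "jdoe", "target": "LT-0101", "detail": {}},                         # no ticket
    {"ts": "2024-06-30T08:15:00Z", "source": "mdm", "action": "policy.update",
     "actor": "itops2", "target": "Laptop-Baseline",
     "detail": {"setting": "ScreenLockMinutes", "old": "15", "new": "10"}},       # not encryption
]


def rule_mfa_disable(ev):
    """Any MFA disablement is high severity; there is no benign variant to suppress."""
    if ev["action"] == "mfa.disable":
        return "high", f"MFA disabled for {ev['target']} by {ev['actor']}"
    return None


def rule_encryption_rollback(ev):
    """Alert only when an encryption setting moves from enforcing to non-enforcing."""
    d = ev.get("detail", {})
    if ev["action"] == "policy.update" and d.get("setting") in ENCRYPTION_SETTINGS:
        if d.get("old") in ENCRYPTION_ENFORCING and d.get("new") not in ENCRYPTION_ENFORCING:
            return "high", f"{d['setting']} rolled back on {ev['target']} ({d['old']} -> {d['new']})"
    return None


def rule_unenroll(ev, approved=APPROVED_DECOMMISSIONS):
    """Suppress unenrollment only when an approved decommission ticket names this asset."""
    if ev["action"] != "device.unenroll":
        return None
    ticket = ev.get("detail", {}).get("ticket")
    if ticket and approved.get(ticket) == ev["target"]:
        return None
    severity = "medium" if ticket else "high"   # a ticket that does not match still alerts
    return severity, f"MDM unenrollment of {ev['target']} by {ev['actor']} without approved decommission"


RULES = (rule_mfa_disable, rule_encryption_rollback, rule_unenroll)


def evaluate(events, rules=RULES):
    """Run every rule over every event; return one alert record per hit, in event order."""
    alerts = []
    for ev in events:
        for rule in rules:
            hit = rule(ev)
            if hit:
                alerts.append({"ts": ev["ts"], "severity": hit[0],
                               "rule": rule.__name__, "message": hit[1]})
    return alerts


if __name__ == "__main__":
    for a in evaluate(EVENTS):
        print(f"{a['ts']} [{a['severity']}] {a['rule']}: {a['message']}")
```

Each alert still needs a human to decide whether it is a finding with a remediation plan or a cybersecurity event that starts the notification clock; the rule output is triage input, not the determination itself.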

    Vendor-risk scope includes TPAs, claims vendors, document destruction firms, and any printer or mailhouse handling claim packets. SOC 2 Type II reports must be current — expired reports are a common finding.

Risk Management

    Run the threat model against assets tagged High in the classification step. Part 500 expects risk assessments to be ongoing, not just biennial — material changes (new product, M&A, major vendor) trigger an interim assessment.

    Walk the encryption inventory: BitLocker on laptops, TLS 1.2+ on carrier portals, encrypted backups. Document any exception with compensating controls — Part 500 §500.15 allows exceptions only with CISO-approved alternative controls.

    Confirm RTO/RPO targets for PolicyCenter, ClaimCenter, and the AMS. Loss runs and ACORD-form generation must be recoverable within the binding-authority service window — a 72-hour outage during renewal season is a producer-relations problem, not just an IT one.

    Check that the asset register matches the Statement of Values endorsed on the firm's cyber and inland marine policies. New servers added mid-term without a property endorsement create a gap at first-party recovery.

    A finding is a control gap that needs a remediation plan; a cybersecurity event under §500.1(g) is an actual or suspected unauthorized access — that triggers the 72-hour DOI notification clock.

    File each finding as a tracked ticket with an owner and target close date. Open findings without owners are the single most-cited weakness in DOI examiner reports.

    NYDFS Part 500 and the NAIC Insurance Data Security Model Law both require notification within 72 hours of determining a cybersecurity event has occurred. Do not default to GLBA's looser timeline or the HIPAA 60-day window — the state DOI clock is the binding one. Attach the filing confirmation.

Compliance and Reporting

    Tie each High-tier asset to the corresponding control in the firm's Written Information Security Program. GLBA Safeguards Rule expects a documented linkage between asset, risk, and control — not just a control list.

    Retention runs 5–7 years for most policy and claim records; workers' comp can require life-of-claim retention given lifetime medical exposure. Premature destruction creates discoverable spoliation risk in litigation.

    Include asset counts by tier, open findings, vendor SOC 2 status, and license-vs-seat reconciliation. The CISO uses this packet for the annual board certification under Part 500 §500.17(b).

    Cover device-loss reporting (24-hour internal SLA), NPI handling on the AMS, and the standard for OFAC screening at claim payment. New producers and CSRs get this in Week 1; everyone refreshes annually.

Technology Integration

    One source of truth — pick ServiceNow, Jira Assets, or the AMS's asset module and make the others read-only views. Dual-write CMDBs are the second-most-common cause of reconciliation drift after manual spreadsheets.

    Surface dormant rater, AMS, and DocuSign seats. Reclaim before renewal — most carrier and SaaS contracts allow seat reductions only at the anniversary.

    Independent producers working from home laptops or tablets must enroll in MDM before they touch the AMS. Personal-device exceptions need explicit CISO sign-off and compensating controls under §500.15.

    Any new SaaS that touches NPI needs a vendor risk review before procurement signs the order — SOC 2 Type II, breach history, sub-processor list, MFA on admin access. Procurement-led signings without security review are a recurring exam finding.