What are information assets and why are they important?
Information assets are any data, information, knowledge, software, hardware, IT services, data storage or IT equipment that has value to the company and whose loss, theft or misuse would be a problem for it. Without information assets, processes, decision-making and company management cannot work.
- Every organization needs information assets for its functioning and decision-making. Companies cannot exist without information.
- Every information asset is vulnerable and thus should be protected, which makes it an object of information security.
How to divide information assets
Information assets vary in importance and kind, and they are interconnected rather than existing as a flat list. The loss of one asset can impact the value of another. For instance, flooding a server room can damage the servers and the data stored on them. Therefore, it is crucial to protect not only the software through cybersecurity measures (against cyber attacks) but also the physical infrastructure, such as the server room, against threats like flooding, fire, or theft.
Primary information assets: what you must protect and secure
- Primary information assets are data, information or knowledge that has value and is organized and managed
- They enable the organization to operate business processes and make decisions
- They are situated at the top of the pyramid
Supporting, secondary information assets: what must work and you must protect and secure
- Secondary, supporting information assets are essential for making data and information available. These include:
- Software: software or applications where data is stored or processed
- Hardware: any IT or other equipment
- People: as carriers of knowledge and information, also as a source of risk or failure
- Physical infrastructure: any physical equipment or location on which other assets depend, such as a server room
- Processes: processes such as Access Control Processes or Incident Response Processes
- Purchased services: external IT and other services, for example cloud data storage or electricity supply
Examples of information assets
- Personal customer data
- Login data
- Backup of data
- Business plans
- Payroll processing applications
- Server running enterprise software
- Employee's laptop
- Employee's mobile phone
- Any hardware (printers, network elements, etc.)
- Services (cloud services, electricity supply, air-conditioning etc.)
- Cloud storage
- VPNs
- Access management processes
How to keep an information asset inventory
Creating the asset inventory is one of the first actions for information security management. The inventory is the essential foundation for other information security data. The information asset inventory should be validated regularly by the management and the asset owners.
- To keep an information asset inventory, use Information asset organizers for primary and supporting assets
- Maintain an overview of information assets, divided according to the above methodology or according to your own methodology
- For each asset, keep key information such as type, confidentiality, etc.
- Link each individual asset to the others it relates to, so that dependencies stay visible
- Update the inventory when additional assets are uncovered
Creating information asset inventory step-by-step
When we help teams with information security, we often start with a workshop with the information security team and management representatives responsible for individual information assets. With the team, we create a list of information assets in the following way:
1. Start with primary assets (data)
- First, focus on your primary information assets, i.e. your data
- Identify the key information that your organization cannot function without. A helpful test is the phrase "if we lose them, we're done" or "if someone abuses them, we have a big problem"
- List 3-10 core information assets; this will help you not drown in detail
- Name the impact of the destruction or loss for each primary asset. Imagine what the consequence of the loss would be for you, on a scale from "we don't know" to "it will ruin us"
- Assess whether it is really a primary asset and not a supporting one
- Repeat points 2-5 until you have a satisfactory result, being careful not to include supporting assets.
2. Create a list of supporting assets to the primary assets
- Identify the key systems, software, hardware or infrastructure where your data (primary assets) is stored
- Proceed from each primary asset with the question "where and how is the data stored"
- Name the impact for each one. How will their unavailability affect you? On a scale from "nothing happens" to "nothing will work"
- Repeat points 1-3 until you have a list of everything that must work for your company to work
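The result of the two steps can be kept as a linked structure rather than a flat list. The following is an added example, not part of the original article: the asset names follow the examples on this page, while the owners, the numeric 1-4 impact scale and the function names are assumptions made for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    kind: str      # "primary" (data) or "supporting"
    owner: str     # empty string = nobody has accepted responsibility yet
    impact: int    # assumed scale: 1 "nothing happens" .. 4 "nothing will work"
    depends_on: list = field(default_factory=list)  # names of supporting assets

# Constructed sample inventory (owners and impact values are invented).
INVENTORY = {a.name: a for a in [
    Asset("Personal customer data", "primary", "Head of Sales", 4, ["CRM application", "Cloud storage"]),
    Asset("Business plans", "primary", "CEO", 3, ["Cloud storage"]),
    Asset("Login data", "primary", "IT manager", 4),
    Asset("CRM application", "supporting", "IT manager", 3, ["Server"]),
    Asset("Server", "supporting", "IT manager", 3, ["Server room", "Electricity supply"]),
    Asset("Server room", "supporting", "", 3),
    Asset("Electricity supply", "supporting", "Facility manager", 4),
    Asset("Cloud storage", "supporting", "IT manager", 4),
]}

def affected_primary(inventory, failed):
    """Primary assets that directly or indirectly depend on the failed asset."""
    dependents = defaultdict(list)
    for asset in inventory.values():
        for dep in asset.depends_on:
            dependents[dep].append(asset.name)
    seen, queue = {failed}, deque([failed])   # 'seen' also guards against cycles
    while queue:
        for name in dependents[queue.popleft()]:
            if name not in seen:
                seen.add(name)
                queue.append(name)
    return sorted(n for n in seen if n in inventory and inventory[n].kind == "primary")

def review_findings(inventory):
    """Gaps to raise at the next inventory review."""
    findings = []
    for a in inventory.values():
        if not a.owner:
            findings.append(f"{a.name}: no owner assigned")
        if a.kind == "primary" and not a.depends_on:
            findings.append(f"{a.name}: no supporting asset linked")
        findings += [f"{a.name}: depends on unlisted asset '{d}'"
                     for d in a.depends_on if d not in inventory]
    return findings

if __name__ == "__main__":
    print(affected_primary(INVENTORY, "Server room"))
    print(review_findings(INVENTORY))
```

Asking what is affected when the server room floods walks the links upward from the room to the server, the application and finally the data, which is the dependency the flat list hides.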
Maintaining information asset inventory
- The information asset register should be continuously updated by the information security team based on new assets, risks, workshops, incidents and inquiries from other employees
- It should be validated regularly by management and asset owners, every six months or once a year.
- We recommend planning regular meetings on the topic of information security, where one of the items on the agenda is a review of the list of your information assets
- Top management should check that all information assets they know and care about are present
- Information asset owners should verify that they recognize and understand all assets assigned to them and are willing to take responsibility