The key to creating an effective information asset register is the involvement of the business and this means correctly identifying and allocating, then training and supporting, information asset owners (IAOs) throughout our organisations.
In doing so, it is absolutely vital that businesses do not make the mistake of confusing information ownership with system ownership. The information assets could take many forms, and they all need to be considered and added to the register. IAOs are the people who can ultimately answer the following key questions relating to these assets:
1. What information do I have?
The IAO is the person who can best answer this. They are the ones keeping or storing this information and using it, in whatever format that might be: electronic or paper, for instance. Answering this question is the first step in establishing an effective information asset register.
2. Why have I got it?
This is pivotal. What is the purpose of this information? Once the purpose is clearly defined, the requirements for confidentiality, integrity and availability follow from it: who may see the information, how accurate it must be kept, and when it must be accessible. There are times when we identify information and cannot clearly answer why we have it; we are holding on to it "just in case", or in some cases had not even realised we were storing or keeping it in the first place.
3. Should I have it?
Not all information is good or necessary, and let's not forget that it is a key tenet of the Data Protection Act (1998) to keep personal information only for as long as is necessary for the purpose for which it was collected in the first place. It sometimes happens that an organisation keeps information without realising it, or in the belief that it is acceptable to hang on to data assets, and then subsequently finds itself in a disclosure situation. Business information needs to be kept in line with a retention policy; this could cover personnel records, board minutes, all sorts of things. However, the retention policy should not be to keep everything forever.
The more information we have and the longer we want to keep it, the more cost we are generating associated with information protection. So there are solid commercial reasons for ensuring the retention policy is fit for purpose, as well as maintaining information security best practice.
Once we know what we have and why we have it, and we are confident that we ought to have it or have a definite purpose for it, then we can establish its value to us, and the impact of the compromise of confidentiality, integrity and availability. In short, we can start managing the risk and protecting the information pragmatically, proportionately and cost-effectively.
Once this information asset register is up and running, it needs to be continually checked, improved and updated as a living part of the business. IAOs should have a mechanism and process in place for this and be certain of their accountability. Reviews will mean that some information assets are no longer required. If you need to delete information, it should be securely removed and the media sanitised in accordance with the information's sensitivity and value, and in line with the organisation's data retention policy.
Mike Gillespie is director of cyber research and security at The Security Institute.
This was first published in November 2015