As data protection practitioners we might be accused of not paying enough attention to information assets. Our role is to protect personal data and in doing so we tend to focus only on personal data activities and non-personal data becomes the realm of the wider data governance function.
Consider this; our record of processing activities (ROPA) provides us with a detailed view of personal data processing and there is no denying that a good ROPA is a comprehensive tool for understanding where data is processed. So wouldn’t this be a good place to start if we wanted to know where our information assets were processed?
At ProvePrivacy, we understand that opening the ROPA up to a wider view of both personal and non-personal data processing will no doubt improve our ability to understand risks and plan for the future.
Benefits of Maintaining an Asset Register
To understand how to manage information assets, we first need to understand what an information asset is. A broad definition is any information or data that has value for our organisation. Take for example point of sale data in a retail organisation, without this information the organisation is likely to suffer and maybe even fail.
In data protection terms our information assets reside on our systems, infrastructure, third party providers and paper based systems, and it is these assets that we need to understand and manage.
An information asset register (IAR) is important for many reasons, in the context of data protection, your IAR forms part of your accountability responsibilities. It provides greater visibility of where personal data resides, which in turn ensures that your organisation can demonstrate how it is protected.
An IAR helps to improve information governance by providing a clear overview of the information assets, their ownership, their location, their lifecycle, and their security.
It helps to reduce information risks and costs, by identifying and eliminating redundant, obsolete, or trivial information assets, and by minimising the potential impacts of data breaches, such as financial losses, reputational damages, legal liabilities, or operational disruptions.
It helps to support disaster recover by ensuring that an organisation can identify its critical assets and build a plan to ensure critical infrastructure is restored ahead of noncritical systems. This ensures that effort is focused on business-critical assets first.
The asset register identifies information owners, users, and stakeholders. It allows you to understand which departments and activities use an asset and also which data items are held on an information asset.
So, an information asset register (IAR) becomes an essential tool for understanding our assets, recognising the risks associated with them and for providing assurance that the risks are being managed.
Information Asset Register Contents
An IAR should help to identify, classify, and manage information assets within your organisation. It should contain information such as:
- The name and description of the asset, such as what it is, what it contains, and what it is used for.
- The users of the asset, which processing activities rely upon the asset and which data is processed on the asset.
- The owner and custodian of the information asset, such as who is responsible for creating, maintaining, and disposing of the information asset, and who has access to it.
- The location and format of the information asset, such as where it is stored, how it is structured, and what software or hardware is needed to access it.
- The retention and disposal schedule of the information asset, such as how long it should be kept, when it should be reviewed, and how it should be destroyed.
- The value and risk of the information asset, such as how important it is for the organisation, what benefits it provides, what threats it faces, and what impacts it may have if compromised. This should provide an oversight of the criticality of the asset and enable prioritisation of assets for business continuity purposes.
- The security measures and controls of the information asset, such as what policies, procedures, standards, and tools are in place to protect the information asset from unauthorized access, use, disclosure, disruption, modification, or destruction.
- The support which the asset needs to maintain its operation such as service level agreements, back-up and maintenance procedures.
- Dependencies upon other assets, for example a system assets dependency upon a server, this will ensure that dependent assets are prioritised equally.
Supporting Data Protection
Understanding your information assets will allow you to evidence compliance with the Data Protection Act, it will provide you with a wealth of information to support your Record of Processing Activities (ROPA) and assuming that you have linked your ROPA and IAR together you will be able to identify which assets are supporting which activities and therefore which assets are supporting sensitive personal data assets.
Your IAR, when used to inform security practices, will inform the technical and organisational controls.
Supporting Business Continuity
Business continuity is the ability of an organisation to maintain its essential functions and services during and after a disruption, such as a natural disaster, a cyberattack etc. Business Continuity Management (BCM) is about identifying those parts of your organisation that you can’t afford to lose – such as information, stock, premises, staff – and planning how to maintain these, if an incident occurs. Any incident, large or small, whether it is natural, accidental or deliberate, can cause major disruption to your organisation. But if you plan now, rather than waiting for it to happen, you will be able to get back to business in the quickest possible time.
To ensure business continuity, an organisation needs to identify and prioritise its information assets in order to prioritise them for business continuity purposes. It can do this by following these steps:
- Identify the key products and services that the organisation delivers, and the critical activities and resources required to deliver them. For example, a retail business may need to ensure the availability of its inventory, its online store, its payment system, and its customer service.
- Assess the risks and impacts of losing or compromising the information assets that support the key products and services. For example, a retail business may face financial losses, reputational damages, legal liabilities, or customer dissatisfaction if its inventory, online store, payment system, or customer service are affected by a disruption.
- Classify the information assets according to their importance and urgency for the organisation.
Supporting Information Security
Information asset protection is a very critical aspect of business management process for the successful operations and continuity of any business. Any form of threat to the security of the digital information and its process is a definite threat to the quality of business end result.
An IAR will inform information security by helping to identify and classify the assets according to their value to the organisation. It can help to identify risk, and data sensitivity. By doing this InfoSec teams can apply the appropriate security measures and controls to protect them from unauthorized access etc.
It can help to reduce information risks and costs, by identifying and eliminating redundant, obsolete, or trivial information assets, and by preventing or minimizing the potential impacts of data breaches, such as financial losses, reputational damages, legal liabilities, or operational disruptions.
It can help to support information access, by facilitating the retrieval and sharing of information assets among authorised parties, and by enabling the more effective use of resources.
When properly implemented, robust data security strategies will not only protect an organisation’s information assets against cybercriminal activities, but they’ll also guard against insider threats and human error, which remain among the leading causes of data breaches today.
In order to appropriately manage, understand, access share and dispose of information assets, organisations should document and maintain details about them in an information asset register.
By maintaining an IAR organisations will understand what information assets they use, which are the most critical, which will need to be back online quickly and which contain the highest risk data. The IAR allows us to prioritise and manage our assets in an efficient manner. Maintaining an IAR ensures that we can identify data protection risks and system availability risk, which means an IAR becomes a proactive tool to manage personal and non-personal data assets.
Many organisations will maintain an IAR separate from their ROPA, seeing the IAR as an InfoSec tool and the ROPA as a data protection tool. At ProvePrivacy we believe that they should be linked as they should inform each other. In doing this data protection becomes something which is done by design and by default.
ProvePrivacy now collects information assets as an integral part of its dynamic and intuitive ROPA which in turn automatically identifies and registers key risks to be managed within our Risk Management module.
Copyright ProvePrivacy: The information and opinions expressed in this article should not be considered legal advice.