Guidance for Information Governance Guardians
Every business relies on information assets to assist with daily functions. Today’s increased cybersecurity risks call for organizations to monitor their data closely in an effort to classify and protect it. While this is a difficult task to undertake, companies can utilize an Information Asset Register, an effective and reliable tool to secure their data.
First, a definition: An Information Asset Register (IAR) is a catalogue of the information an organization holds and processes, where it is stored, how it moves and who has access. With increasing and evolving cyber risk, every organization, irrespective of size, needs to know where its data is so that it can classify and protect that data based on how critical it is to the business.
Every organization’s business activities rely on different kinds of information assets, such as software, applications, websites, databases, datasets, analytics in the data warehouse, storage, downloads or extracts from your core systems (e.g., finance, human resources, sales, data warehouse), shared drive content, spreadsheets, emails, paper records, etc.
Developing an IAR does not require an overhaul of your current cyber risk program; quite the contrary. The most effective method for adopting an IAR is a risk-based approach. By taking a risk-based approach, you can ensure that the appropriate technical and operational measures are implemented to protect your most important information and assets from evolving threats and vulnerabilities. An IAR may sound duplicative of other data management efforts, but our recent experience shows that it is the first step toward providing information assurance. During our work over the previous three years with companies located across the U.K., Canada and the U.S., we have worked closely with them to identify what constitutes a critical asset and how to protect it. From this work, we have drawn a simple but substantive conclusion: An organization’s most critical asset is its information. Thus, a breach of the integrity, confidentiality or availability of that asset will have a significant impact on its operations and reputation.
The IAR becomes more than a roadmap for security measures. The IAR creates a single, consistent catalogue of the information assets that are protected and that meet legal and statutory obligations but, equally important, provides assurance that if a cyber event occurs, critical business functions will have the information needed to recover operations.
A Regulatory Point Of View
The General Data Protection Regulation (GDPR) is the new data protection regulation that U.K. and European Union (EU) companies are required to adopt, regardless of the U.K.’s membership status following the Brexit referendum. While there are many similarities with the Data Protection Act, a significant change stipulates that fines can be imposed when a data controller has demonstrated a lack of compliance, as opposed to only on evidence of an actual data breach. Record management and retention are under particular scrutiny.
A Technology Point Of View
With the adoption of next-generation technologies such as cloud and other infrastructure optimizations, organizations are implementing configuration management databases (CMDB) to track their physical assets, including products, systems, software and facilities. The CMDB is a repository that holds data relating to a collection of information technology (IT) assets and a description of the relationships between such assets. A CMDB helps an organization understand the relationships between the components of a system as well as track their configurations. The CMDB can be used for many things, including providing assurance that in the case of a cyber event, critical business functions will have the information technology needed to recover operations.
Cataloguing Your Information: The Process
To develop an operational IAR, information assets first need to be located. Discovering where the assets are may not seem complicated initially, but many organizations have lost the ability to track their assets. In working with organizations, I have found that a three-step plan is simple and effective. The first step is to define the scope of the IAR, what level of information granularity is required, the initial data-gathering instrument and how to manage and protect the IAR itself. The second step is to gather the data to be placed in the IAR. In many organizations, a simple spreadsheet can be used as the initial IAR gathering tool. The gathering tool is disseminated to your organization’s information asset owners and/or data custodians. Once the information has been gathered, the responses are analysed; risk assessments should be conducted for particular information assets that have potentially higher risks, as indicated in the information security or data classification policy. The third and final step is to implement the IAR, ideally with a commercially available tool, and map the IAR data to the CMDB and the GDPR inventory efforts, if both exist.
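As an added illustration of steps two and three (not code from the article or any product it mentions), the following script reads a spreadsheet-style IAR gathering sheet exported as CSV, flags the assets that the classification policy would route to a risk assessment, and checks each row against a list of CMDB configuration-item ids. The column names, the policy rule (high confidentiality, integrity or availability triggers an assessment) and the "CI-" id format are all assumptions; the sample rows and CMDB ids are constructed.

```python
import csv
import io

# Constructed sample of an IAR gathering sheet; column names are assumed.
SAMPLE_IAR = """asset,owner,location,confidentiality,integrity,availability,retention_years,cmdb_id
HR payroll extract,hr-lead,shared drive,high,medium,medium,7,CI-0012
Sales dashboard,sales-ops,data warehouse,medium,high,high,3,CI-0040
Customer contact list,marketing,spreadsheet,high,low,low,,
Office floor plan,facilities,paper,low,low,low,1,CI-0099
"""

# Constructed set of CMDB configuration-item ids (assumed "CI-" format).
SAMPLE_CMDB_IDS = {"CI-0012", "CI-0040"}

# Fields every row must carry before the register is considered complete.
REQUIRED = ("asset", "owner", "location", "confidentiality",
            "integrity", "availability", "retention_years")

def load_iar(text):
    """Parse the CSV export of the gathering sheet into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def needs_risk_assessment(row):
    """Assumed policy rule: high confidentiality, or critical (high)
    integrity or availability, routes the asset to a risk assessment."""
    return (row["confidentiality"] == "high"
            or row["integrity"] == "high"
            or row["availability"] == "high")

def review(rows, cmdb_ids):
    """Return a dict of asset name -> list of findings (empty list = ok)."""
    findings = {}
    for row in rows:
        issues = []
        missing = [c for c in REQUIRED if not row.get(c)]
        if missing:
            issues.append("missing: " + ",".join(missing))
        if needs_risk_assessment(row):
            issues.append("risk assessment required")
        if row.get("cmdb_id") and row["cmdb_id"] not in cmdb_ids:
            issues.append("cmdb_id not found in CMDB")
        elif not row.get("cmdb_id"):
            issues.append("not mapped to CMDB")
        findings[row["asset"]] = issues
    return findings

if __name__ == "__main__":
    for asset, issues in review(load_iar(SAMPLE_IAR), SAMPLE_CMDB_IDS).items():
        print(asset, "->", issues or ["ok"])
```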
What Type Of Data: The Scope
It is useful to keep a full asset register that includes all assets, not only those where the confidentiality classification is high risk or where the integrity and availability of the data are critical. We found that not limiting the IAR has the added value of being able to use it to review security measures such as access controls, or to validate both the business continuity and disaster recovery requirements. In addition, the exercise identified information that should have been securely destroyed but instead carried an incorrect retention classification, as well as highly restricted sensitive personal data that had been misclassified. The IAR also assisted in thinking about resilience and business continuity, prompting us to consider the unstructured data on shared drives that, if lost, would be disruptive to a critical business process.
The Value of the IAR
The IAR will provide an institution-wide view of information assets and the insight needed to improve the management and security of that information, with a reasonable and proportionate approach to mitigating risks and minimizing the effect of both cyber and business disruptions.