Why Organizations Need an Information Asset Register

by Warren Zafrin
April 11, 2018
in Data Privacy, Featured

Guidance for Information Governance Guardians

Every business relies on information assets to carry out its daily functions. Today's increased cybersecurity risks call for organizations to monitor their data closely so that they can classify and protect it. While this is a difficult task to undertake, companies can utilize an Information Asset Register, an effective and reliable tool for securing their data.

First, a definition: An Information Asset Register (IAR) is a catalogue of the information an organization holds and processes, where it is stored, how it moves and who has access to it. With increasing and evolving cyber risk, every organization, irrespective of size, needs to know where its data is so that it can classify and protect that data based on how critical it is to the business.

Every organization's business activities rely on different kinds of information assets, such as software, applications, websites, databases, datasets, analytics in the data warehouse, storage, downloads or extracts from your core systems (e.g., finance, human resources, sales, data warehouse), shared drive content, spreadsheets, emails, paper records, etc.

Developing an IAR does not require an overhaul of your current cyber risk program; quite the contrary. The most effective method for adopting an IAR is a risk-based approach. A risk-based approach ensures that the appropriate technical and operational measures are implemented to protect your most important information and assets from evolving threats and vulnerabilities. An IAR may sound duplicative of other data management efforts, but our recent experience shows that it is the first step toward providing information assurance. During our work over the previous three years with companies located across the U.K., Canada and the U.S., we have worked closely with them to identify what constitutes a critical asset and how to protect it. During this work, we have drawn a simple but substantive conclusion: An organization's most critical asset is its information. Thus, a breach of the integrity, confidentiality or availability of that asset will have a significant impact on the organization's operations and reputation.

The IAR becomes more than a roadmap for security measures. It creates a single, consistent catalogue of the information assets that are protected and that meet legal and statutory obligations; equally important, it provides assurance that if a cyber event occurs, critical business functions will have the information needed to recover operations.

A Regulatory Point Of View

The General Data Protection Regulation (GDPR) is the new data protection regulation that U.K. and European Union (EU) companies are required to adopt, regardless of the U.K.'s membership status following the Brexit referendum. While there are many similarities with the Data Protection Act, a significant change is that fines can be imposed when a data controller has demonstrated a lack of compliance, as opposed to only on evidence of an actual data breach. Records management and retention are under particular scrutiny.

A Technology Point Of View

With the adoption of next-generation technologies such as cloud and other infrastructure optimizations, organizations are implementing configuration management databases (CMDB) to track their physical assets, including products, systems, software and facilities. The CMDB is a repository that holds data relating to a collection of information technology (IT) assets and a description of the relationships between such assets. A CMDB helps an organization understand the relationships between the components of a system as well as track their configurations. The CMDB can be used for many things, including providing assurance that in the case of a cyber event, critical business functions will have the information technology needed to recover operations.

Cataloguing Your Information: The Process

To develop an operational IAR, information assets first need to be located. Discovering where the assets are may not seem complicated initially, but many organizations have lost the ability to track them. In working with organizations, I have found that a three-step plan is simple and effective. The first step is to define the scope of the IAR: what level of information granularity is required, the initial data-gathering instrument, and how the IAR itself will be managed and protected. The second step is to gather the data to be placed in the IAR. In many organizations, a simple spreadsheet can serve as the initial gathering tool. The gathering tool is disseminated to your organization's information asset owners and/or data custodians. Once the information has been gathered, the responses are analysed; risk assessments should be conducted for those information assets that carry potentially higher risk, as indicated by the information security or data classification policy. The third and final step is to implement the IAR, ideally with a commercially available tool, and map the IAR data to the CMDB and to the GDPR inventory effort, if both exist.

What Type Of Data: The Scope

It is useful to keep a full asset register that includes all assets, not only those whose confidentiality classification is high risk or whose integrity and availability are critical. We found that not limiting the IAR has the added value of being able to use it to review security measures such as access controls or to validate both business continuity and disaster recovery requirements. In addition, information was identified that should have been securely destroyed but instead carried the incorrect retention classification, along with misclassified, highly restricted sensitive personal data. The IAR also assisted in thinking about resilience and business continuity, prompting us to consider the unstructured data on shared drives that, if lost, would disrupt a critical business process.
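The following is an added illustration, not the author's or UHY's tool, of the analysis described in the three-step process above and in this section: a spreadsheet-style IAR is triaged for assets whose C/I/A ratings trigger a risk assessment, assets past their retention date that should have been securely destroyed, and assets with no CMDB link (typically unstructured shared-drive content). The field names, ratings, sample rows, CMDB identifiers and the tiering policy are all assumptions for illustration.

```python
"""Spreadsheet-style IAR triage: added example, not the author's or UHY's tool.
Field names, ratings and the tiering policy are assumptions for illustration."""
from datetime import date

# Constructed sample rows from the initial gathering spreadsheet, one per asset:
# where it lives, who owns it, C/I/A ratings, retention end, and CMDB link (if any).
IAR_ROWS = [
    {"id": "IA-001", "name": "HR master data", "owner": "HR Director", "location": "hr-db01",
     "c": "high", "i": "high", "a": "medium", "retention_end": "2030-12-31", "cmdb_id": "CI-4411"},
    {"id": "IA-002", "name": "Sales pipeline workbook", "owner": "Sales Ops", "location": "shared drive",
     "c": "medium", "i": "medium", "a": "medium", "retention_end": "2027-06-30", "cmdb_id": ""},
    {"id": "IA-003", "name": "2015 customer extract", "owner": "unknown", "location": "shared drive",
     "c": "high", "i": "low", "a": "low", "retention_end": "2017-12-31", "cmdb_id": ""},
    {"id": "IA-004", "name": "Marketing site content", "owner": "Marketing", "location": "web01",
     "c": "low", "i": "medium", "a": "medium", "retention_end": "2026-01-01", "cmdb_id": "CI-0220"},
]
# Constructed CMDB configuration-item IDs that the IAR should map onto.
CMDB_IDS = {"CI-4411", "CI-0220", "CI-0305"}
LEVELS = {"low": 1, "medium": 2, "high": 3}


def risk_tier(row):
    """Assumed policy: the highest of the C/I/A ratings sets the tier, so any
    'high' rating sends the asset to a formal risk assessment."""
    worst = max(LEVELS[row["c"]], LEVELS[row["i"]], LEVELS[row["a"]])
    return {3: "assess", 2: "monitor", 1: "baseline"}[worst]


def needs_risk_assessment(rows):
    """Step 2 analysis: assets whose ratings trigger a risk assessment."""
    return [r["id"] for r in rows if risk_tier(r) == "assess"]


def retention_expired(rows, today_iso):
    """Assets past retention that should already have been securely destroyed."""
    today = date.fromisoformat(today_iso)
    return [r["id"] for r in rows if date.fromisoformat(r["retention_end"]) < today]


def unmapped_to_cmdb(rows, cmdb_ids):
    """Step 3 mapping: assets with no CMDB item, typically unstructured shared-drive
    content that a recovery plan built from the CMDB alone would miss."""
    return [r["id"] for r in rows if r["cmdb_id"] not in cmdb_ids]


def triage(rows, cmdb_ids, today_iso):
    """Combined findings for the register review."""
    return {
        "risk_assessment": needs_risk_assessment(rows),
        "destroy": retention_expired(rows, today_iso),
        "no_cmdb_link": unmapped_to_cmdb(rows, cmdb_ids),
    }
```

Running `triage(IAR_ROWS, CMDB_IDS, "2018-04-11")` on the constructed rows flags IA-001 and IA-003 for assessment, IA-003 for secure destruction, and IA-002 and IA-003 as having no CMDB link.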

The Value of the IAR

The IAR provides an institution-wide view of information assets and the insight needed to improve the management and security of that information through a reasonable and proportionate approach that mitigates risks and minimizes the effect of both cyber and business disruptions.
