Since the first step towards securing anything is understanding what you have, an Information Asset Register is crucial.
Grant McGregor explains what an Information Asset Register is – and why your organisation needs one.
The first thing to note is that an Asset Register in an information sense is different to the fixed asset register that you may know from accounting.
Instead, an Information Asset Register (IAR) is a database which holds details of all the information assets within your organisation. This can include physical assets such as paper files, computer systems and even people, as well as, importantly, the data itself and how you store, process and share it.
Creating an IAR helps to make information assets easy to find, share and maintain. It is also a vital first step to protecting the information assets your organisation holds.
The key benefit of creating an IAR is the improved understanding and visibility it gives an organisation over the information assets it holds.
Having a well-maintained IAR will also play an important role in being able to demonstrate you took steps to understand and protect those assets, as required under GDPR.
In addition, having an IAR increases visibility of data flows, which can further help to mitigate the risk of data breaches. It is a vital tool for businesses that need to share their own data with third parties. GDPR places the responsibility to protect shared data on the original holder of that data. This means that if any of the companies with which you share data falls victim to a data breach, your organisation will be able to assess exactly what data has been compromised and what further steps must be taken to reduce any financial and reputational damage.
Therefore, creating an IAR is not only important to help your organisation protect its data, but also to help you minimise any subsequent business risks that arise from GDPR, e.g. the hefty fines you may suffer if you can’t adequately demonstrate you took steps to protect data that was compromised.
If you already have some existing financial asset registers within your business, these can be a good place to start to avoid the duplication of effort.
Otherwise, start by interviewing each head of department and asking them to list all the information assets their department uses. Each department head can cascade the request down, eventually to user level. By aggregating information about assets collected from local users, you can build up a clear and complete picture.
Not only will this approach help you quickly develop a register of assets, but you will have made the first steps towards defining ownership of those assets.
IASME Governance underlines the need to assign an “asset owner” to each asset. Typically, this will be the person using the asset (if only one person uses it), or, in the case of shared assets, the person who has the responsibility across the whole organisation (e.g. the department head, or Chief Information Officer).
The next step is to assess the risks to each asset – whether from malicious activity, malfunction, human error, or environmental factors – and their likely probability and business impact.
Following from this, you will need to consider how to balance the need to protect resources against the probability and perceived business impact of potential threats.
All of this information should be recorded within your IAR.
Your IAR must be a living record, given the rapid way information is gathered, shared and updated. Fast-growing organisations or organisations undergoing significant change, in particular, will need to work to maintain their IAR.
Assets should be periodically reviewed, to ensure their classification, ownership and any restrictions are still in line with business needs and perceived risk, and that effective deletion / deployment processes are in place and enacted when the asset is no longer required.
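The steps above (list the assets, assign an owner to each, score the likelihood and business impact of the threats to it, record any third parties it is shared with, and review it periodically) map naturally onto a small data model. The following is an added example, not Grant McGregor's or IASME's own tooling, and the field names, the 1 to 5 likelihood and impact scales, the 365-day review interval and the sample asset entries are all assumptions constructed for illustration. It shows how a register of this shape answers the practical questions the article raises: which assets have no owner, which are overdue for review, which were shared with a given third party (the "what was exposed at the supplier?" question), and which are held without a stated reason.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class InformationAsset:
    """One row of the register. Field names are assumptions for this example."""
    name: str
    asset_type: str                  # "data", "system", "paper", "people" ...
    owner: Optional[str]             # the accountable "asset owner"; None = not yet assigned
    classification: str              # e.g. "public", "internal", "confidential"
    shared_with: List[str] = field(default_factory=list)  # third parties holding a copy
    likelihood: int = 1              # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int = 1                  # assumed scale: 1 (negligible) .. 5 (severe)
    last_reviewed: Optional[date] = None
    retention_reason: Optional[str] = None  # why the data is still held (defensible deletion)

    def __post_init__(self) -> None:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be on the 1..5 scale")

    def risk_score(self) -> int:
        # Likelihood x impact product; the article prescribes no particular scoring scheme.
        return self.likelihood * self.impact


class InformationAssetRegister:
    """Hypothetical in-memory IAR with the checks a periodic review needs."""

    def __init__(self, review_interval_days: int = 365):
        self.assets: Dict[str, InformationAsset] = {}
        self.review_interval = timedelta(days=review_interval_days)

    def add(self, asset: InformationAsset) -> None:
        if asset.name in self.assets:
            raise ValueError(f"duplicate asset name: {asset.name}")
        self.assets[asset.name] = asset

    def unowned(self) -> List[str]:
        return [a.name for a in self.assets.values() if a.owner is None]

    def overdue_reviews(self, today: date) -> List[str]:
        # Never-reviewed assets count as overdue, as do those past the review interval.
        return [a.name for a in self.assets.values()
                if a.last_reviewed is None or a.last_reviewed + self.review_interval < today]

    def shared_with(self, third_party: str) -> List[str]:
        # What would need assessing if this third party reported a breach.
        return [a.name for a in self.assets.values() if third_party in a.shared_with]

    def lacking_retention_reason(self) -> List[str]:
        return [a.name for a in self.assets.values() if a.retention_reason is None]

    def by_risk(self) -> List[str]:
        # Highest risk first; sorted() is stable, so ties keep insertion order.
        return [a.name for a in sorted(self.assets.values(),
                                       key=lambda a: a.risk_score(), reverse=True)]


def build_sample_register() -> InformationAssetRegister:
    """Constructed sample entries; every name here is fictional."""
    reg = InformationAssetRegister(review_interval_days=365)
    reg.add(InformationAsset("Customer CRM database", "data", "Head of Sales", "confidential",
                             shared_with=["Hypothetical Mailing Co"], likelihood=3, impact=5,
                             last_reviewed=date(2023, 1, 10), retention_reason="active contracts"))
    reg.add(InformationAsset("HR personnel files (paper)", "paper", "HR Manager", "confidential",
                             likelihood=2, impact=4, last_reviewed=date(2024, 6, 1),
                             retention_reason="employment records"))
    reg.add(InformationAsset("Marketing contact list", "data", None, "internal",
                             shared_with=["Hypothetical Mailing Co"], likelihood=4, impact=3))
    return reg


def review_report(reg: InformationAssetRegister, today: date) -> Dict[str, List[str]]:
    """The action list a periodic review would produce from the register."""
    return {
        "unowned": reg.unowned(),
        "overdue_reviews": reg.overdue_reviews(today),
        "no_retention_reason": reg.lacking_retention_reason(),
        "by_risk": reg.by_risk(),
    }


if __name__ == "__main__":
    register = build_sample_register()
    for heading, names in review_report(register, date(2024, 9, 1)).items():
        print(f"{heading}: {names}")
    print("shared with Hypothetical Mailing Co:", register.shared_with("Hypothetical Mailing Co"))
```

The point of the model is that each check corresponds to one of the article's obligations: an empty `owner` means the cascade of responsibility described above has not reached that asset, a stale `last_reviewed` flags the review cycle, `shared_with` supports the breach assessment GDPR expects of the original data holder, and a missing `retention_reason` is the defensible-deletion question made explicit.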
Adopting good policies around deletion of assets is also imperative under GDPR. As well as offering individuals the opportunity to request to view or delete the data your organisation holds on them, GDPR shifts the emphasis towards defensible deletion. In other words, if you haven’t got a good reason to be holding data on individuals – whether customers, employees, or other business contacts – you shouldn’t be holding it.
Maintaining an Information Asset Register is also the first step to achieving an ISO 27001 accreditation. While ISO 27001 is an important accreditation for organisations in which holding or managing data is a core business function, it can be unnecessarily onerous for the majority of small to medium-sized businesses.
For this reason, the UK Government developed the IASME Governance standard. IASME is a cyber security standard which is an affordable and achievable alternative to the international ISO 27001 standard.
Grant McGregor believes that IASME enables organisations to demonstrate good cyber security at a level better suited to most small and medium-sized businesses. Here too, developing and maintaining an Information Asset Register can help enormously if you decide to go for IASME accreditation.
Holding an IASME accreditation is highly recommended and helps prove your organisation’s commitment to cyber security. This is important in winning new business, especially government contracts. Plus, by demonstrating your commitment to good cyber security you are also insulating your organisation from GDPR fines.
For more information about how to create an Information Asset Register for your organisation, or about obtaining the IASME accreditation, speak with a Grant McGregor consultant today on 0808 164 4142.
Image source: Freerange Stock