Asset and Data Management
An asset is defined as "an item of value". (Source: Merriam-Webster's Online Dictionary) Asset and data management is based on the idea that it is important to identify, track, classify, and assign ownership for the most important assets in your institution to ensure they are adequately protected. Tracking inventory of IT hardware is the simplest example of asset management. Knowing what you have, where it lives, how important it is, and who's responsible for it are all-important pieces of the puzzle.
Similarly, an Information Asset is an item of value containing information. The same concepts of general asset management apply to the management of information assets (e.g., data). To be effective, an overall asset management strategy should include information assets, software assets, and information technology equipment. In addition, the people employed by an organization, as well as the organization's reputation, are also important assets not to be overlooked in an effective asset management strategy.
An institution should be in a position to know what physical, environmental or information assets it holds, and be able to manage and protect them appropriately. Important elements to consider when developing an asset and data management strategy are:
- Inventory (do you know what assets you have and where they are?)
- Responsibility/Ownership (do you know who is responsible for each asset?)
- Importance (do you know how important each asset is in relation to other assets?)
- Establish acceptable-use rules for information and assets.
- Establish procedures for the labeling of physical and information assets.
- Establish return-of-asset procedures (do you have an employee exit procedure?)
- Protection (is each asset adequately protected according to how important it is?)
It is well known that you cannot secure what you do not know exists. Asset and data management is all about discovery, ownership, value, acceptable use, protection, and disposal of information-related assets. Assets can be tangible, like hardware, or intangible, like software and data. Whether you are with a small or large institution, a good place to start is:
- Know What You Have
- Know Where It Is
- Know Who Owns It and Who Maintains It, and
- Know How Important It Is To The Institution.
Develop the 4 "knows" for a great start and, perhaps, a successful finish to your asset and data management initiative. Each of the "knows" is expanded upon below.
Know What You Have
- Review potential institutional sources of information assets. A holistic perspective that includes data centers, hardware, software, and data may require various sources, including:
  - Institutional asset inventory reports from departments responsible for purchasing and equipment asset inventory.
  - Institutional information security risk assessments.
  - Business Continuity and Disaster Recovery plans (a good source for critical systems).
  - Visit your institution's CIO and data center management and discuss what information resources are under their custody.
  - Visit major stakeholders (senior staff, administrative department heads, etc.) and discuss what information systems and data their department handles.
- Create a spreadsheet of the items.
- List the assets for each category.
- Define distinct categories for the types of assets in your institution (e.g., infrastructure, data center hardware, information systems/applications, data).
Know Where It Is
- Record the physical location of the asset in your spreadsheet. You may want to divide them into Local and Hosted.
  - Local: institutional brick-and-mortar physical locations such as classrooms, data centers, labs, or offices. Example: the location of collaborative research materials on a file share may be Primary Data Center X.
  - Hosted: third-party vendor data centers and other remote locations not owned by the institution. Example: the location of the learning management system is Vendor X data center located in Address.
Know Who Owns It and Who Maintains It
- Identify and record in your spreadsheet the Owners and Custodians for each of the assets listed. Most of the time, the individuals responsible for the security of the asset and for ensuring compliance (owners) are not the same as the individuals responsible for implementing security controls and day-to-day operations (custodians).
  - Example 1 (Local): the owner of the Information System may be the Registrar and the custodian may be the institution's IT department.
  - Example 2 (Local): the owner of the network switches may be the Director of the Office of Network and Telecommunications and the custodian may be the same department.
  - Example 3 (Hosted): the owner of the Learning Management System may be the Dean of the School of Business and the custodian may be Vendor X.
Know How Important It Is To The Institution
- Review the federal or state laws, regulations, rules, or institutional policies that require protection of information resources. These could be FERPA, HIPAA, or a state law governing social security number use.
- Review your institution's Data Classification Policy.
- Determine from the sources you identified in step 1 (Know What You Have) whether your institution's assets are classified in accordance with the Data Classification Policy. If not, this Data Classification may be helpful to you in getting started.
- Create a simple classification schema (e.g., Public, Restricted, Confidential).
- Create a criticality rating for the assets. For example (highest to lowest):
  1 – critical: this asset must always be available and protected
  2 – very important that this asset is available and protected
  3 – important that this asset is available and protected
  4 – good if this asset is available, with minimal protection
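The four "knows" above amount to a register with one row per asset: what it is, where it is (Local or Hosted), who owns and who maintains it, and how important it is (classification plus criticality rating). The following is an added example, not part of the original guide, of such a register kept as a CSV export of the spreadsheet and checked for incomplete rows. The column names, the sample assets, and the gap-check rules are this example's own assumptions, modelled on the spreadsheet fields, the example classification schema, and the 1-4 criticality scale described above.

```python
"""Added example (not from the original guide): an asset register that records
the "4 knows" and flags rows that fail them.  Field names, sample rows and
check rules are assumptions modelled on the guide's spreadsheet columns."""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List

# Classification schema and criticality scale as given in the guide (assumed values)
CLASSIFICATIONS = {"Public", "Restricted", "Confidential"}
CRITICALITY = {1: "critical", 2: "very important", 3: "important", 4: "good"}
LOCATION_TYPES = {"Local", "Hosted"}


@dataclass
class Asset:
    name: str
    category: str         # e.g. infrastructure, data center hardware, application, data
    location_type: str    # Local or Hosted
    location: str         # e.g. "Primary Data Center X" or "Vendor X data center"
    owner: str            # accountable for security and compliance
    custodian: str        # implements controls and day-to-day operations
    classification: str   # Public / Restricted / Confidential
    criticality: int      # 1 (highest) .. 4 (lowest)


# Constructed sample inventory, as it might be exported from the spreadsheet.
# Two rows are deliberately incomplete (no owner; rating outside the 1-4 scale).
SAMPLE_CSV = """name,category,location_type,location,owner,custodian,classification,criticality
Student Information System,application,Local,Primary Data Center X,Registrar,Central IT,Confidential,1
Core network switches,infrastructure,Local,Primary Data Center X,Director of Network and Telecommunications,Network and Telecommunications,Restricted,1
Learning Management System,application,Hosted,Vendor X data center,Dean of School of Business,Vendor X,Restricted,2
Research file share,data,Local,Primary Data Center X,,Central IT,Confidential,2
Campus map website,application,Hosted,Vendor Y data center,Communications Office,Vendor Y,Public,5
"""


def load_inventory(csv_text: str) -> List[Asset]:
    """Parse the spreadsheet export into Asset records."""
    assets = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        rating = r["criticality"].strip()
        assets.append(Asset(
            name=r["name"].strip(), category=r["category"].strip(),
            location_type=r["location_type"].strip(), location=r["location"].strip(),
            owner=r["owner"].strip(), custodian=r["custodian"].strip(),
            classification=r["classification"].strip(),
            criticality=int(rating) if rating.isdigit() else 0,
        ))
    return assets


def find_gaps(assets: List[Asset]) -> Dict[str, List[str]]:
    """Return {asset name: [problems]} for rows that fail one of the 4 knows.
    A complete row says what it is, where it is, who owns and maintains it,
    and how important it is (valid classification and criticality rating)."""
    gaps: Dict[str, List[str]] = {}
    for a in assets:
        problems = []
        if not a.location or a.location_type not in LOCATION_TYPES:
            problems.append("location missing or not Local/Hosted")
        if not a.owner:
            problems.append("no owner")
        if not a.custodian:
            problems.append("no custodian")
        if a.classification not in CLASSIFICATIONS:
            problems.append("classification not in schema")
        if a.criticality not in CRITICALITY:
            problems.append("criticality rating outside 1-4")
        if problems:
            gaps[a.name] = problems
    return gaps


def by_criticality(assets: List[Asset]) -> List[str]:
    """Asset names ordered most critical first (ties broken by name), so the
    review of whether protection matches importance starts with what matters most.
    Rows with an invalid rating sort last until they are corrected."""
    ranked = sorted(assets,
                    key=lambda a: (a.criticality if a.criticality in CRITICALITY else 99, a.name))
    return [a.name for a in ranked]


if __name__ == "__main__":
    inventory = load_inventory(SAMPLE_CSV)
    for name, problems in find_gaps(inventory).items():
        print(f"{name}: {', '.join(problems)}")
    print("Review order:", by_criticality(inventory))
```

Run as-is and it reports the two incomplete rows and lists the assets in review order. Keeping the owner and custodian as separate columns mirrors the distinction drawn above: the owner answers for security and compliance, the custodian operates the controls, and a blank in either column is a gap to close before the protection review.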