- Responsibility for Assets (ISO 7.1)
- Information Classification (ISO 7.2)
An asset is defined as "an item of value". (Source: Merriam-Webster's Online Dictionary) Asset management is based on the idea that it is important to identify, track, classify, and assign ownership for the most important assets in your institution to ensure they are adequately protected. Tracking inventory of IT hardware is the simplest example of asset management. Knowing what you have, where it lives, how important it is, and who is responsible for it are all important pieces of the puzzle.
Similarly, an Information Asset is an item of value containing information. The same concepts of general asset management apply to the management of information assets. To be effective, an overall asset management strategy should include information assets, software assets, and information technology equipment. In addition, the people employed by an organization, as well as the organization's reputation, are also important assets not to be overlooked in an effective asset management strategy.
An institution should be in a position to know what physical, environmental or information assets it holds, and be able to manage and protect them appropriately. Important elements to consider when developing an asset management strategy are:
- Inventory (do you know what assets you have & where they are?)
- Responsibility/Ownership (do you know who is responsible for each asset?)
- Importance (do you know how important each asset is in relation to other assets?)
- Establish acceptable-use rules for information and assets
- Protection (is each asset adequately protected according to how important it is?)
- ISO 27002: Information Security Management, Chapter 7: Asset Management
- ISO 27005: Information Security Risk Management
- NIST SP 800-30: Risk Management Guide for Information Technology Systems
- NIST SP 800-37: Guide for the Security Certification and Accreditation of Federal
- NIST SP 800-53: Recommended Security Controls for Federal Information Systems
- PCI DSS Requirement 9
Do you know what assets you have and where they are?
In order to effectively manage an organization's assets, you must first understand what assets you have and where your organization keeps them. Some institutional asset examples are IT hardware, software, data, system documentation, and storage media. Supporting assets such as data center air systems, UPSs, and services should be included in the inventory. All assets should be accounted for and have an owner. If improperly managed, assets can become liabilities.
So where do you begin?
Categorize your assets. Begin by defining distinct categories of the types of assets in your institution. Each category should have its own inventory or classification structure based on the assets that category may contain.
(Category: Data Center Hardware)
Create a list of assets for each category. Creating a list of an institution’s assets and their corresponding locations is the beginning of your inventory. Often, the process of doing so helps identify additional assets that previously had not been considered.
(Category: Data Center Hardware; Asset: Core Network Switches)
Add a location for each asset. Location could be a brick and mortar physical location such as a classroom, data center or office. It could also be collaborative research materials on a file share or financial information stored in a database.
(Category: Data Center Hardware; Asset: Core Network Switches; Location: Einstein Bldg., Rm. 0001)
Because assets can be many things and serve multiple functions, there will likely be more than one inventory process or system used to capture the range of assets that exist at an institution. Make sure you connect with other areas to see what form of hardware inventory already exists. Don't start from zero. Each inventory system should not unnecessarily duplicate other inventories that may exist.
Do you know who is responsible for each asset?
Once you have begun to capture an inventory of the potential assets and their locations, start identifying the responsible party, or parties, for each asset. An owner is a person, group of persons, or department that has been given formal responsibility for the security of an asset. The owner(s) are responsible for securing the asset(s) throughout the asset lifecycle.
Identifying the owners will help determine who will be responsible for carrying out protective measures, and responding to situations where assets may have been compromised. You will also quickly realize when it isn't clear who the appropriate responsible party is or when shared responsibility may be an issue.
(Category: Data Center Hardware; Asset: Core Network Switches; Location: Einstein Bldg., Rm. 0001; Owner: Director Thomas Stoltz Harvey)
The owner(s) of the assets should be able to identify acceptable uses or provide information on which institutional policy governs acceptable use. Work with the responsible owner, if need be, on acceptable uses. The acceptable uses should cover items such as who assumes the risk of loss, who grants access to the asset, and how a critical asset is kept functional during or after a loss. Policies governing the use, preservation and destruction of hardware may originate from your Asset Management Office. Many institutions also find it helpful to document expectations for the acceptable and responsible use of information technology assets in an Acceptable Use or Responsible Use Policy.
Identifying an owner, or responsible party, for physical hardware or software is relatively easy. Information assets may be a bit more difficult to identify, classify, and assign ownership to.
Do you know how important each asset is in relation to other assets?
All assets add value to an organization. However, not all assets are created equal. Gaining a clear understanding of the relative importance of each asset when compared to other organizational assets is an essential step if you are to adequately protect your assets. The importance of an asset can be measured by its business value and security classification or label.
Create a rating system for the asset. It can be as simple as (highest to lowest):
- 1 – Critical: it is critical that this asset is always available and protected
- 2 – Very important: it is very important that this asset is available and protected
- 3 – Important: it is important that this asset is available and protected
- 4 – Good: it is good if this asset is available, with minimal protection
Building on the previous example and adding a rating system, it would look like:
(Category: Data Center Hardware; Asset: Core Network Switches; Location: Einstein Bldg., Rm. 0001; Owner: Director Thomas Stoltz Harvey; Rate: 1 (Critical))
A student computer lab machine, depending on its location, may receive a lower rating (for example 4: it is good if the asset is available) and may be protected with only anti-virus software.
Do you know how important each information asset is in relation to other assets?
Information assets may not be equally important, nor equally sensitive or confidential in nature, nor require the same care in handling. One common method of ascertaining the importance of assets is data classification. Information assets should be classified according to their need for security protection and labeled accordingly.
So where do you begin?
Start with federal or state laws, regulations, rules or institutional policies that require certain information assets be protected. These could be FERPA, HIPAA, or a state law governing social security number use.
Pick a classification metric. Keep it simple. You may want to use something like (lowest to highest): Public, Restricted, Confidential.
Your inventory of information assets might then look like:
(Category: Information; Asset: Student Records; Location: Banner Cluster 1, database sis_prod; Owner: Dean of Admissions; Rate: 1 (Critical))
This Data Classification Toolkit may be helpful to you in getting started.
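The inventory records built up above, parsed and checked, as an added example that is not part of the original page: it reads the parenthesised "Key: value; Key: value" record format used here and flags the gaps the text warns about (an asset without an owner, a record duplicated across inventories, a rating outside the 1–4 scale or whose label does not match the scale, and an information asset with no classification label). The `Classification` key and every record other than the page's own two are constructed assumptions.

```python
import re

# Rating scale and classification labels exactly as given on this page.
RATING_LABELS = {1: "Critical", 2: "Very important", 3: "Important", 4: "Good"}
CLASSIFICATIONS = {"Public", "Restricted", "Confidential"}
REQUIRED = ("Category", "Asset", "Location", "Owner", "Rate")


def parse_record(line):
    """Parse one '(Key: value; Key: value)' inventory record into a dict."""
    body = line.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]  # strip only the outer parentheses, keep '1 (Critical)'
    fields = {}
    for part in body.split(";"):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def audit_inventory(lines):
    """Return (asset, issue) findings for the gaps the page warns about."""
    findings, seen = [], set()
    for line in lines:
        rec = parse_record(line)
        name = rec.get("Asset", "<unnamed>")
        for key in REQUIRED:  # every asset must be accounted for and have an owner
            if not rec.get(key):
                findings.append((name, f"missing {key}"))
        ident = (rec.get("Category"), name, rec.get("Location"))
        if ident in seen:  # same asset captured twice across inventories
            findings.append((name, "duplicate record"))
        seen.add(ident)
        m = re.match(r"(\d+)\s*(?:\((.*)\))?", rec.get("Rate", ""))
        if m:  # rate must sit on the 1-4 scale and its label must match
            number, label = int(m.group(1)), m.group(2)
            if number not in RATING_LABELS:
                findings.append((name, f"rate {number} outside 1-4"))
            elif label and label.lower() != RATING_LABELS[number].lower():
                findings.append((name, f"rate label '{label}' does not match {number}"))
        # Hypothetical 'Classification' key: information assets need a label.
        if rec.get("Category") == "Information" and rec.get("Classification") not in CLASSIFICATIONS:
            findings.append((name, "missing or unknown classification"))
    return findings


# Constructed sample inventory: the page's two records (the second extended with
# a Classification label) plus three constructed records with deliberate gaps.
SAMPLE_INVENTORY = [
    "(Category: Data Center Hardware; Asset: Core Network Switches; Location: Einstein Bldg., Rm. 0001; Owner: Director Thomas Stoltz Harvey; Rate: 1 (Critical))",
    "(Category: Information; Asset: Student Records; Location: Banner Cluster 1, database sis_prod; Owner: Dean of Admissions; Rate: 1 (Critical); Classification: Confidential)",
    "(Category: Student Lab; Asset: Lab Workstation 12; Location: Library, Rm. 210; Rate: 4 (Good))",
    "(Category: Data Center Hardware; Asset: Core Network Switches; Location: Einstein Bldg., Rm. 0001; Owner: Network Services; Rate: 2 (Critical))",
    "(Category: Information; Asset: Research Data Share; Location: fileshare01; Owner: Dr. A. Example; Rate: 3 (Important))",
]
```

Running `audit_inventory(SAMPLE_INVENTORY)` reports the ownerless lab workstation, the duplicated switch record with its mislabeled rating, and the unclassified research share, while the two page records pass.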
Is each asset adequately protected according to how important it is?
Different assets have different impacts on the continuity and reputation of the organization. Once you have determined the importance of your various organizational assets, you can begin the process of determining how best to protect them.
Many methods are employed to protect assets, ranging from legislative mandates (and their enforcement) to policies to technical security controls. Additionally, assets must be protected throughout their life cycle, from creation or purchase through final disposal or long-term storage.
Some institutions have established Data Stewardship policies to help ensure responsibilities for protecting data are effectively accomplished. It is important to note that data custodians/stewards are the decision-makers when it comes to accessing records. There needs to be a process in place for requesting access to both static and live data. The process/policy should include contract language or review to determine what happens to institutional data when a contract with a vendor is no longer in force. The data custodians/stewards can work with you to help develop policies if none are yet in place.
Other institutions conduct regular security assessments of assets considered to be critical for the functioning of an institution. Institutions may also address asset protection through physical security measures, or through background checks for newly hired and continuing personnel.
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.