Asset and Data Management

Data and Asset Management for Cybersecurity Protection

Tracking inventory of IT hardware is the simplest example of asset management. Knowing what you have, where it lives, how important it is, and who's responsible for it are all important pieces of the puzzle.

Similarly, an Information Asset is an item of value containing information. The same concepts of general asset management apply to the management of information assets (e.g., data). To be effective, an overall asset management strategy should include information assets, software assets, and information technology equipment. In addition, the people employed by an organization, as well as the organization's reputation, are also important assets not to be overlooked in an effective asset management strategy.

Our IT asset management program allows your company to maintain an accurate, documented IT environment outlining asset and data owners, and pinpointing risk and security issues across the network. Allowing organization to with these requirements which may lead fines or other penalties.


Why Does Asset Management Matter for Cybersecurity

An organization should be in a position to know what physical, environmental, or information assets it holds, and be able to manage and protect them appropriately. Important elements to consider when developing an asset and data management strategy are:

Asset management is all about discovery, ownership, value, acceptable use, protection, and disposal of information-related assets. Assets can be tangible, like hardware, or intangible, like software and data. Whether you are with a small or large institution, a good place to start is:

  1. Know What You Have

  2. Know Where It Is

  3. Know Who Owns It and Who Maintains It, and

  4. Know How Important It Is To The Institution.

How Asset & Data management help with cybersecurity

Develop the 4 "knows" for a great start and, perhaps, successful finish to your asset and data management initiative. Each of the "knows" is expanded upon below.

Know What You Have

  1. Review potential institutional sources of information assets. A holistic perspective that includes data centers, hardware, software, and data may require various sources including:

    1. Institutional asset inventory reports from departments responsible for purchasing and equipment asset inventory.

    2. Institutional information security risk assessments.

    3. Business Continuity and Disaster Recovery plans (good source for critical systems).

    4. Visit your institution’s CIO and data center management and discuss what information resources are under their custody.

    5. Visit major stakeholders (senior staff, administrative department heads, etc.,) and discuss what information systems and data their department handles.

  2. Create a spreadsheet of the items.

    1. List the assets for each category.

    2. Define distinct categories for the types of assets in your institution (e.g., infrastructure, data center hardware, information systems/applications, data).

Know Where It Is

  3. Record the physical location of the asset in your spreadsheet. You may want to divide them into Local and Hosted.

    1. Include under Local institutional brick and mortar physical locations such as classrooms, data centers, labs, or offices. Example: the location of collaborative research materials on a file share may be Primary Data Center X.

    2. Include under Hosted third-party vendor data centers and other remote locations not owned by the institution. Example: the location of the learning management system is Vendor X data center located in Address.

Know Who Owns It and Who Maintains It

  4. Identify and record in your spreadsheet the Owners and Custodians for each of the assets listed in your spreadsheet. Most of the time, the individuals responsible for the security of the asset and ensuring compliance are not the same as the individuals responsible for implementing security controls and day-to-day operations.

    • Example 1 (Local): the owner of the Information System may be the Registrar and the custodian may be the institution’s IT department.

    • Example 2 (Local): the owner of the network switches may be the Director of Office of Network and Telecommunications and the custodian may be the same department.

    • Example 3 (Hosted): the owner of the Learning Management System may be the Dean of the School of Business and the custodian may be Vendor X.

Know How Important It Is To The Institution

  5. Review the federal or state laws, regulations, rules or institutional policies that require protection of information resources. These could be FERPA, HIPAA, or a state law governing social security number use.

  6. Review your institution’s Data Classification Policy.

  7. Determine from your sources from Step 1 whether your institution’s assets are classified in accordance with the Data Classification policy. If not, this Data Classification may be helpful to you in getting started.

    1. Create a simple classification schema (e.g., Public, Restricted, Confidential).

Create a criticality rating for the assets. For example (highest to lowest):

  • 1 – critical is always available and protected

  • 2 – very important this asset is available and protected

  • 3 – important if this asset is available and protected

  • 4 – good if this asset is available with minimal protection
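The spreadsheet built in the steps above can be checked mechanically for gaps in the four "knows". The following is an added example, not part of the original page: the column names, the sample rows, and the helper functions are assumptions made for illustration, while the classification schema, the Local/Hosted split, and the 1-4 criticality scale come from the steps above.

```python
import csv
import io
# Constructed sample inventory; column names are assumed, not from the page.
SAMPLE_CSV = """asset,category,location_type,location,owner,custodian,classification,criticality
Student Information System,information systems/applications,Local,Primary Data Center X,Registrar,IT department,Confidential,1
Learning Management System,information systems/applications,Hosted,Vendor X data center,Dean of the School of Business,Vendor X,Restricted,2
Network switches,infrastructure,Local,,Director of Office of Network and Telecommunications,Director of Office of Network and Telecommunications,Restricted,2
Research file share,data,Local,Primary Data Center X,,IT department,Secret,7
"""

CLASSIFICATIONS = {"Public", "Restricted", "Confidential"}  # schema from step 7
LOCATION_TYPES = {"Local", "Hosted"}                        # split from step 3
CRITICALITY = {"1", "2", "3", "4"}                          # 1 = highest

def audit_row(row):
    """Return the list of 'knows' that this inventory row fails."""
    gaps = []
    if not row["asset"].strip() or not row["category"].strip():
        gaps.append("what: asset name or category missing")
    if row["location_type"] not in LOCATION_TYPES or not row["location"].strip():
        gaps.append("where: location type or location missing")
    if not row["owner"].strip():
        gaps.append("who: owner missing")
    if not row["custodian"].strip():
        gaps.append("who: custodian missing")
    if row["classification"] not in CLASSIFICATIONS:
        gaps.append("importance: classification not in schema")
    if row["criticality"] not in CRITICALITY:
        gaps.append("importance: criticality must be 1-4")
    return gaps

def audit_inventory(csv_text):
    """Map asset name -> gaps, for rows with at least one gap."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        gaps = audit_row(row)
        if gaps:
            report[row["asset"]] = gaps
    return report

def review_order(csv_text):
    """Names of complete rows, most critical first, for control review."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text)) if not audit_row(r)]
    return [r["asset"] for r in sorted(rows, key=lambda r: int(r["criticality"]))]

if __name__ == "__main__":
    for asset, gaps in audit_inventory(SAMPLE_CSV).items():
        print(asset, "->", "; ".join(gaps))
```

Rows that fail the audit are the ones to take back to the owner or custodian before the inventory is used to prioritize protection.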

Asset & Data management

Our software-as-a-service solution helps enable data and asset collection for your organization, which is key in the data asset management process. Businesses must maintain databases of everything from product details to customer information.