Introduction
Why do any of us need security? When it comes right down to basics, we need
security to protect assets. These assets may be in physical or logical form. The
physical assets are, to a certain extent, easy to identify and therefore relatively easy
to protect. However, when it comes to logical or information assets, how many of us
know the full extent of the assets that we have responsibility for? So without knowing
what information assets we have, how can we expect to be able to secure or protect
them?
This document is designed to provide those persons with responsibilities for the
security of information assets with a basic understanding of information assets and
how they can be managed to the benefit of an organisation.
Information assets are all around us; we cannot run a business without them, and if
they get into the wrong hands they can do enormous amounts of damage. All
organisations and establishments have information assets that are handled and
communicated on a regular basis, and each organisation has an obligation to protect
those assets. Would you do business with an organisation that did not offer at least
some form of protection for the information regarding your relationship with them?
When you deal with another company or organisation you pass on information assets,
almost without realising it: names, appointments, contact details and, frequently,
banking or payment details. All of these items are information assets and must be
given a reasonable and appropriate degree of protection.
Compliance
By far the most effective way of promoting how serious you are about protecting
information assets is through either certification or compliance with a national or
international standard such as ISO27001. Declaring compliance or certification to
such standards broadcasts an affirmation of your commitment to securing all
information assets entrusted to you.
However, before such compliance programmes can be considered, and in order for
an organisation to consider protecting their assets, the full extent of those assets
must be identified. Once identification has been completed and we understand fully
the extent of the information that needs to be protected, we can look seriously at the
threats posed to those assets. Only then can we accurately analyse the risks to these
valuable pieces of information.
It sounds really simple to state, but in practice the identification of all organisational
information assets is often far from easy to achieve. To complicate matters further,
once an asset has been identified, both its quantity and its value across the whole
organisation are required. This difficult task is one that cannot be effectively completed
by a single person alone. By far the most effective way to initially assess the scope of
an organisation's information assets is through a collaborative process which needs
Identification of assets
The usual conception in this technologically obsessed world is to automatically
assume that all valuable information assets are those stored on the organisation's
ICT systems. The important point to note here is the use of the term "information
asset", rather than referring to data. In reality this is only one of three broad groups of
information assets that we need to establish.
Non-Computer based records
Computer (online) based records
Computer (offline) based records
Conclusion
At the end of your asset gathering exercise the chances are that you have now
identified a list of assets that could be well in excess of twice that which was
originally considered. However, this means that you should also have a much better
idea of the range and quantity of the information assets that make your business run.
From this knowledgeable standpoint you are in a much better position to take on the
next stages of asset management which include assessing the value of the assets
and identifying the threats to those assets. When these stages are complete you will
be in an excellent position to perform an informed risk analysis of your assets.
Without it, you are at the mercy of the advertisers and salesmen as to what
security you need. With the risk assessment you can be assured that you are only
paying for the security you need, not just the latest security fashion accessories.