
Information Asset Management

Part 1 – Identifying Information Assets

Steve Simpson CISSP, Principal Consultant, Infosec Plus Consulting


Identifying Information Assets

Introduction
Why do any of us need security? When it comes right down to basics, we need
security to protect assets. These assets may be in physical or logical form.
Physical assets are, to a certain extent, easy to identify and therefore relatively
easy to protect. When it comes to logical or information assets, however, how many
of us know the full extent of the assets we are responsible for? Without knowing
what information assets we have, how can we expect to secure or protect them?
This document is designed to give those with responsibility for the security of
information assets a basic understanding of what information assets are and how
they can be managed to the benefit of an organisation.
Information assets are all around us. We cannot run a business without them, and if
they get into the wrong hands they can do enormous damage. All organisations and
establishments have information assets that are handled and communicated on a
regular basis, and each organisation has an obligation to protect those assets.
Would you do business with an organisation that did not offer at least some form of
protection for the information about your relationship with it? When you deal with
another company or organisation you pass on information assets almost without
realising it: names, appointments, contact details and, frequently, banking or
payment details. All of these items are information assets and must be given a
reasonable and appropriate degree of protection.

What is an Information Asset


‘An information asset is any piece of information in any form, that either
provides a benefit to the organisation possessing it, and/or has a potentially
damaging effect if revealed outside that organisation.’

Compliance
By far the most effective way of demonstrating how seriously you take the protection
of information assets is through certification or compliance with a national or
international standard such as ISO 27001. Declaring compliance or certification to
such a standard broadcasts an affirmation of your commitment to securing all
information assets entrusted to you.
However, before such a compliance programme can be considered, and before an
organisation can protect its assets at all, the full extent of those assets must be
identified. Once identification has been completed and we fully understand the
extent of the information that needs to be protected, we can look seriously at the
threats posed to those assets. Only then can we accurately analyse the risks to these
valuable pieces of information.
This is simple to state, but in practice identifying all of an organisation's
information assets is often far from easy. To complicate matters further, once an
asset has been identified, both its quantity and its value across the whole
organisation are required. This difficult task cannot be completed effectively by a
single person alone. By far the most effective way to make an initial assessment of
the scope of an organisation's information assets is through a collaborative process
which needs
to include representatives from every department within the organisation. Each
department will have a different view of what information exists and what value
should be placed on it. Each of these viewpoints needs to be considered in order to
obtain the most complete view possible when valuing the assets and analysing the
risks to them.
The process of identifying assets, to the point where the information gathered can
be used to develop an effective analysis of the risks posed to them, needs to be
carried out in the following stages:
• Identify all information assets
• Define the asset groups
• Assess the value and impact of each asset
• Identify the threats to the assets
Only when the risks to information assets have been assessed can a targeted
security strategy be developed. Without the risk assessment, applying security is a
hit-and-miss affair which will give no confidence in its application and will not be
cost effective.

Identification of assets
The usual assumption in a technology-obsessed world is that all valuable
information assets are those stored on the organisation's ICT systems. The important
point here is the use of the term information asset rather than data. In reality,
ICT-held data is only one of three broad groups of information assets that we need
to establish:
• Non-computer based records
• Computer (online) based records
• Computer (offline) based records

Non-Computer based records


The group most likely to be omitted, unless the review organiser prompts for it, is
that of non-computer based records. This asset group actually requires the most
thought during the information gathering phase. Good old-fashioned paper needs to
be included when gathering asset information. An organisation's paper-based filing
and archiving system is easily identified, and the chances are that the information in
that filing system already carries further categorisation that will be of assistance in
later phases of this activity. It is also likely that these records have already been
considered physical assets and may already be protected by some physical measures.
However, there are many other sources of non-computer based information within an
organisation that are of equal and sometimes greater value. The following
non-exhaustive list contains just a few examples of non-computer based records that
need to be considered when gathering information about an organisation's assets:
• Network or system diagrams, system configuration documentation and other
technical information sheets – These may be found on the walls of the engineering
department, rolled up in tubes for ease of storage, or simply kept in desk drawers in
the engineering or IT departments. The contents of these documents and diagrams
could be of immense value to a person wishing to find out more about an organisation
or, worse, wishing to damage that organisation.
• Admin assistants' minute books or sheets – The minutes of meetings noted down
in notebooks or on loose sheets are likely to contain information that senior
management would not wish to leave the organisation.
• Consultants' or engineers' day books – Consultants, engineers, technicians and the
like often carry day books to keep track of the instructions they have been given,
technical details, notes from meetings and much more. This information is highly
likely to give a would-be attacker an advantage.
• Personnel – What about the in-depth knowledge that your skilled staff walk around
with every day, locked in their heads? It is not easy to manage, but there are means
of mitigating the potential loss. A typical example:
o It is not uncommon for an organisation having a new application or system
installed to have only one member of staff trained by the vendor on it. At first
glance this is an understandable cost saving. That staff member returns from
training and goes about configuring the application for the optimal benefit of the
organisation. The knowledge gained in training, and then extended in practice, is
an asset to the organisation. There is an associated risk that the staff member may
become incapacitated or leave, which would be likely to have an immediate and
measurable impact on the organisation.
• Audio – Many executives now use portable audio devices to record information that
they need to access at a later date. This information is likely to be of the utmost
importance to the organisation and must be considered during this exercise. Do not
overlook recordings of telephone conversations, which are frequently made 'for
training purposes'; this media may also hold very large amounts of valuable
information.

Computer (online) based records


The group of computer (online) based records includes all the information stored in
your live computer systems. This is the area that will be foremost in the minds of
those responsible for identifying information assets. The difficulty here is ensuring
that all online computer based records throughout the organisation are included. The
obvious areas that need to be considered include:
• Central system file storage areas
• Outsourced file storage areas
• Central databases
• Messaging information
• Online archives
However, despite the obviousness of this broad asset group, there are also areas that
could easily be missed during the asset round-up, including:
• Information stored on standalone computers
• Information stored on users' desktop computers
• Information in databases that are not centrally stored
• Duplicated copies of information held elsewhere
• Information published on corporate websites

Computer (offline) based records


The final broad asset group to consider is that of computer (offline) based records.
The most obvious examples of offline information assets are backup tapes and other
backup media; these are a highly important asset to any organisation, given their
contribution to the business continuity or disaster recovery strategies. For the very
same reasons they are equally attractive to any potential attacker, since a single
tape may hold a complete copy of the live systems. It is therefore essential that all
backup media be accounted for within the asset gathering exercise.
Another area of offline computer based records that has received a lot of press in
recent years is the data stored on the hard disk drives of PCs which are no longer in
use, or on old hard disk drives removed during an upgrade. Far too many
organisations have been embarrassed by having their sensitive and valuable
information assets distributed externally when old computer equipment has been sold
off or otherwise disposed of without the drives being properly wiped.
What other offline information assets do we have? Writable magnetic and optical
media have always been a concern to CIOs because they make it so easy to remove
information from an organisation's premises. The current fear for CIOs and risk
owners is thumb or pen drives. These flash memory devices are available anywhere
and provide a very cheap means of storing large amounts of information. A quick
search of the web while writing this shows that flash memory drives are already
available in capacities up to 64 GB. How many of your valuable information assets
would fit onto a memory stick of that size? Pocket-sized external hard drives with
enormous capacities are easily available on the High Street. In addition to the
potential for loss of data, there have been some worrying adware and spyware attacks
developed in recent years that are launched through USB flash memory devices.
On top of this, your Write Once Read Many (WORM) media, such as COTS software
packages, are also assets to the organisation that require a degree of protection.
These too must be included when gathering information on the total quantity of an
organisation's information assets.
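The staged process described earlier (identify, group, value, identify threats) and the three broad groups above can be operationalised as a simple asset register. The Python below is an added example written for this article; it is not the author's material or a tool the article recommends. The asset names, locations, custodians and the 1-to-3 impact ratings in the sample register are constructed for illustration. It validates each entry (known group, accountable owner, ratings in range), flags the same asset held in more than one location (the information duplication case), flags entries that depend on a single custodian (the trained-staff-member risk from the personnel section), and summarises count and highest impact per group.

```python
"""Minimal information-asset register illustrating the identification stages.

Constructed example: every asset, location, custodian and rating below is
invented for illustration and does not describe any real organisation.
"""
from dataclasses import dataclass

# The three broad asset groups used in the article.
GROUPS = ("non-computer", "online", "offline")


@dataclass
class Asset:
    name: str             # what the information is
    group: str            # one of GROUPS
    location: str         # where this copy lives (wall, server, tape store...)
    owner: str            # accountable business owner
    custodians: list      # people who hold the knowledge or operate the copy
    confidentiality: int  # impact if disclosed, 1 (low) .. 3 (high)
    integrity: int        # impact if altered, 1 .. 3
    availability: int     # impact if unavailable, 1 .. 3

    def validate(self):
        """Return a list of problems with this entry (empty if it is sound)."""
        errors = []
        if self.group not in GROUPS:
            errors.append(f"{self.name}: unknown group {self.group!r}")
        if not self.owner:
            errors.append(f"{self.name}: no accountable owner")
        ratings = (("C", self.confidentiality), ("I", self.integrity),
                   ("A", self.availability))
        for label, score in ratings:
            if score not in (1, 2, 3):
                errors.append(f"{self.name}: {label} rating {score} outside 1..3")
        return errors

    @property
    def impact(self):
        # The highest of the three ratings drives the protection level.
        return max(self.confidentiality, self.integrity, self.availability)


def validate_register(assets):
    """Collect validation errors across the whole register."""
    errors = []
    for a in assets:
        errors.extend(a.validate())
    return errors


def duplicates(assets):
    """Asset names that appear in more than one location (duplication)."""
    seen = {}
    for a in assets:
        seen.setdefault(a.name, set()).add(a.location)
    return {n: sorted(locs) for n, locs in seen.items() if len(locs) > 1}


def single_custodian(assets):
    """(name, location) pairs whose knowledge or operation rests on one person."""
    return [(a.name, a.location) for a in assets if len(a.custodians) == 1]


def summary_by_group(assets):
    """Count and highest impact per group: the 'quantity and value' view."""
    out = {}
    for a in assets:
        count, top = out.get(a.group, (0, 0))
        out[a.group] = (count + 1, max(top, a.impact))
    return out


def prioritised(assets):
    """Distinct asset names ordered by highest impact, then name."""
    best = {}
    for a in assets:
        best[a.name] = max(best.get(a.name, 0), a.impact)
    return sorted(best, key=lambda n: (-best[n], n))


# Constructed sample register covering all three groups (hypothetical data).
SAMPLE = [
    Asset("Network diagram", "non-computer", "Engineering wall", "IT Manager", ["J. Doe"], 3, 2, 1),
    Asset("Customer database", "online", "DB server", "Sales Director", ["DBA1", "DBA2"], 3, 3, 3),
    Asset("Customer database", "offline", "Backup tape store", "Sales Director", ["DBA1", "DBA2"], 3, 2, 3),
    Asset("Customer database", "online", "Analyst laptop (export)", "Sales Director", ["Analyst"], 3, 1, 1),
    Asset("Meeting minutes", "non-computer", "Admin minute book", "CEO", ["PA"], 2, 2, 1),
    Asset("Vendor app config knowledge", "non-computer", "Staff member's head", "IT Manager", ["J. Doe"], 2, 3, 3),
]

if __name__ == "__main__":
    for line in validate_register(SAMPLE):
        print("ERROR:", line)
    print("duplicates:", duplicates(SAMPLE))
    print("single custodian:", single_custodian(SAMPLE))
    print("by group:", summary_by_group(SAMPLE))
    print("priority:", prioritised(SAMPLE))
```

Running the file prints the validation errors, duplicated assets, single-custodian entries and the per-group summary for the sample register. The point of recording each copy as its own entry is that the backup tape and the analyst's export inherit the confidentiality rating of the central database, which is exactly the offline and desktop-copy risk the text warns about; the 1-to-3 scale is a placeholder for whatever scale the later valuation stage adopts.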

Conclusion
At the end of your asset gathering exercise the chances are that you will have
identified a list of assets well in excess of twice the size originally expected. It
also means, however, that you will have a much better idea of the range and quantity
of the information assets that make your business run. From this knowledgeable
standpoint you are in a much better position to take on the next stages of asset
management: assessing the value of the assets and identifying the threats to them.
When these stages are complete you will be in an excellent position to perform an
informed risk analysis of your assets, without which you are at the mercy of
advertisers and salesmen as to what security you need. With the risk assessment you
can be assured that you are only paying for the security you need, not for the latest
security fashion accessories.



Based in Perth, Western Australia, Infosec Plus Consulting is able to provide tailored,
vendor-neutral information security business advisory services. Services include:

• Data Loss Assessments – Data loss is a serious concern for all organisations.
Many organisations each year never manage to recover from a security breach.
Infosec Plus can provide you with assurance through a holistic review of your
business policies, processes and procedures to establish where you may be
susceptible to data loss, allowing you to assess the risks and apply targeted risk
mitigation controls.
• Holistic Security Review – A holistic review of your organisation's information
security, including technology, procedural, physical and personnel security
measures.
• Risk Assessment/Management – Assessing the risk from specific threats will give
you the ability to apply the most efficient and cost-effective security measures. The
introduction of a risk management programme can considerably reduce operational
costs.
• PCI Compliance Review – All organisations that store, process or transmit credit
card information must comply with the Payment Card Industry Data Security
Standard (PCI DSS). Infosec Plus can guide you through this process and provide
you with the information you need to gain and maintain compliance with this
exacting standard.
• Security Awareness – The single most effective way to reduce data loss and
improve the security standing of your organisation is through the introduction of a
security awareness programme. Infosec Plus can guide you through the development
of an awareness programme and can provide one-to-one or one-to-many training
sessions to get the security message across.
• Network Access Control – All organisations need to protect their valuable business
and personal data in the face of the ever increasing need for system
interconnectivity. Infosec Plus can guide you through the process of developing a
Network Access Control policy that will allow day-to-day business to continue in the
safest possible manner.
• Project Augmentation – If you are running or planning a project that needs to
include security representation, Infosec Plus can provide a consultant to join your
team, providing expert security advice to ensure that the project delivers the
security that your business information assets require.
