On more than one occasion, I have stood before senior management and posed the question “what are your information assets?” – and in each case, they didn’t know.
The GDPR regulation introduced last year prompted much change in the landscape of privacy and data protection. Perhaps one of the most interesting of these changes was how it led data owners to think about their information and where it was located.
This was a positive effect of the change. However, discovering what your key information assets are and neatly categorising them is often seen as a complex piece of work – prompting much ‘head scratching’ when senior management ask about them.
What do we need to know about information assets to successfully protect them? What is the asset?
In short, without this knowledge, it becomes very difficult to adequately protect the assets – which can lead to under- or over-engineering of security controls.
When it comes to protecting information assets, we’re not just talking about the obvious suspects such as valuable customer information or your primary business system. Information assets could include:
The list isn’t exhaustive, and all require protection either from malicious or accidental attack, or damage. Then we need to factor in the supporting infrastructure, servers, networks – and who you share the information with, who has access to it and who owns it.
GDPR prompted a lot of activity to understand personal data, with many organisations kicking off a data discovery exercise by sending out questionnaires to staff, looking to find what personal data they held, why they held it, the legal basis for processing and so on. This was all good and useful, even if somewhat uncoordinated.
However, for many, a similar exercise is required for all other information assets, especially if they don’t have a fully structured system that forces users to save data in the right place.
So back to my opener: On more than one occasion, I have stood before senior management and posed the question “what are your information assets?” – and on each occasion, they didn’t know – yet 30 minutes later (after a lot of whiteboard scribbling), they had identified many of their information assets, worked out why they were important to them, what infrastructure they relied on, where they came from, where they went and who owned them.
It is having that confidence to start these discussions, to wade in and find the information you REALLY need, that makes all the difference. Without doing this you could have the most sophisticated cyber security technology available – without making the slightest difference in protecting what really counts. You might receive flak for taking up senior management time on what they might initially see as an unnecessary diversion, but it’s a step in the process you can’t afford to skip. In short, you cannot risk failing to discover and protect what you don’t know you have.
And believe me, I know from experience, once you’ve worked out where your REAL information assets live – and who owns them (AND you keep this up to date), the rest of your cyber security programme will be a whole lot easier to manage.
For more information on critical asset protection, click here.
About the author
Principal Consultant, CRMG
Former Cyber Security Policy Manager, Bank of England
Industry of Expertise: Banking, Healthcare
Areas of Specialism: Cyber Security Governance & Policy Management