Information assets are what an organization needs to keep its information systems running. These assets typically consist of more than just hardware and software; they also include data, networks, personnel, sites, and the organization's structure.
Asset identification should be performed at a level of detail that provides sufficient information for risk assessment. An asset owner should be identified for each information asset, to provide responsibility and accountability for the asset. The asset owner is often the most suitable person to determine the asset's value to the organization.
As a next step, confidentiality, integrity and availability requirements should be assigned to systems and data. Data should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification.
Make sure that classifications and the associated protective controls for information take account of business needs for sharing or restricting information, as well as legal requirements.
Develop a classification scheme that includes conventions for classification and criteria for review of the classification over time. Make sure that the scheme is consistent across the whole organization, so that everyone classifies information and related assets in the same way, has a common understanding of protection requirements and applies the appropriate protection.
Verify that the results of classification indicate the value of assets according to their sensitivity and criticality to the organization, e.g. in terms of confidentiality, integrity and availability.
Classification provides people who deal with information with a concise indication of how to handle and protect it. Creating groups of information with similar protection needs, and specifying information security procedures that apply to all the information in each group, facilitates this. This approach reduces the need for case-by-case risk assessment and custom design of controls.
An example of an information confidentiality classification scheme could be based on four levels as follows:
a) disclosure causes no harm;
b) disclosure causes minor embarrassment or minor operational inconvenience;
c) disclosure has a significant short-term impact on operations or tactical objectives;
d) disclosure has a serious impact on long-term strategic objectives or puts the survival of the organization at risk.
Similar classification levels could be defined for integrity and availability.
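The following is an added example, not code from the page or from any standard it draws on. It turns the guidance above into a small, checkable asset register: every asset has an owner, gets confidentiality, integrity and availability requirements on the four-level scheme (a to d), derives its value from the highest of the three, and carries a review date. The `check_register` function flags the inconsistencies the text warns about: assets without an owner, classifications whose review is overdue, and (an assumption beyond the page) data stored on a system classified lower than the data itself. The handling rules, review intervals, asset names and owners are constructed sample values.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum


class Level(IntEnum):
    """Four-level scheme from the text (a-d); reused for integrity and availability."""
    A_NO_HARM = 0        # disclosure causes no harm
    B_MINOR = 1          # minor embarrassment or operational inconvenience
    C_SIGNIFICANT = 2    # significant short-term impact on operations or tactical objectives
    D_SERIOUS = 3        # serious impact on strategy or survival of the organization


# Handling rule per confidentiality level: assumed illustrative values, not the page's.
HANDLING = {
    Level.A_NO_HARM: "public: no restriction",
    Level.B_MINOR: "internal: share inside the organization only",
    Level.C_SIGNIFICANT: "restricted: need-to-know, encrypt in transit",
    Level.D_SERIOUS: "secret: need-to-know, encrypt at rest and in transit, log access",
}

# Review interval by overall asset value (days): assumed, higher value means earlier review.
REVIEW_DAYS = {Level.A_NO_HARM: 730, Level.B_MINOR: 365,
               Level.C_SIGNIFICANT: 180, Level.D_SERIOUS: 90}


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                     # hardware, software, data, network, personnel, site
    owner: str                    # accountable person; must not be empty
    confidentiality: Level
    integrity: Level
    availability: Level
    classified_on: date
    hosted_on: str | None = None  # assumed: name of the system holding this data asset

    @property
    def value(self) -> Level:
        """Asset value follows the highest of the three requirements."""
        return max(self.confidentiality, self.integrity, self.availability)

    @property
    def handling(self) -> str:
        return HANDLING[self.confidentiality]

    def review_due(self) -> date:
        return self.classified_on + timedelta(days=REVIEW_DAYS[self.value])


def check_register(assets: list[Asset], today: date) -> list[str]:
    """Return scheme violations across the register (empty list means consistent)."""
    by_name = {a.name: a for a in assets}
    findings: list[str] = []
    for a in assets:
        if not a.owner.strip():
            findings.append(f"{a.name}: no asset owner assigned")
        if today > a.review_due():
            findings.append(f"{a.name}: classification review overdue since {a.review_due()}")
        if a.hosted_on is not None:
            host = by_name.get(a.hosted_on)
            if host is None:
                findings.append(f"{a.name}: hosting system {a.hosted_on!r} is not in the register")
            else:
                # A system must be classified at least as high as the data it holds.
                for attr in ("confidentiality", "integrity", "availability"):
                    if getattr(host, attr) < getattr(a, attr):
                        findings.append(f"{a.name}: {attr} {getattr(a, attr).name} exceeds "
                                        f"{host.name} ({getattr(host, attr).name})")
    return findings


# Constructed sample register: one server, one data set on it, one orphaned public data set.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Asset("erp-db-server", "hardware", "IT operations lead",
          Level.B_MINOR, Level.C_SIGNIFICANT, Level.C_SIGNIFICANT, date(2024, 3, 1)),
    Asset("customer-records", "data", "Head of sales",
          Level.C_SIGNIFICANT, Level.C_SIGNIFICANT, Level.B_MINOR, date(2024, 5, 1),
          hosted_on="erp-db-server"),
    Asset("press-releases", "data", "",
          Level.A_NO_HARM, Level.B_MINOR, Level.A_NO_HARM, date(2022, 1, 1)),
]


if __name__ == "__main__":
    for asset in SAMPLE:
        print(f"{asset.name:18} value={asset.value.name:14} handling={asset.handling}")
    for finding in check_register(SAMPLE, TODAY):
        print("FINDING:", finding)
```

Running the sample register reports three findings: the customer records are more confidential than the server holding them, and the press releases have no owner and an overdue review. The derived value and handling string are what a handling procedure per group of information would key on.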