Information asset inventory
by John Bandler
An information asset inventory is a listing of various information assets of an organization.
What's an information asset?
I think of the term broadly and align it with my Four Pillars of Cybersecurity.
- People (yes, I know people are not property but they are important assets of an organization and the most important part of cybersecurity. We need to manage who has access to what, provide knowledge and the ability to make good decisions, etc.)
- Devices (computer devices, like servers, desktops, laptops, tablets, smartphones, networking devices, etc.)
- Data and online accounts and applications (data stored, data categories, data places, online accounts of all types, applications (which store and use data), and beyond).
- Networks and internet usage (and also communications tools, service accounts)
Wait - "Inventory" sounds like the least fun thing to do
You would have to be a twisted type of person to enjoy doing an inventory, right? A root canal is more fun, isn't it?
Not quite.
First, it doesn't have to be miserable. It is a learning process of discovery and improvement. A scavenger hunt, a puzzle, a magical mystery tour! One way to really learn things is to inventory them, including by putting them into a spreadsheet and analyzing them that way. Personally, I like getting "into the weeds", and it is a way to learn and master the details. It served me well through twenty years in law enforcement investigating criminal conduct, and it serves me well in private practice, learning so I can protect my clients.
That said, if you are looking for maximum fun and entertainment, that is what your vacation and free time are for!
If you are looking to improve and protect an organization (save money, maximize revenue, comply with legal requirements) that takes work, and work (by definition) is not always fun and excitement.
The main takeaway is this needs to be done, to a reasonable degree, so resolve to do it. Or hire someone to do it or help you with it. Read on to learn why.
My brick-and-mortar analogy
Some people's minds go to jelly when they think about technology. So here is a simple analogy.
When I was a state trooper, I responded to hundreds of burglar alarms, almost always a false alarm, but I needed to do my job and due diligence each time. That meant walking around the entire exterior, looking for signs of a break-in, checking each door to see if it was secure, and so on. Not rocket science, just basic diligence.
Now imagine a homeowner calls and asks for help securing their house from future break-ins. You do the same thing: you walk around the outside of the house, and the inside, and talk about how windows and doors can be secured to delay an attacker's entry.
You can't secure a door or window if you don't know it is there.
You can't secure a valuable asset if you don't know it exists.
An inventory is sort of like that. Identify all of your doors and windows and valuable assets. It is part of cybersecurity. Then the next part is deciding how you want to secure them.
Do we really need to do this?
Yes! It needs to be done. The good news is it can be done at a reasonable pace, and perfection and infinite detail are not required, and certainly not immediately. Your reasonable pace should be prioritized, meaning you list and assess the most important areas first. Don't hold the project up for months because you are trying to include every single possible thing.
Imagine an organization saying this, which is contradictory and implies the organization has work to do.
- "Our cybersecurity is excellent, our management of information assets is excellent. The only caveat is that we don't know what we are securing and managing [because we never inventoried it]."
When organizations do not inventory, these things happen:
- Domain name stolen, loss of email and website. Some organizations are unaware of which registrar holds their domains, which account controls them, and how that account is secured. (Unaware until the domain is stolen; then they become painfully aware.)
- Data breach or ransomware. Imagine not knowing that one of your branch offices maintained a local server with personal data on it, while you thought all of your data was stored (securely?) in the cloud. Then you find out the server exists, that it might have been breached, that it held personal information, and that this might be a reportable data breach.
- Lost laptop. Your employee loses a laptop. Now you wish you knew the serial number, what data was on it, and how it was secured (for example, whether its storage was encrypted).
- Social media accounts dormant and appear abandoned.
- Organization is not really sure which employees are managing which accounts.
- Less than optimal management of cloud accounts, email systems, applications, devices, social media, and more.
- I could continue, but you get the idea.
A process in parallel with the Four Pillars of Cybersecurity
The information asset inventory can be done in parallel with the Four Pillars of Cybersecurity.
It is a process of discovery, improvement, better management and security.
First, let's talk about the process by category:
- First, think people. Who are the employees, contractors, and service providers, what access do they have to various systems, and what training do they have?
- Think computer devices. Servers, desktops, laptops, tablets, smartphones, network devices (these can also go under the fourth category), etc.
- Data and online accounts and applications. Prioritize this and start with what is most important. Data (wherever it is), online accounts (of all types), email, documents, cloud services, website, social media, service providers, etc.
- Network and internet. Modems, routers, switches, Wi-Fi access points, service providers, internet service, phone service, etc. (While these form a separate fourth pillar, physical networking devices can be tracked with category 2, and internet service accounts with category 3.)
Repeat!
Next, let's talk about the process by priority and level of detail:
- Think of your inventory as a process of continual improvement, not something that is ever "done"
- Start general, higher priority, basics
- Budget a reasonable amount of time to work on it and do it and finish it (1 hour, 2 hours, 5 hours, etc.)
- Budget a reasonable deadline and stick to it (1 week, 2 weeks, etc.)
- Especially for the first iteration, try to avoid getting bogged down in too much detail
- Small steps and some improvement is the goal (not perfection and not infinite detail)
- Proceed to more detail, lower priorities, more refinement, as time allows
- Periodically review and update the inventory. Try to achieve greater precision, accuracy, and detail
- Always assess what you learned, and what priority cybersecurity improvements might be next.
How do I know exactly what to do? This could go on forever...
Questions or comments some people might have include:
- How do I know exactly what to do?
- Can you provide a sample so I know how to do it?
- How do I know exactly how to do it?
- This could go on forever, when do I stop?
- You gave too many instructions
- You didn't give enough instructions
The point is to prioritize, start somewhere, get a reasonable amount done, get a step forward taken.
So think of it this way:
- Start with high priority items
- If you are not sure what is a high priority, think about what could damage your organization
- See my Three Priority Cybercrime Threats
- See my Introduction to Cybersecurity
- Or just start inventorying, and perhaps someone else might be able to identify priorities
- Spend a reasonable amount of time and effort on it
- Ask others to also spend a reasonable amount of time and effort
- Set a reasonable deadline to do the work, discovery, brainstorming, and communication
- Get it done and meet that deadline
- Take a step forward
- Be reasonable and diligent to discover your information assets, systems, and who does what
- Return to it periodically.
Here's what you don't do:
- Don't do nothing (excuse the double negative)
- Don't do a sloppy, negligent job
- Don't do an unreasonably paltry minimal job
- Don't try to do so much you never get it done
- Don't do an unreasonably excessive job
- Don't abandon all other responsibilities in the pursuit of this
- Don't try to reach infinite detail, you will never get there
- Don't take forever on any one iteration.
In other words, try to find that reasonable middle ground, and make progress!
Ways this helps the organization
- We need to know what we have to make good decisions about how to protect it, how to manage it effectively, what services and products to buy
- Helps with short term tactical decisions
- Helps with long term strategy and legal advice
- What do we protect and with what level of priority?
Examples
- An inventory can help with a process for bringing a new device into service securely, and for decommissioning an old device.
- If a device is lost or stolen, our inventory helps.
- If an account is compromised, or the service has an issue, our inventory with contact information tells us who to contact to correct things.
- If a key employee leaves or is unavailable, the inventory helps others act.
- Organizations often do not realize what accounts are there, being used or not, what needs renewal, etc.
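The checks above (who owns what, which devices you could identify if lost, which accounts need renewal, which accounts are dormant) are exactly what an inventory makes possible once it is in a structured form, even a spreadsheet. The following is an added example, not the author's code or any form from this article: it takes a small constructed inventory tagged with the four categories and a priority, and reports the gaps a first iteration would want to see, highest priority first. The field names (owner, serial, encrypted, renews, last_used) and the sample rows are assumptions chosen for the example.

```python
from datetime import date, timedelta

# Constructed sample data (not the article's). One row per asset, tagged with one
# of the article's four categories, a priority (1 = high, 3 = low) and an owner
# who should appear in PEOPLE. Dates are ISO strings, as a spreadsheet export gives.
PEOPLE = {
    "alee":   {"name": "A. Lee",   "role": "owner",          "status": "active"},
    "bortiz": {"name": "B. Ortiz", "role": "office manager", "status": "active"},
    "cnair":  {"name": "C. Nair",  "role": "contractor",     "status": "departed"},
}

ASSETS = [
    {"id": "srv-branch-1", "category": "device", "type": "server", "priority": 1,
     "owner": None, "serial": "SN-4471", "encrypted": False, "holds_pii": True},
    {"id": "lt-0007", "category": "device", "type": "laptop", "priority": 2,
     "owner": "bortiz", "serial": None, "encrypted": True},
    {"id": "domain-example", "category": "account", "type": "domain", "priority": 1,
     "owner": "cnair", "renews": "2024-06-01"},
    {"id": "twitter-main", "category": "account", "type": "social", "priority": 3,
     "owner": "alee", "last_used": "2023-09-01"},
    {"id": "isp-fiber", "category": "network", "type": "internet service", "priority": 1,
     "owner": "alee", "renews": "2025-01-15"},
]

TODAY = date(2024, 5, 15)  # fixed so the output is reproducible


def _d(s):
    """Parse an ISO date string; an empty cell becomes None."""
    return date.fromisoformat(s) if s else None


def find_gaps(assets, people, today=TODAY, renew_window_days=30, dormant_days=180):
    """Report what the inventory itself makes visible: missing or departed owners,
    devices you could not identify or trust if lost, renewals about to lapse, and
    accounts nobody has touched in a long time. Sorted highest priority first so
    a first iteration can stop early and still have covered what matters most."""
    findings = []

    def note(asset, issue):
        findings.append({"priority": asset["priority"], "asset": asset["id"], "issue": issue})

    for a in assets:
        # Ownership: every asset needs an active person behind it (key employee leaves).
        owner = a.get("owner")
        if owner is None:
            note(a, "no owner recorded")
        elif owner not in people:
            note(a, f"owner '{owner}' not in people list")
        elif people[owner]["status"] != "active":
            note(a, f"owner {people[owner]['name']} has departed; reassign")

        # Devices: the lost-laptop and branch-server scenarios.
        if a["category"] == "device":
            if not a.get("serial"):
                note(a, "no serial number; cannot identify it if lost or stolen")
            if a.get("holds_pii") and not a.get("encrypted"):
                note(a, "holds personal data but storage is not encrypted")
            if a["type"] in ("laptop", "smartphone", "tablet") and not a.get("encrypted"):
                note(a, "portable device without disk encryption")

        # Renewals: domains and service contracts that lapse quietly.
        if "renews" in a:
            renews = _d(a["renews"])
            if renews is None:
                note(a, "renewal date unknown")
            elif renews < today:
                note(a, f"renewal lapsed on {renews}")
            elif renews <= today + timedelta(days=renew_window_days):
                note(a, f"renewal due {renews}")

        # Dormant accounts: the abandoned social media case.
        if "last_used" in a:
            last = _d(a["last_used"])
            if last is None or (today - last).days > dormant_days:
                note(a, "dormant account; close it or assign an active owner")

    findings.sort(key=lambda f: (f["priority"], f["asset"]))
    return findings


if __name__ == "__main__":
    for f in find_gaps(ASSETS, PEOPLE):
        print(f"P{f['priority']} {f['asset']:<16} {f['issue']}")
```

The value is not in the script but in the columns it forces you to fill: if you cannot populate "owner", "serial" or "renews" for a row, that is a finding in itself, and the priority column is what lets the first pass stop at a reasonable point.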
Paid tools or do it yourself?
There are tools to help you inventory. Of course they cost money, require training, and require maintenance.
You can also do it yourself.
Deciding which route to take requires evaluating costs, pros, and cons. A large enterprise is going to need to devote personnel to the task, and employ tools to track the voluminous assets. A small startup is going to do it itself. Everywhere in between requires balancing.
I can work a spreadsheet, and that is sufficient for many small to mid sized organizations. But there needs to be a process in place, and it can be a learning curve to properly identify and manage these assets.
This is too much! This is not enough!
If this seems like too much, you have two options:
- Hire someone
- Start small, take a step, revisit this, take another step, repeat.
Rule out your third option, which is "do nothing".
If this is not enough, see my next article with more details.
Disclaimer
This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.
This is to inform and you assume all risk for cybersecurity decisions you make. This is an introduction and more can be written on this topic.
I may explain nuances further in other articles, or one of my books. Other experts may have differing opinions.
Ask ten different IT or IS experts and you will get ten or more different definitions for a term, and as many different recommendations for cybersecurity posture. Cybersecurity is about decisions and risk management.
Conclusion
An information asset inventory is essential, is a process of discovery and improvement, and does not have to be like a root canal.
If your organization needs help with improving its cybersecurity, feel free to contact me.
Additional reading
- Information asset
- Information asset inventory - the details
- Bandler's Four Pillars of Cybersecurity
- Cybersecurity Policy (Free Version) (with an incident response plan)
- The Three Priority Cybercrime Threats
- Identity theft
- Cybercrime
- Five Components for Policy Work
- Policies and Procedures Book (includes information on cybersecurity)
- Cybersecurity for the Home and Office (book)
- Cybercrime Investigations (book)
- Cybersecurity Asset Inventory Forms for the Home
This article is hosted at https://johnbandler.com/information-asset-inventory, copyright John Bandler, all rights reserved.
Originally posted 6/27/2023, updated 5/15/2024.