Information asset inventory details

Information asset inventory details

by John Bandler

This article covers some details on creating and improving your organization's information asset inventory.

If you haven't yet, read my more general article on what information asset inventories are and why we need them.

Recap

I think of the term "information asset) broadly and align it with my Four Pillars of Cybersecurity.

• People
• Devices
• Data and online accounts and applications
• Networks

You cannot secure what you don't know about. You can't run your business efficiently if you don't know what you are doing or how. So this is a process of discovery and learning.

• Think of your inventory has a process of continual improvement, not something that is never "done"
• Start general, higher priority, basics
  • Budget a reasonable amount of time to work on it and do it and finish it (1 hour, 2 hours, 5 hours, etc.)
  • Budget a reasonable deadline and stick to it (1 day, 1 week, 2 weeks, etc.)
  • Especially for the first iteration, try avoid getting bogged down in too much detail
  • Small steps and some improvement is the goal (not perfection and not infinite detail)
• Proceed to more detail, lower priorities, more refinement, as time allows
• Periodically review and update the inventory. Try achieve greater precision, accuracy, detail
• Always assess what you learned, and what priority cybersecurity improvements might be next.
• Repeat!

Paid tools or do it yourself?

There are tools to help you inventory. Of course they cost money, require training, and require maintenance. If you are using a separate tool, the rest of this article becomes less important because we get into the nuts and bolts of doing it yourself..

You can also do it yourself. Here we talk through a way to set up your spreadsheet.

Use a spreadsheet

We all have access to spreadsheet applications (Excel, Sheets, Numbers).

We should learn how to use them and efficiently manage our files so that we can:

• Sort
• Filter
• Have appropriate columns
• Have appropriate rows
• Incorporate proper version control and file management
• Use our time efficiently creating, updating, and maintaining the file
• Not lose our data or corrupt it or get it all twisted

Spreadsheets are powerful tools, learn them and improve your knowledge of them.

Create a spreadsheet, and give it an appropriate filename, such as:

• 0 ORGNAME Information asset inventory 2024-MM-DD
• 0 ORGNAME Physical asset inventory 2024-MM-DD

I discuss file naming and file version control more in by book, Policies and Procedures. The zero sorts it to the top of the folder, the date in format YYYY-MM-DD indicates the revision date and helps with version control and also sorting.

Create columns and rows. Columns go horizontally, rows go vertically.

Each row should pertain to one (and only one) asset that you are tracking.

Each column should pertain to a characteristic your are tracking regarding a particular asset.

Methodology and version control

A proper methodology and proper version control is essential. In general, the document should have only one master, and anyone working on it needs to understand the purpose and methodology. If an untrained person starts working in the spreadsheet, it can cost hours of confusion, months of delay, and worse.

One person should maintain the master version, and others can provide data or corrections via worksheets, individually, or other means. For example, I may copy Excel data into Word, and then provide instructions and turn "track changes" to "on". This way, as the Word worksheet is forwarded and returned to me, instructions are available, and changes are tracked, and I can input the changes into the spreadsheet. A few hours of data entry saves more hours of confusion and helps ensure accuracy. Remember that mistakes can be costly.

Columns

Remember that each row should pertain to one and only one asset that you are tracking, and each column pertains to characteristics you need or want to track.

Here are some columns I like to have, and remember that not all columns apply to all items, and each organization is different, and people managing these spreadsheets may have personal preferences too.

Physical assets

If the asset can be touched or held, you want to inventory it. Obviously, start with high priority items (computers, servers, routers, WiFi access points). Save inventorying things like cables, keyboards, mice and chairs for when you have taken care of the more important things.

Physical asset columns may be something like this:

• Item summary (which may incorporate other key characteristics that are also laid out in other columns)
• Priority of asset item
• Asset type 1
• Asset type 2 (subtype)
• Comment
• Location
• Manufacturer (make)
• Model
• Device name (friendly name)
• Serial number
• Operating system
• Assigned user (employee name)
• Date purchased
• Date assigned to current user
• Date disposed of (decommissioned)
• Comment
• Date row updated

I prefer date fields to be "text" and in the format "YYYY-MM-DD". That way you can approximate a date (e.g, 2024-2, or 2017) and the field will accept it and it will sort.

I prefer user names to be "Lastname, Firstname" because otherwise it is confusing with nicknames and etc.

This interacts with "online accounts" because computers may be signed into an online account (e.g. iCloud, Microsoft, Google, etc).

Data, online accounts, applications, services

Here it gets a little more complex. Some data is stored on devices, but more and more data is stored in online accounts and within applications. And organizations need these online accounts and applications to do their business. So we need to assess and inventory them.

Data and online account and application rows may be something like this:

• Data/Account summary (which may incorporate other key characteristics that are also laid out in other columns)
• Priority of asset item
• Asset type 1
• Asset type 2 (subtype)
• Online account?
• Asset manager (administrator employee name)
• User account number/name/email
• Account provider name
• Contact information of provider
• 2FA/MFA enabled?
• Comment
• Date account opened/application installed
• Date account closed
• Date row updated

Some applications have user lists, and that impacts the next category of People.

Networks and internet

These items can actually be tracked in the preceding two categories for devices and accounts.

• Physical network devices (modems, routers, switches, firewalls) can be tracked with the physical asset inventory.
• Internet and phone services can be tracked with the data/applications/services inventory.

People

People need user accounts and access to various systems and applications. They should have the proper level of access, what they need but not more than they need (according to the "principle of least privilege").

You need to inventory them and assess things.

Consider who has:

• User accounts with main cloud provider (Microsoft, Google, Apple, etc)
• Access to the website
• Access to contact management system
• Access to various categories of organization files

Rows

Remember (again) that each row should pertain to one and only one asset that you are tracking, and each column pertains to characteristics you need or want to track.

Since each row pertains to one asset or item, it is easy to reassign it, deactivate it, sort it, filter it, etc.

Depending on what you are tracking, a row might pertain to a:

• Computer
• Physical item
• Online account or online service provider
• Type of data
• Application
• Service provider (internet, phone, etc.)

Using rows like an index, or pointer

Rows can act like an index, with pointers, for example:

• "Domain registrars" can be a row that says "See GoDaddy, See Google" and then you have rows for each of those laying out the domain registration account.'
• "Email providers" can be a row that says "See Microsoft/M365/O365, See Google, See Apple" and then you have rows for each of those.
• "Website" can be a row that says "See JohnBandler.com, See Bluehost for domain registration, See WordPress for website management", and then you have rows for each of these.

Using rows to leave notes and other rules for rows

Rows can also contain notes. For example, some of my spreadsheets contain notes such as:

• 00 note: Rev 2024-MM-MM, Rough draft requires review and further correction and refinement
• 00 Example:  provide an example of what the data field should look like
• 00 note: Do not delete any rows. Annotate a row if it becomes inapplicable, if the device is taken out of service, etc.
• 00 This spreadsheet is also like a book index. For general categories, it may provide a pointer to another row
• 00 All data should be considered draft. Data within this spreadsheet is only as good as the provided to JB. Input and data merge errors may have occurred as well. Next inventory round should ask organizational units to review all information and update, while following instructions and format.
• 00 Before making the first change to this spreadsheet, consider who will do future updates.
  John recommends that he do the next set of updates.
• 00 This spreadsheet contains confidential and sensitive information. It may contain attorney-client privileged material. It may contain attorney work product.
  Before updating or distributing, evaluate these issues and plan accordingly
• 00 Do not delete any rows. Even if the device is taken out of service, or other issue, don't just delete the row because it prevents continuity and raises questions that become hard to answer.
  Instead, annotate a row if it becomes innaplicable, if the device is taken out of service, etc.
  The row stays, we can, shade, filter, sort. etc. to keep it out of the way
• 00 Cross reference: see separate spreadsheets
  FILENAMES

In any organization, individuals may have varying experience with spreadsheets, version control information security, and asset inventories, so notes help ensure everyone is on the same page. Trust me when I say that minor misunderstandings can waste time and have even more serious effects.

In general, rows should not be deleted, but properly annotated.

For example, if you dispose of a computer, or close an online account, don't delete that row, but annotate it to indicate this disposition and the date. That way you maintain a record of what happened.

This is too much!

If this seems like too much, you have two good options:

1. Start small, take a step

• Reread my more general article on information asset inventories
• Reread this article
• Take another step
• Repeat

2. Hire someone to guide and help

Rule out your third option, which is "do nothing".

Disclaimer

This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.

This is to inform and you assume all risk for cybersecurity decisions you make. This is an introduction and more can be written on this topic.

I may explain nuances further in other articles, or one of my books. Other experts may have differing opinions.

Ask ten different IT or IS experts, you will get ten or more different definitions for a term, and as many different recommendations for cybersecurity posture. Cybersecurity is about decisions and risk management.

Conclusion

An information asset inventory is essential, and is a process of discovery and improvement, and does not have to be like root canal.

If your organization needs help with improving its cybersecurity, feel free to contact me.

Additional reading

• Information asset
• Information asset inventory
• Information asset inventory - the details (this article)
• Bandler's Four Pillars of Cybersecurity
• Cybersecurity Policy (Free Version) (with an incident response plan)
• The Three Priority Cybercrime Threats
• Identity theft
• Cybercrime
• Five Components for Policy Work
• Cybersecurity and Privacy for You and Your Organization
• Policies and Procedures Book
• Cybersecurity for the Home and Office (book)
• Cybersecurity Asset Inventory Forms for the Home

This article is hosted at https://johnbandler.com/information-asset-inventory-details, copyright John Bandler, all rights reserved.

Originally posted 5/6/2024, updated 5/15/2024.