Probably the first task in planning to protect information assets is to first make an inventory of information assets an organization needs to protect. In a recent seminar I attended, the speakers gave some pointers on how an organization can draw up an inventory of information assets. Before proceeding to that, let me just make things a little clearer. The main purpose of inventorizing information assets is not to make a laundry list of all assets that an organization has, but to give adequate protection to assets based on its value and importance to the enterprise. Some examples of information assets can be:

- Physical information assets like computer equipment, madems, laptops, computers, communication equipment, telephones, fax machines, technical equipment such as power supplies, air conditioning, humidity control etc.

- Software assets such as applications, development tools, software copyrights etc.

- Information assets such as databases, data files, system documentation, user manuals, business continuity plans, disaster recovery plans etc.

Coming to inventoring these information assets. While inventorizing information assets, each asset should be clearly identified alongwith its location, number and other details. Every asset should be assigned an owner. Similarly, a security classification should be assigned to all assets depending on the security risk. Thus, confidential documents / data would have a much higher security classification than documents / data used in the normal course of business.

Related Posts

Return on Security Investment ROSI
Database Replication
ISO OSI Transport Layer
Spoofing Attack