Information Security

by Andy Taylor

Step 1 – Identify the information assets

Information assets are all those items of data on which an organisation relies to carry out its business. The identification of these assets must be undertaken by personnel within the business and it is critical that those with the real knowledge are directly involved. It is not good enough for the managers to decide in isolation what they believe the critical information assets to be. It is the people who use the information assets on a daily basis who will have the best idea of the criticality of the assets.

Assets will include key systems for the processing of information. It is no good having a super database of all the clients’ information if the system used to access it is unavailable.

One approach is to take each business division or department and define the information it needs to do the job. In the marketing department, this might include customer lists and stock items, complete with the prices and availability schedules. In the finance department, cash flow details based on clients’ orders and payments, together with staff salaries, might be included. Already, it is possible to see some overlap: the pricing details the marketing department needs are the same as those required by the finance department.

It may help to set up some types of information as a starter. These categories could be information relating to clients, staff, marketing, finance, production and so on. Once again, double counting needs to be watched, but it is often helpful to identify who is the one person accountable for a specific area of information being correct and properly looked after. They can then be made the authority for it and others can fit in with their requirements.