What’s the point of an information security program? The simple answer is to protect all the data from being stolen, misused or compromised. Most business units, when talking about info security, simply state “protect everything all the time”. The question is – how do you know what “everything” is?
Hardware is pretty simple. There’s a record of when it’s purchased and when it’s retired. Software is similar, there’s a record of purchase, and tools to scan what’s installed and even how it’s licensed.
But what about the data? That’s really the lifeblood of an organization and in most cases has more value than the hardware and software. We all know what data is, but where is it? It can be on mobile devices, laptops, desktops, servers, removable media, in the cloud, practically everywhere. How do you keep track of that? And why should you?
Another facet is the value. Some data, like the information on your web page, is public. If that’s stolen, it has little impact to the organization. But what about other data? If a hospital loses a patient’s records that can have a HUGE impact. Or if a certain chicken restaurant had its 11 secret herbs and spices recipe stolen, that would be a major impact. So not all data is created equal.
Asset inventory is a key part of an information security program. So is data classification and valuation, along with establishing who really “owns” a particular dataset. You can learn about all these and more in this week’s featured course on JRobertsonSecurity’s Teachable site:
https://jrobertsonsecurity.teachable.com/p/asset-inventory-data-valuation
