What’s the point of an information security program? The simple answer is to protect all the data from being stolen, misused or compromised. Most business units, when talking about info security, simply state “protect everything all the time”. The question is – how do you know what “everything” is?
Hardware is pretty simple. There’s a record of when it’s purchased and when it’s retired. Software is similar: there’s a record of purchase, and tools to scan what’s installed and even how it’s licensed.
But what about the data? That’s really the lifeblood of an organization and in most cases has more value than the hardware and software. We all know what data is, but where is it? It can be on mobile devices, laptops, desktops, servers, removable media, in the cloud, practically everywhere. How do you keep track of that? And why should you?
Another facet is the value. Some data, like the information on your web page, is public. If that’s stolen, it has little impact on the organization. But what about other data? If a hospital loses a patient’s records, that can have a HUGE impact. Or if a certain chicken restaurant had its 11 secret herbs and spices recipe stolen, that would be a major impact. So not all data is created equal.
The Three Types of Assets You Need to Account For
When building an asset inventory, most organizations think about three categories.
Hardware is the most visible. Servers, workstations, laptops, mobile devices, networking equipment, printers — anything physical that connects to your network or stores data. Hardware is relatively straightforward to track because it has a physical presence and typically a purchase record. The challenge is that hardware moves. Laptops go home. Devices get lost. Employees leave and take equipment with them. Your inventory is only as good as your process for keeping it current.
Software is trickier. It includes every application, operating system, and tool installed across your environment — licensed or otherwise. Unauthorized software is a significant security risk because it’s outside your control and often outside your awareness. An employee installs a free utility that hasn’t been vetted, and suddenly you have an unmanaged application with potential vulnerabilities sitting on your network. This is why software asset management is a core component of any serious security program.
Data is the hardest to track and almost always the most valuable. Unlike hardware and software, data doesn’t stay in one place. It moves through email, gets copied to personal devices, lives in cloud storage, gets shared with vendors. A patient record in a hospital, a client contract at a law firm, a proprietary formula at a manufacturing company — this is what attackers are actually after. Knowing where your data lives is the first step to protecting it.
Most organizations do a reasonable job with hardware. Fewer do a good job with software. Almost none have a complete picture of their data. That gap is where breaches happen.
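The gap described above (laptops that wander off, unvetted utilities, devices nobody recorded) shows up the moment you compare the authoritative inventory against what discovery actually finds. The following is an added example, not tooling from the post or the course it promotes; the inventory and scan results are constructed sample data, and the hostnames and product names are placeholders.

```python
"""Reconcile an authoritative asset inventory (e.g. a CMDB export) against
what a discovery scan or endpoint agent reported. Constructed sample data."""
from dataclasses import dataclass, field

# Constructed: what the inventory says we own, with the approved software per host
INVENTORY = {
    "ws-0101": {"os": "Windows 11", "software": {"Office 365", "Chrome"}},
    "ws-0102": {"os": "Windows 11", "software": {"Office 365", "Chrome"}},
    "srv-db01": {"os": "Ubuntu 22.04", "software": {"PostgreSQL 15"}},
    "lt-0231": {"os": "macOS 14", "software": {"Office 365", "Slack"}},
}

# Constructed: what discovery saw on the network this week
DISCOVERED = {
    "ws-0101": {"os": "Windows 11", "software": {"Office 365", "Chrome", "FreePDFTool"}},
    "srv-db01": {"os": "Ubuntu 22.04", "software": {"PostgreSQL 15"}},
    "lt-0231": {"os": "macOS 14", "software": {"Office 365", "Slack"}},
    "unknown-7f3a": {"os": "Linux", "software": set()},
}


@dataclass
class ReconciliationReport:
    missing: list = field(default_factory=list)       # in inventory, not seen (lost? offline? taken home?)
    unknown: list = field(default_factory=list)       # seen on the network, not in inventory
    unauthorized_software: dict = field(default_factory=dict)  # host -> software not on the approved list


def reconcile(inventory, discovered):
    """Three findings: hosts we expected but did not see, hosts we saw but never
    recorded, and approved hosts running software nobody vetted."""
    report = ReconciliationReport()
    report.missing = sorted(set(inventory) - set(discovered))
    report.unknown = sorted(set(discovered) - set(inventory))
    for host in sorted(set(inventory) & set(discovered)):
        extra = discovered[host]["software"] - inventory[host]["software"]
        if extra:
            report.unauthorized_software[host] = extra
    return report


if __name__ == "__main__":
    r = reconcile(INVENTORY, DISCOVERED)
    print("Inventoried but not seen:", r.missing)
    print("Seen but not inventoried:", r.unknown)
    for host, sw in r.unauthorized_software.items():
        print(f"Unapproved software on {host}: {sorted(sw)}")
```

Each list feeds a different process: missing hosts go to whoever tracks physical assets, unknown hosts go to the network team to identify or isolate, and unapproved software goes to software asset management for vetting or removal. Running this on a schedule is what turns a one-time inventory into a current one.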
Why Data Classification Matters — And Who Actually Owns the Data
Once you know what data you have and where it lives, the next question is: how sensitive is it?
Data classification is the process of assigning a value or sensitivity level to each type of data your organization holds. A common framework uses four tiers — public, internal, confidential, and restricted — though the specific labels matter less than the principle behind them. Not all data needs the same level of protection, and treating everything as equally sensitive is both impractical and expensive.
Public data is information you’ve already made available externally — your website content, published marketing materials, press releases. If this data were compromised, the impact would be minimal.
Internal data is information that isn’t meant to leave the organization but wouldn’t cause serious harm if it did — general internal communications, non-sensitive operational documents.
Confidential data covers information that would cause meaningful harm if exposed — employee records, financial data, client information, strategic plans.
Restricted data is your highest-sensitivity category — healthcare records, payment card data, trade secrets, anything subject to regulatory requirements like HIPAA or PCI DSS. This data requires the strongest controls, the most limited access, and the clearest incident response procedures.
The classification question that most organizations overlook is ownership. Who is responsible for each dataset? In most companies, data ownership defaults to IT — which is both unfair and inaccurate. The HR department owns employee records. Finance owns financial data. Operations owns production data. IT is the custodian that manages the systems, but the business unit that creates and uses the data should be responsible for classifying it and defining who needs access.
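A data classification scheme only works if each dataset carries a tier, a business owner, a custodian and the controls that tier demands. The following added example (not from the post or the course) models that registry and audits it for the two failures the text describes: restricted data without the controls its tier requires, and datasets whose ownership has silently fallen back to IT. The four tiers follow the post; the control names per tier and the sample datasets are assumptions made up for this example.

```python
"""Data classification registry with ownership and per-tier control checks.
Tier names follow the post; required controls and sample data are constructed."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Tier(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Assumed minimum controls per tier for this example (not a published standard)
REQUIRED_CONTROLS = {
    Tier.PUBLIC: set(),
    Tier.INTERNAL: {"authn"},
    Tier.CONFIDENTIAL: {"authn", "rbac", "encrypt_at_rest"},
    Tier.RESTRICTED: {"authn", "rbac", "encrypt_at_rest", "audit_log", "ir_runbook"},
}


@dataclass
class Dataset:
    name: str
    tier: Tier
    owner: Optional[str]   # business unit accountable for classification and access
    custodian: str         # team that runs the systems (usually IT)
    controls: set          # controls actually in place
    locations: set         # where copies live


# Constructed registry; names and locations are placeholders
REGISTRY = [
    Dataset("website_content", Tier.PUBLIC, "Marketing", "IT", set(), {"cms"}),
    Dataset("employee_records", Tier.CONFIDENTIAL, "HR", "IT",
            {"authn", "rbac", "encrypt_at_rest"}, {"hris"}),
    Dataset("patient_records", Tier.RESTRICTED, None, "IT",
            {"authn", "rbac"}, {"ehr", "laptop-lt-0231"}),
    Dataset("secret_recipe", Tier.RESTRICTED, "R&D", "IT",
            {"authn", "rbac", "encrypt_at_rest", "audit_log", "ir_runbook"}, {"vault"}),
]


def find_dataset(registry, name):
    return next(ds for ds in registry if ds.name == name)


def audit(registry):
    """Return (dataset, finding) pairs for missing owners and missing controls."""
    findings = []
    for ds in registry:
        if ds.owner is None:
            findings.append((ds.name, "no business owner assigned; ownership has defaulted to the custodian"))
        missing = REQUIRED_CONTROLS[ds.tier] - ds.controls
        if missing:
            findings.append((ds.name, f"missing {ds.tier.name} controls: {sorted(missing)}"))
    return findings


def access_allowed(ds, approver):
    """Confidential and restricted data need the owner's approval, not the
    custodian's. With no owner on record there is nobody who can approve."""
    if ds.tier < Tier.CONFIDENTIAL:
        return True
    return ds.owner is not None and approver == ds.owner


if __name__ == "__main__":
    for name, finding in audit(REGISTRY):
        print(f"{name}: {finding}")
```

The audit surfaces exactly the case the post warns about: a restricted dataset with no owner and a copy on a laptop, which means nobody outside IT has decided who should have access or what happens when it leaks. The access check makes ownership operational: IT can run the system but cannot approve access to someone else's data.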
Getting this right — identifying assets, classifying data, assigning ownership — is the foundation of a mature information security program. Without it, you’re essentially trying to protect something you can’t fully see.
Asset inventory is a key part of an information security program. So is data classification and valuation, along with establishing who really “owns” a particular dataset. You can learn about all these and more in this week’s featured course on JRobertsonSecurity’s Teachable site:
https://jrobertsonsecurity.teachable.com/p/asset-inventory-data-valuation