Identify the organisation’s deliverables, information systems and supporting ICT functions

Organisation must maintain a listing of used data systems and their owners. Owner is responsible for completing the related documentation and possible other security actions directly related to the data system.

Data system documentation must include at least:

• System purpose and linked responsibilities
• System's data location (covered in a separate task)
• System's maintenance and development responsibilities and linked partners (covered in a separate task)
• When necessary system's access roles and authentication methods (covered in a separate task)
• When necessary systems interfaces to other systems (covered in a separate task)

The organization has a clear process, according to which it identifies the most critical functions in terms of its operations (e.g. services offered to customers), which are subject to the highest continuity requirements.

Items in the IT environment that are necessary for these activities (such as information systems, data reserves, operating processes, partners, units, hardware) are classified as critical.

Critical functions are considered with the highest priority, e.g. in continuity planning, and stricter safety requirements can be applied to them than to other objects in the environment.

Organisation should identify and document dependencies between its assets.

In Cyberday dependencies between asset elements are created when creating and linking documentation. Procedure can be expanded according to organisation's own needs.

The organization must maintain a list of digital services provided and the owners designated for them. The owner is responsible for completing the information in the service and for any other security measures that are closely related to the service.

The documentation related to the digital service includes e.g. the following information:

• The type of digital service offered, the service category and the purpose of use
• Data controller and related processing agreements
• Key partners in the service supply chain and the distribution of security responsibilities (discussed in more detail in a separate task)

The organization shall list all relevant protected assets to determine ownership and to ensure that security measures cover all necessary items.

A large portion of the protected assets (including data sets, data systems, personnel / units, and partners) are treated through other tasks. In addition, the organization must list other important assets, which may be, depending on the nature of its operations, e.g. hardware (servers, network equipment, workstations, printers) or infrastructure (real estate, power generation, air conditioning). In addition the organization should make sure that relevant external devices are documented.

On average, the IT administrator estimates that staff use about 50 cloud services when the actual number is 1,000. Many of these are important for staff productivity and are used outside the organization’s network, so firewall rules do not solve the challenge.

Systems that focus on identifying and managing cloud services allow you to identify the cloud services used by your staff and monitor users of different services. This helps e.g.:

• determine our own level of risk with respect to data in cloud services
• review used services in regard to security
• be able to report as required, e.g. on the location of data and data processors