Identification of information assets

Organisation must maintain a listing of used data systems and their owners. Owner is responsible for completing the related documentation and possible other security actions directly related to the data system.

Data system documentation must include at least:

• System purpose and linked responsibilities
• System's data location (covered in a separate task)
• System's maintenance and development responsibilities and linked partners (covered in a separate task)
• When necessary system's access roles and authentication methods (covered in a separate task)
• When necessary systems interfaces to other systems (covered in a separate task)

Organisation must maintain a listing of controlled data stores and their owners. Owner is responsible for completing the documentation and other possible security actions directly related to the data store.

Data store documentation must include at least:

• Connected responsibilities
• Data processing purposes (covered in a separate task)
• Data sets included in the data store (covered in a separate task)
• Data disclosures (covered in a separate task)
• When necessary, data stores connections to action processes

The organization shall maintain a list of data sets contained in the data stores it manages.

The documentation shall include at least the following information:

• Data systems and other means used to process the data sets
• Key categories of data in the data set (and whether it contains personal data)
• Data retention period (discussed in more detail in a separate task)
• Information on archiving / disposal of data (discussed in more detail in a separate task)

Assets to be protected related to information and data processing services should be inventoried. The purpose is to ensure that the cyber security is focused on the necessary information assets.

Inventory can be done directly in the management system, but an organization may have other, well-functioning inventory locations for certain assets (including code repositories, databases, network devices, mobile devices, workstations, servers, or other physical assets).

Describe in this task, which lists outside the management system are related to protection of information assets.

The organization shall list all relevant protected assets to determine ownership and to ensure that security measures cover all necessary items.

A large portion of the protected assets (including data sets, data systems, personnel / units, and partners) are treated through other tasks. In addition, the organization must list other important assets, which may be, depending on the nature of its operations, e.g. hardware (servers, network equipment, workstations, printers) or infrastructure (real estate, power generation, air conditioning). In addition the organization should make sure that relevant external devices are documented.

The organization must maintain a list of digital services provided and the owners designated for them. The owner is responsible for completing the information in the service and for any other security measures that are closely related to the service.

The documentation related to the digital service includes e.g. the following information:

• The type of digital service offered, the service category and the purpose of use
• Data controller and related processing agreements
• Key partners in the service supply chain and the distribution of security responsibilities (discussed in more detail in a separate task)