Ngā rawa mōhiohio - Te Tautuhi
Information assets - Identification
There is no set process on how an organisation defines what is and what isn’t an information asset. Discovery is the first step to identifying what information assets are held by an organisation, who is responsible for them, how they are held and managed, what strategic and operational objectives they support, and how they are used throughout the organisation and its ecosystem.
A public sector organisation may already have existing resources it can use to help in this discovery, for example, an approved disposal authority, business process maps, and information audit reports or surveys.
Information asset checklist
Organisations are encouraged to use the following steps when identifying their information assets, as well as when assessing and determining their preliminary value and risk. These steps can be used during an information audit, profiling exercise, or as a quality assurance mechanism prior to documenting in an information asset register.
An information asset should be documented even if the status of the information grouping remains unclear. Even with the best guidelines, areas of ambiguity and doubt about the status of some groupings may exist. Ultimately, if an organisation is in doubt about the status of a particular grouping of information and records, it is recommended to treat them as a single asset and document this in the information asset register. Subsequent review will allow for further refinement if required.
Step 1: Assessing
To determine whether something is an information asset or not, ask the following questions:
Does the asset have a value to the organisation? Will it cost money to reacquire? Would there be legal, reputational or financial repercussions if it cannot be reproduced on request? Would there be an effect on operational efficiency if it could not be accessed easily? What would be the consequences of not having it?
What is the level of risk associated with the asset? Risks may include: loss, inaccuracy, tampering, or inappropriate disclosure.
Does the organisation understand the content of the asset and what it is for? Does the asset include all the context necessary to understand and identify it?
Does the asset have a manageable lifecycle? Were all the constituent parts created for a common purpose? Can they be disposed of in the same way and according to the same rules?
Questions
Question 1a: Are the digital records used as input or output of a business process? Yes/No
Question 1b: Are the digital records used in a decision-making process? Yes/No
Question 1c: Are the digital records used to evaluate a rule or condition? Yes/No
Question 1d: Are the digital records subject to a typical lifecycle (i.e., create, store, access, use, maintain and dispose)? Yes/No
Question 1e: Are the digital records received from an external organisation or source and exchanged on a regular basis? Yes/No
If the answer to any one of the questions in step 1 is ‘Yes’, a potential information asset has been identified and can be grouped under step 2. If the answer is ‘No’ to all questions, this is probably reference information that need not be documented.
Step 2: Grouping
An information asset is a grouping of information, records and/or data with a logical, dominant concept having a common purpose or function, rather than determined by related applications or technologies.
Assessing every individual file, database entry or piece of data an organisation holds as an information asset isn’t realistic or useful. Aggregate or group information and records into manageable units - an information asset is defined at a level of granularity that allows its constituent parts to be managed usefully as a single unit.
If the information grouping is too broad, there will not be enough detail to manage the asset, too fine and there will be too many assets to manage effectively. Similarly, if identifying the dominant concept is difficult, it may indicate that the asset is too large and needs to be split into smaller, more conceptually distinct groupings. If only one concept can be identified, the asset may be too narrowly scoped.
Points to note:
Organisations should group information assets according to their business needs and objectives, not by their technology requirements.
If a piece of information could logically belong within two different assets, to avoid conflicts of ownership and control, choose one.
If information assets contain other assets, clear rules are needed for their different management and retention.
Information groupings may change over time, for example, one asset may contain items that will be archived.
Questions
Question 2a: Does the information asset represent a collection of business information and records?
No – Go to Q2b.
Yes – Go to Q2c.
Question 2b: Are the digital records part of an existing information asset?
No – Identify any other information that comprises the asset as in step 1. Then go to Q2c.
Yes – Merge the information assets and adjust the description. Return to step 1.
Question 2c: Does the digital records contain a logical, dominant concept?
No – Divide the information asset into smaller groupings and adjust the description. Return to step 1.
Yes – Go to step 3.
Step 3: Naming
In the majority of cases, a single system or application will contain multiple information assets. Information assets are considered to be conceptually separate from, and exist independently of, the system or application that contains them.
Questions
Question 3a: Is the information asset already named independently of any system or application?
No – Revise the name in consultation with business representatives.
Yes - Document the information asset in an information asset register.
Question 3b: Is the information asset named using the organisation’s common business terminology?
No – Revise the name in consultation with business representatives.
Yes - Document the information asset in an information asset register.