Inventorying Your Information
You will need to prepare a list of the various types of information your business owns or manages and identify the Information Owner and where the information is stored or transmitted. As you compile the inventory, you should also work with the Information Owner to determine the classification.
Some suggestions for preparing the inventory:
- Never conduct an inventory by yourself. No one person in a business can know where all the information is located or be able to assess its importance. Put together a team from the various units within your business and make sure the team spans as many levels as possible. You will need input from both managers and administrators to obtain a complete perspective.
- Be creative. Sensitive information can be stored in places that may not be obvious. For example, emails are a major source of information and should always be included in the inventory. However, you should look further. Does your business use the Microsoft Outlook "Public Folders" functionality to share information across the corporation? Most of the information in these folders will probably look innocuous, leading you to conclude that most is either classified Public or Internal and not worth further investigation. However, if you look further you will likely find that employees place inappropriate information in Public Folders such as detailed Calendar information for senior executives, customer service issues (including Social Security Numbers and account numbers) that are freely shared by members of the service team, trouble tickets, client presentations, product development discussions, etc.
- Look for sources of "Knowledge". The phrase "Data Center" or the name of your company are not sources of sensitive information. However, combine the two on a prominent sign outside your data processing center and you have just provided knowledge to the outside world where the crown jewels are hidden. Granted, a persistent criminal will find your data center, regardless of whether you suppress all public information about it. The point is that a sign advertising the location of a sensitive building is important information and the business needs to consider the risks related to it.
- Use a checklist as a guide. Keep a checklist with you as a reminder of all the potential sources for information. For a sample, click here. You can also use the checklist to document the information you identified.
- Look for alternative media formats. Data stored on company computers and in file cabinets are obvious sources for information. However, data comes in all shapes and sizes. Your voicemail system stores information. Does your business maintain an electronic or microfiche storage system? Do you store your documents with an off-site storage vendor? Do your employees work from home and store company information on their home PC's? Do people in your business use PDA's, BlackBerries, or flash memory devices to store corporate information? Does your business use Instant Messaging, erooms, Web conferencing or other collaborative applications to share information?
- Inventory your vendors. Many businesses rely on third parties to store or process company data. Does your business use a third party Internet service provider or other vendor to provide company applications on the Internet? Has your business outsourced its helpdesk or security administration functions? Do you use applications on the Internet to process company transactions?
©2009 ISRMC, LLC