Handling assets the right way | Asset classification & management (2024)

Anything that is of value to you is an asset. Anything that you would like to protect is an asset.

This definition is crucial, because it will help you recognize assets in such a manner that you can fit them into your 3P framework. So, what are some of the assets you know?

• The building your office is in
• The computer you use
• The antivirus software your sysadmin installs
• The software you use to manage your business
• The code you develop
• The printer you use

If you want to list all the assets you would like to protect, it will become a laborious, complicated task. Where do you start, and how do you go about it? Two things will come to your rescue:

• Asset classification
• Its relation to the 3P framework

Asset classification

There is no single right way to classify and manage assets, and it depends on the nature of your organization. However, for aiding compliance, the method of classification below might serve you well:

Information, being the focal point of your classification, will help you make some crucial calls regarding which assets should be protected the best.

All non-information assets can be protected physically or procedurally depending on which ones are most critical. However, in terms of compliance, information assets require a more elaborate approach. But first, we must understand what personal data is.

Note: While creating the list of all assets in your company, the assets can be tagged to indicate which category they fall under. This can be done with the help of a unique symbol or a color code that indicates various categories of data.

Personal data

Article 4 of the GDPR defines personal data as "any information relating to an identified or identifiable natural person."

What we consider personal data depends on how we analyze this definition.

For example, the monetary value of a house is:

• Personal data, if it is used for tax purposes.
• Not personal data, if it is used for real estate purposes.

As you can see, data can be personal depending on the situation. To be on the safe side, it’s best to treat all data with the same importance as personal data.

Personally identifiable information (PII): Any information about an individual, maintained by a person or an organization, that can be used to distinguish or trace an individual either directly or indirectly.

PII is a subset of personal data and has more implications if it is breached since it can be used to directly identify an individual and could lead to the compromise of that individual’s rights and freedom. Here are some examples:

• Name, such as full name, maiden name, mother’s maiden name, or alias
• Personal identification number, such as Social Security Number (SSN), Aadhar number, passport number, driver’s license number, taxpayer identification number, financial account number, or credit card number
• Address information, such as street address or email address
• Personal characteristics, including photographic image (especially of face or other identifying characteristic), fingerprints, handwriting, or other biometric data (e.g. retina scan, voice signature, facial geometry)
• Information about an individual that is linked or linkable to one of the above examples

Information asset register (IAR)

The systematic recording and maintaining of all information assets is know as the IAR. This database is the single most effective tool to comply with the accountability principle of the GDPR, and it will greatly simplify your compliance with many other laws and standards.

For each activity, the accountable person should be in charge of creating and maintaining the IAR.

The are two components that form the IAR:

• Activity register and the RACI matrix
• Data flow diagrams

The activity register and RACI matrix form the base of the IAR, which is then built upon with the help of data flow diagrams.

Data flow diagrams (DFDs)

The activity register and RACI matrix should give you the list of all activities.

Each activity in that list will involve information assets.

• How is the information asset treated?
• How is it captured?
• Where does it originate from?
• Where does it get stored?
• How does it get processed?
• Whom is it shared with?

A pictorial representation of the answer to all the above questions is a DFD.

Data:

It can be one asset like an email address or phone number, or it can be a list of assets if all of them are going to receive the same treatment.

For example, Zylker's marketing team performs the activity of collecting the list of participants for a corporate event. This is what the data involved will look like:

Origin:

Where this activity acquired the data from. It can be from a customer, a database, another organization, or publicly available sources. Zylker collects this information directly from customers.

Capture:

The means through which the data was acquired.

The data could also be captured through emails, interviews, a cloud application, or any other means.

Process:

How this data is utilized in the activity.

The data could be emailed, used to run a machine learning algorithm, used for analytics, or used for any other process.

Share:

The data can be shared internally with other employees or teams, or with third parties. In this example, the data is shared with an event management company.

Purpose

Identifying the purpose of processing data is helpful for complying with most standards. In the example above, the summary of data collected was displayed. What is the purpose of that? Likewise, what is the purpose of sharing data with third parties or other internal groups?

The purpose can either be a part of the DFD, or it can be mentioned along with the RACI matrix. The latter option is recommended, as it makes it easier to compile all your information into a single document that can be submitted to the authorities when required.

Scope of an IAR: Process and product

Chapter 4 of the GDPR clearly provides the obligations of controllers and processors. More than just listing out rules, this part of the GDPR can help you derive clarity into what your IAR should look like.

There are two ways to create DFDs for your processes:

• DFD for the process
• DFD for the product

Both of these are equally important, as they are useful during different times when you're in the middle of an audit.

Process DFDs are created from the standpoint of your company's functions. This is where you are the controller—you own the information assets and can decide how they are processed. The above example of Zylker's event management DFD is a typical one for process DFDs.

Product DFDs are created from the standpoint of your product. Here, the information assets are inside your product and they belong to your customers and/or users of the product. You might still find these assets in your data center or somewhere you can access, but they do not belong to you.

This point becomes critical when you do risk analysis.

Product DFDs

If we were to create a DFD for Zylker's Think platform, it would be from the universe of the platform itself. In fact, each feature can have a DFD. Lisa Bingel's test module will have the following DFD:

Each feature for which a person is accountable should have a DFD. The collection of all such DFDs will be the product DFD.

It is preferable to maintain separate IARs for your processes and your products.

IARs and the 3P framework

In a 3P framework, the right-most entity is the product. The list of all instances of this entity will give you the list of products. The entity in the middle is the process. We have already framed this as the list of activities, and if you've been following along in this guide, you will have already mapped it to the employees in your organization.

As a result, you now have documents that will describe your process and your product. The challenge now is maintaining this documentation by capturing any changes.

Non-information assets

The most practical way to deal with these assets is the same as how you handle information assets: mapping them to the 3P framework.

In a few simple steps, you can get the list of all the assets in your organization:

• Accountable people in the RACI matrix list out the assets involved in the activities they are accountable for. They can do this by simply adding a column to the RACI matrix.
• With Illustration 8 as the reference, each asset is tagged.

If you filter out the unique elements of the Asset column, you have the list of non-information assets.

The SPA touch

When those accountable for a process need help, there's no better team to offer assistance than the SPA team. However, the SPA team should offer more than just clarification on accountable individuals’ doubts; it should also provide:

• Templates for DFDs for different kinds of activities.
• Tools to make creating the IAR easier.
• A comprehensive IAR for one team so that everyone else can use it as an example.
• Constant follow-up and review of IARs.