Friday, October 21, 2016

25 Exciting things to do with an Information Asset Register



25 Exciting things to do with an Information Asset Register

Information is a vital, perhaps the most vital, business asset for an organisation. Nearly everything an organisation does involves using information in some way. It is used to support effective decision making and facilitate ongoing operations and the delivery of programmes, products and services; it evidences practices and performance, business activity and transactions, rights and obligations. Information is the glue that holds an organisation’s structures and processes together.

In the age of big / dark data and evolving legal obligations, particularly around privacy, as organisations seek to leverage their information content to unlock value and identify risk, it is increasingly important for their data to be fully understood, readily accessible and properly governed. Yet it is a valid question to ask: Do we know more about the value of our filing cabinets and computers than about the value of the information they contain?

Given our tacit understanding of the importance of importance of information, why is it the elephant in the room when we look at formal asset management processes? To change we need to recognise the worth and utility of information as a vital business asset! Therefore information must be identified, profiled, understood and proactively managed as a business asset. A comprehensive inventory in the form of an Information Asset Register (“IAR”) will support this.

Below I have listed (in no particular order of importance) 25 potentially beneficial outcomes from populating, maintaining and interrogating an IAR.

1. Understanding Relationships: A related series of records sharing the same purpose (a "master asset" if you will) might have a variety of constituent entities ("sub assets") in different formats - e.g. physical records, digital content, database records. Identifying these within an IAR will enable an understanding of their relationships and purpose over time.

2. Security Classification: Assets can be classified within the IAR to an approved security classification / protective marking scheme, with current protective measures recorded, in order to identify if there are in any risks relating to the handling of confidential personal or commercially sensitive information.

3. Personal Data: Specifically you can identify confidential personal information to ensure that data protection / privacy obligations are met, for example in terms of security and disposal.

4. Ownership: The ability to know - who owns what? Also to understand who owns both in terms of corporate accountability and ownership of the actual information itself.

5. Business Continuity: Assets can be classified within the IAR to an approved scheme, with current protective measures recorded, in order to identify if there are in any risks relating to business critical ("vital record") information. You can also identify the Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for assets to support a disaster recovery or data protection plan.

6. Originality: You can identify whether an asset is original or a copy, supporting decisions on removing duplication and the optimisation of business processes.

7. Heritage: You can identify records of historical importance that can be transferred at some stage to the custody of a corporate or third party archive.

8. Formats: The ability to understand the formats used for information, supporting decisions on digital preservation or migration.

9. Space Planning: Data can be gathered for physical assets relating to their volume, footprint, rate of accumulation, use, filing methods etc., in order to support office moves and changes.

10. Subject Matter: If assets are tagged to a business classification scheme of functions and activities, as well potentially to a keyword list, the organisation can understand the "spread" of record types (e.g. who holds personnel, financial, contractual records) and/or "discover" resources for knowledge management or eDiscovery purposes.

11. Archive Management: The ability to understand what physical records (paper, backup tapes etc.) are archived, where and when; this might for example identify risks in specific locations or issues with the regularity of archiving processes. The organisation can also understand its utilisation of third party archive storage vendors - potentially supporting decisions on contract management / consolidation - and maintain their own future-proof inventory of archive holdings. Archive transactions can be recorded if there is no system to otherwise do so.

12. Location: The "location" of an asset can of course be virtual or physical. The benefits for archive management are explored above and for maintaining a system catalogue below. Other examples might be to identify records to gather when doing an office sweep following vacation of a floor or building, or what assets are held in the cloud, or asset types within a given jurisdiction.

13. Retention: An IAR can be used both to link assets with approved records retention policies and understand the policies and methods currently applied within the organisation, therefore identifying queries, risks and issues. The IAR can also be used to maintain the actual policies (across jurisdictions if applicable) and their citations; if a law changes or is enacted, relevant assets can be identified for any process changes to be made.

14. Disposal: An IAR can be used both to link assets with approved destruction or transfer policies and understand the processes and methods currently applied within the organisation, therefore identifying queries, risks and issues, particularly for confidential information.

15. Source: The source of assets can be identified to understand where information is derived from and better manage the information supply chain.

16. Rights: The rights held in and over assets can be identified, such as copyright and intellectual property, in order to protect IPR and avoid infringement of the rights of others.

17. Applications Catalogue: The application systems in use (e.g. content management, front and back office) can be identified and be linked in locations, people, activities and of course assets. Licensing and upgrade criteria could also be managed. It would also be possible for example to identify system duplication or the use of home-grown databases.

18. Condition: Both physical and digital assets can degrade: this can be identified for assets with conservation / preservation actions taken accordingly.

19. Age: The age of assets can be established, with decisions made on further retention / disposal, the need for archiving (historic or business) and potentially whether they need to be superseded with newer resources.

20. Organisation: An understanding can be gained of whether structured systems and approaches are in place to profile and organise physical and digital assets, identifying if there are likely to be any issues with the finding information.

21. Utilisation: An understanding can be gained of whether assets are proposed, active, inactive, discontinued / superseded, therefore enabling decision on their format, storage, disposal etc.

22. Sharing: An IAR can be used to identify how information is shared within and without the organisation, helping ensure that it is available as required, and that suitable security measures and, where applicable, information sharing agreements are in place.

23. Provenance: Fundamentally an IAR can provide an accountable audit trail of asset existence and activity, including any changes in ownership and custody of the resource since its creation that are significant for its authenticity, integrity and interpretation.

24. Publications: Information produced for wider publication to an internal or external resource can be identified, including for example the audience for whom the resource is intended or useful, the channels used for distribution and the language(s) of the content, thus facilitating editorial, production and dissemination management and planning.

25. Quality: Observations can be recorded on the quality of assets (e.g. accuracy, completeness, reliability, relevance, consistency across data sources, accessibility), with risks and issues identified and managed.

In summary, a high-performing organisation consistently improves its use of data and information to increase its knowledge, thus leading to wisdom, insight and innovation. Also the organisation is safer and more accountable if there is an understanding of the legal issues and requirements for the entire corporate information landscape and when ‘duty of care’ responsibilities are in place. I see an IAR as a highly valuable tool to help deliver both these outcomes.

Regards

Pralhad Jadhav
Senior Manager @ Library
Khaitan & Co

No comments:

Post a Comment