25 Exciting things to do with an Information Asset Register
Information is a vital, perhaps
the most vital, business asset for an organisation. Nearly everything an
organisation does involves using information in some way. It is used to support
effective decision making and facilitate ongoing operations and the delivery of
programmes, products and services; it evidences practices and performance,
business activity and transactions, rights and obligations. Information is the
glue that holds an organisation’s structures and processes together.
In
the age of big / dark data and evolving legal obligations, particularly around
privacy, as organisations seek to leverage their information content to unlock
value and identify risk, it is increasingly important for their data to be
fully understood, readily accessible and properly governed. Yet it is a valid
question to ask: Do we know
more about the value of our filing cabinets and computers than about the value
of the information they contain?
Given
our tacit understanding of the importance of importance of information, why is
it the elephant in the room when we look at formal asset management processes?
To change we need to recognise the worth and utility of information as a vital
business asset! Therefore information must be identified, profiled, understood
and proactively managed as a business asset. A comprehensive inventory in the
form of an Information Asset Register (“IAR”) will support this.
Below
I have listed (in no particular order of importance) 25 potentially beneficial
outcomes from populating, maintaining and interrogating an IAR.
1.
Understanding Relationships:
A related series of records sharing the same purpose (a "master
asset" if you will) might have a variety of constituent entities
("sub assets") in different formats - e.g. physical records, digital
content, database records. Identifying these within an IAR will enable an
understanding of their relationships and purpose over time.
2.
Security Classification:
Assets can be classified within the IAR to an approved security classification
/ protective marking scheme, with current protective measures recorded, in
order to identify if there are in any risks relating to the handling of
confidential personal or commercially sensitive information.
3.
Personal Data:
Specifically you can identify confidential personal information to ensure that
data protection / privacy obligations are met, for example in terms of security
and disposal.
4.
Ownership:
The ability to know - who owns what? Also to understand who owns both in terms
of corporate accountability and ownership of the actual information itself.
5.
Business Continuity:
Assets can be classified within the IAR to an approved scheme, with current
protective measures recorded, in order to identify if there are in any risks
relating to business critical ("vital record") information. You can
also identify the Recovery Point Objective (RPO) and Recovery Time Objective
(RTO) for assets to support a disaster recovery or data protection plan.
6.
Originality:
You can identify whether an asset is original or a copy, supporting decisions
on removing duplication and the optimisation of business processes.
7.
Heritage:
You can identify records of historical importance that can be transferred at
some stage to the custody of a corporate or third party archive.
8.
Formats:
The ability to understand the formats used for information, supporting
decisions on digital preservation or migration.
9.
Space Planning:
Data can be gathered for physical assets relating to their volume, footprint,
rate of accumulation, use, filing methods etc., in order to support office
moves and changes.
10.
Subject Matter:
If assets are tagged to a business classification scheme of functions and
activities, as well potentially to a keyword list, the organisation can
understand the "spread" of record types (e.g. who holds personnel,
financial, contractual records) and/or "discover" resources for
knowledge management or eDiscovery purposes.
11.
Archive Management:
The ability to understand what physical records (paper, backup tapes etc.) are
archived, where and when; this might for example identify risks in specific
locations or issues with the regularity of archiving processes. The
organisation can also understand its utilisation of third party archive storage
vendors - potentially supporting decisions on contract management /
consolidation - and maintain their own future-proof inventory of archive
holdings. Archive transactions can be recorded if there is no system to
otherwise do so.
12.
Location:
The "location" of an asset can of course be virtual or physical. The
benefits for archive management are explored above and for maintaining a system
catalogue below. Other examples might be to identify records to gather when
doing an office sweep following vacation of a floor or building, or what assets
are held in the cloud, or asset types within a given jurisdiction.
13.
Retention:
An IAR can be used both to link assets with approved records retention policies
and understand the policies and methods currently applied within the
organisation, therefore identifying queries, risks and issues. The IAR can also
be used to maintain the actual policies (across jurisdictions if applicable)
and their citations; if a law changes or is enacted, relevant assets can be
identified for any process changes to be made.
14.
Disposal:
An IAR can be used both to link assets with approved destruction or transfer
policies and understand the processes and methods currently applied within the
organisation, therefore identifying queries, risks and issues, particularly for
confidential information.
15.
Source:
The source of assets can be identified to understand where information is
derived from and better manage the information supply chain.
16.
Rights:
The rights held in and over assets can be identified, such as copyright and
intellectual property, in order to protect IPR and avoid infringement of the
rights of others.
17.
Applications Catalogue:
The application systems in use (e.g. content management, front and back office)
can be identified and be linked in locations, people, activities and of course
assets. Licensing and upgrade criteria could also be managed. It would also be
possible for example to identify system duplication or the use of home-grown
databases.
18.
Condition:
Both physical and digital assets can degrade: this can be identified for assets
with conservation / preservation actions taken accordingly.
19.
Age: The
age of assets can be established, with decisions made on further retention /
disposal, the need for archiving (historic or business) and potentially whether
they need to be superseded with newer resources.
20.
Organisation:
An understanding can be gained of whether structured systems and approaches are
in place to profile and organise physical and digital assets, identifying if
there are likely to be any issues with the finding information.
21.
Utilisation:
An understanding can be gained of whether assets are proposed, active,
inactive, discontinued / superseded, therefore enabling decision on their
format, storage, disposal etc.
22.
Sharing:
An IAR can be used to identify how information is shared within and without the
organisation, helping ensure that it is available as required, and that
suitable security measures and, where applicable, information sharing
agreements are in place.
23.
Provenance:
Fundamentally an IAR can provide an accountable audit trail of asset existence
and activity, including any changes in ownership and custody of the resource
since its creation that are significant for its authenticity, integrity and
interpretation.
24.
Publications:
Information produced for wider publication to an internal or external resource
can be identified, including for example the audience for whom the resource is
intended or useful, the channels used for distribution and the language(s) of
the content, thus facilitating editorial, production and dissemination
management and planning.
25.
Quality:
Observations can be recorded on the quality of assets (e.g. accuracy,
completeness, reliability, relevance, consistency across data sources,
accessibility), with risks and issues identified and managed.
In
summary, a high-performing organisation consistently improves its use of data
and information to increase its knowledge, thus leading to wisdom, insight and
innovation. Also the organisation is safer and more accountable if there is an
understanding of the legal issues and requirements for the entire corporate
information landscape and when ‘duty of care’ responsibilities are in place. I
see an IAR as a highly valuable tool to help deliver both these outcomes.
Regards
Pralhad Jadhav
Senior Manager @ Library
Khaitan & Co
No comments:
Post a Comment