Developing corporate information security – Step 2: Identify assets

This post is part of the Developing information security series. Please, start reading from the first post.

What is really important for your company?  What are the information assets that your business is most dependent on?

Information assets  include documents, data and information systems. It is crucial that company knows what to protect. Every company have different assets to protect and assets may vary during the different phases of the company.

Typical assets to protect are:

  • Business information
  • Customer information
  • Product development information
  • Sales information
  • Production information
  • Human resources information
  • Critical information systems
  • Etc.

Let’s take a look at what is important for our case company DeepWhite Software.

Case DeepWhite Software – Identifying assets

DeepWhite gathers cross organisational team for identifying important assets.

Current business is based on customer deliveries. Although most of the projects are done in customer premises, there are cases that are developed in DeepWhite premises. DeepWhite has own development environment for these cases. The company doesn’t have own production servers; part of the customer deliveries are hosted at 3rd party cloud service and managed by DeepWhite.

Projects that are done in customer premises are all hosted by customer’s IT department. As described in first post, DeepWhite is launching own product development and this requires separate development environment. 

DeepWhite’s information security team identifies following assets during their sessions:

  • Customer project development information and systems (including development servers, testing servers, version control system, source code, design documents etc.)
  • Product development information and systems
  • Bug tracking / ticketing system
  • Production servers
  • Finance information (billing, bookkeeping etc.)
  • Human Resources system

These are information assets that DeepWhite is most dependent on. These shall be protected at required level.

Step 2: Identify critical information assets

What risks and threats are identified assets facing? Next step is concentrating on threats and risk management.

Do you think that DeepWhite should have identified more assets? Please, feel free to share your own experience.

Posted on November 24, 2013, in Corporate security and tagged , , , . Bookmark the permalink. Leave a comment.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: