Asset management: quick guide and templates

If you want to apply effective security controls, knowing what assets you have is essential. It’s far easier to protect things that you know about, which is why we have asset registers or lists of our assets so that we know what we have, where it is and who is in charge of it.

Label your stuff

An asset register should contain some key fields to make the tracking and identification of assets easier. Consider developing a system of unique IDs for each item in the register(s), which can save confusion about overlapping technologies or multiple identical items. Asset tags can allow you to label physical devices. For each asset, your records must include at least a category name that groups similar asset types, for example laptops or staff records.

Know where it is

Are your assets on a local computer, cloud storage, on social media, a member of staff’s computer, a USB stick, a database, or in a filing cabinet? Are they located at home, the main office, or in a storage unit? If the asset is fixed, record the location. If the asset is mobile, record who uses it and/or where it is typically used.

Rate its importance

The relative value and impact of losing the asset can be assessed and recorded. Common systems to rate an asset’s importance include high/medium/low and red/amber/green.

Assign ownership

Having a named owner for each asset ensures that someone is accountable for the activities required to keep it secure. Asset owners should set the rules around assets such as who can access them and the retention period.

Review your asset register

Once you have created your asset register(s), you need to review it regularly and keep the information up to date. When you buy new equipment or software, or change systems, be sure to log it in the asset register, and when you move something or discard it, update your list.

Three types of lists

Identifying and recording an organisation’s physical assets, software, data, essential staff and utilities is important, but from a data security and protection perspective, we are interested in three types of lists in particular: hardware and software assets; information assets; and records of processing. You can keep separate lists, or registers, or combine them into one document.

Digital asset register (DAR)

This is a list of the digital devices, or hardware, and the computer software that your organisation uses. All of your software needs to be licensed and supported. This means that you have a legal right to use it and that a vendor has committed to support it by providing regular security updates. All software and hardware eventually become out of date. A digital asset register can help organisations identify when systems will reach end of support and plan ahead.

Download and adapt our Digital Asset Register template.
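
As an added example (not part of the original guide or its templates), the script below checks a register exported as CSV for the fields described above and flags assets that are past or near end of support. The column names, the sample rows and the 180-day warning window are assumptions made for this example.

```python
import csv
import io
from collections import Counter
from datetime import date, timedelta

# Constructed sample register; the column names are assumptions for this example.
SAMPLE_REGISTER = """asset_id,category,location,importance,owner,end_of_support
HW-001,laptop,Main office,high,A. Manager,2030-01-31
HW-002,laptop,Home (staff use),medium,,2026-03-31
HW-002,tablet,Main office,low,B. Lead,2029-06-30
SW-001,payroll software,Cloud,critical,C. Owner,2024-12-31
SW-002,antivirus,Main office,high,B. Lead,
"""
RATINGS = {"high", "medium", "low"}  # one rating scheme the guide mentions
REQUIRED = ("asset_id", "category", "location", "importance", "owner")


def check_register(text, today, warn_days=180):
    """Return a sorted list of (asset_id, problem) findings for a CSV register."""
    rows = list(csv.DictReader(io.StringIO(text)))
    ids = Counter(r["asset_id"].strip() for r in rows)
    findings = [(a, "duplicate ID") for a, n in ids.items() if a and n > 1]
    for r in rows:
        aid = r["asset_id"].strip() or "<no id>"
        for field in REQUIRED:
            if not (r.get(field) or "").strip():
                findings.append((aid, f"missing {field}"))
        rating = (r.get("importance") or "").strip().lower()
        if rating and rating not in RATINGS:
            findings.append((aid, f"unknown rating '{rating}'"))
        eos = (r.get("end_of_support") or "").strip()
        try:
            eos_date = date.fromisoformat(eos) if eos else None
        except ValueError:
            findings.append((aid, f"unreadable date '{eos}'"))
            continue
        if eos_date is None:
            findings.append((aid, "no end-of-support date recorded"))
        elif eos_date < today:
            findings.append((aid, "out of support"))
        elif eos_date <= today + timedelta(days=warn_days):
            findings.append((aid, f"end of support within {warn_days} days"))
    return sorted(findings)


if __name__ == "__main__":
    for asset_id, problem in check_register(SAMPLE_REGISTER, date(2026, 1, 1)):
        print(f"{asset_id}: {problem}")
```

Running a check like this at each register review gives the asset owners a short list of entries to correct.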

Information asset register (IAR)

To comply with data protection legislation, information needs to be protected. To do so, you need to know what data you have, where it is stored, who is responsible for it and what you consider most sensitive, and to record the security measures that you apply to protect that information, for example a locked filing cabinet or passwords.

Download and adapt our Information Asset Register template.

Record of processing activities (ROPA)

You also need to track the types of personal data that are shared with others, for example assessments, prescriptions, payslips, or care plans. This list is called a record of processing activities and should detail how the data is shared and how your organisation keeps it safe when transferring it.

Download and adapt our ROPA template.