Information Asset Inventory Instructions

A. Reason for Inventory

The intent of this Inventory is to be the authoritative list of information assets associated with a project.  This includes the information (data) itself as well as the systems used by project members to interact with and disseminate that information.

Section 1 contains an inventory of the project's information, organized by information type.  Section 2 contains an inventory of the physical systems, organized by type.

The Inventory tables are an effective way to document exactly what information and information systems a project has.  It is essential that the inventory reflect the existing state of affairs at the time of documentation, rather than what is planned or intended.

It is best practice to update this inventory whenever any of the information it contains changes; this has proven to be lower overhead than doing a monthly or quarterly update to the inventory.

B. Responsible Office and / or Officer

The Project Owner / IT Custodian is responsible for ensuring this Inventory is kept up to date.

The LDEO IT Department is responsible for maintenance of the Inventory templates and these instructions, and for responding to questions regarding them.  

C. Procedure

Download the LDEO Information Asset Inventory template from https://www.ldeo.columbia.edu/it/templates/[Project_Name]_Information_Asset_Inventory.ods and fill out a separate copy for each project, or combine them all under a group or lab name.

1. Information

The first section is for listing the information associated with a project.  Information is any communication or representation of knowledge, such as facts, data, or opinions in any form, including textual, numerical, graphic, narrative, or visual.

1.1 Data

This section lists data used and / or generated by this project.

1.2 Credentials

This section lists credentials used to access the data in this project - this includes username / password pairs, cryptographic keys generated for SSH access, AWS instance keys, etc.

1.3 Configuration

This section lists configuration data required for this project.  This includes software settings…

1.4 Licenses

This section lists licenses required for this project.

2. Information Systems

The second section is for listing Information Systems.   An information system is a discrete set of information and related resources (such as people, equipment, and information technology) organized for the collection, processing, maintenance, use, sharing, dissemination, and/or disposition of information.  The entries for these systems include all information required to register the systems with CUIT.

2.1 Servers

This section lists data processing / storage servers for this project, including SAN, cloud instances, Docker containers, etc.  This section is intended for multiple-access shared systems.

2.2 Workstations

This section lists personal workstations / PCs used to access data for this project.  This section is for single-access systems.

2.3 Mobile Devices

This section lists personal laptops / tablets / smartphones used to access data for this project.

D. Column Instructions

This section describes the expected entries in each column of the Information Asset Inventory.

Asset Name

A short name to unambiguously identify the asset.

Short Description

Describe the asset - if there is no entry in the “Details” column, this should include where it is and how it is accessed.  For hardware, include the type of equipment, model name and serial number, if possible.

Owner

Who is responsible for this asset?

IT Custodian

Who is the IT Custodian in charge of this asset?

Details

Where is there more information about this asset?

Data Classification

This entry provides the Data Classification for the information stored on or accessed by the asset.  If information with more than one Data Classification is present on a system, the higher level of sensitivity and security will apply to that system. See /content/data-classification for more details.

Key

Answer Yes in this column if the Asset is determined to be a key asset in the context of Business Continuity.  In other words, would loss of access to this asset be detrimental to the continued operation of the project?

For further details, see the Business Continuity and Disaster Recovery Procedure here: /content/business-continuity-and-disaster-recovery-procedure.