Information Asset Inventory Instructions
A. Reason for Inventory
The intent of this Inventory is to be the authoritative list of information assets associated with a project. This includes the information (data) itself as well as the systems used by project members to interact with and disseminate that information.
Section 1 contains an inventory of the projects information organized by information type. Section 2 contains an inventory of the physical systems organized by type.
The Inventory tables are an effective way to document exactly what information and information systems a project has. It is essential that the inventory reflect the existing state of affairs at the time of documentation, rather than what is planned or intended.
It is best practice to update this inventory whenever any of the information contained has changed – this has proven to be lower overhead than doing a monthly or quarterly update to the inventory.
B. Responsible Office and / or Officer
The Project Owner / IT Custodian is responsible for ensuring this Inventory is kept up to date.
The LDEO IT Department is responsible for maintenance of the Inventory templates and these instructions, and for responding to questions regarding them.
C. Procedure
Download the LDEO Information Asset Inventory template from here: https://www.ldeo.columbia.edu/it/templates/[Project_Name]_Information_Asset_Inventory.ods and fill out a separate copy for each project or combine them all under a group name, or lab.
1. Information
The first section is for listing the information associated with a project. Information is any communication or representation of knowledge, such as facts, data, or opinions in any form, including textual, numerical, graphic, narrative, or visual.
1.1 Data
This section lists data used and / or generated by this project.
1.2 Credentials
This section lists credentials used to access the data in this project - this includes username / password pairs, cryptographic keys generated for SSH access, AWS instance keys, etc.
1.3 Configuration
This section lists configuration data required for this project. This includes software settings…
1.4 Licenses
This section lists licenses required for this project.
2. Information Systems
The second section is for listing Information Systems. An information system is a discrete set of information and related resources (such as people, equipment, and information technology) organized for the collection, processing, maintenance, use, sharing, dissemination, and/or disposition of information. The entries for these systems include all information required to register the systems with CUIT.
2.1 Servers
This section lists data processing / storage servers for this project, including SAN, cloud instances, Docker containers, etc. This section is intended for multiple access shared systems.
2.2 Workstations
This section lists personal workstations / PCs used to access data for this project. This section is for single access systems.
2.3 Mobile Devices
This section lists personal laptops / tablets / smartphones used to access data for this project.
D. Column Instructions
This section describes the expected entries in each column of the Information Asset Inventory.
Asset Name
A short name to unambiguously identify the asset.
Short Description
Describe the asset - if there is no entry in the “Details” column, this should include where it is and how it is accessed. For hardware, include the type of equipment, model name and serial number, if possible.
Owner
Who is responsible for this asset?
IT Custodian
Who is the IT Custodian in charge of this asset?
Details
Where is there more information about this asset?
Data Classification
This entry provides the Data Classification for the information stored on or accessed by the asset. If information with more than one Data Classification is present on a system, the higher level of sensitivity and security will apply to that system. See /content/data-classification for more details.
Key
Answer Yes in this column if the Asset is determined to be a key asset in the context of Business Continuity. In other words, would loss of access to this asset be detrimental to the continued operation of the project?
For further details, see the Business Continuity and Disaster Recovery Procedure here: /content/business-continuity-and-disaster-recovery-procedure.