The document outlines a 5-step framework for managing an organization's information asset register. Step 1 involves defining key stakeholders such as the privacy, compliance, and information security teams. Step 2 has organizations create an information asset register and supplier register. Step 3 maps current assets to suppliers and information sharing agreements. Step 4 establishes relevant processes around risk assessment, projects, and third parties. Step 5 involves a phased rollout of the solution across business units. The overall framework provides guidance on classifying, risk assessing, and tracking an organization's information assets and how they are shared.
1. Managing Information Asset Register
By Ben Oguntala, LLB, LLM
Ben.oguntala@dataprotectionofficer.com
How many information assets do you have, what are they and with whom are they shared?
2. Our 5 simple steps
1 Define the key stakeholders
2 Create your IAR & supplier register
3 Map current IAR to Suppliers & ISA
4 Create the relevant processes
5 Solution roll out
3. Overview of the framework
THE KEY STAKEHOLDERS
Privacy team, Compliance team, Information security, Business units
Access given to these teams to ensure a consolidated coverage.
www.dataprotectionofficer.com
CREATE YOUR IAR/PR/3PR & ISA
The databases provided:
- IAR – Information Asset Register
- Project register
- 3rd party register
- ISA – information sharing agreements
Business unit | Projects | IAR | 3rd parties | ISA
Business unit 1 | 13 | 9 | 12 | 6
Business unit 2 | 13 | 9 | 12 | 6
Business unit 2 | 13 | 9 | 12 | 6
Business units can be structured according to the hierarchy of your organisation
4. 1 Define the key stakeholders
Team | Role | Benefits
Procurement team | Supply of the list of suppliers | Procurement are best placed to know which suppliers you deal with
Privacy team | Supply the ISA template, PIA & approval | As part of compliance the ISA is used with all 3rd party data exchanges.
Compliance team | Supply compliance baseline | Compliance ensures all policies and procedures are adhered to.
Information security function | Supply risk assessment | Play an operational role in assessing projects & changes to your organisation
Business units | Supply Information Assets, projects & changes | All business units listed including sub business units and Partners
5. 2 Create your IAR & supplier register
Team | Role
Procurement team | Supply of the list of suppliers
Privacy team | Supply the ISA template, PIA & approval
Compliance team | Supply compliance baseline
Information security function | Supply risk assessment
Business units | Supply Information Assets, projects & changes
[Diagram labels: 3rd party register, ISA, IAR, Project register]
6. 2 Create your IAR & supplier register
Business unit: Organisation hierarchy
7. 2 Create your IAR & supplier register
The Asset Register
Buena Ventura
8. 2 Create your IAR & supplier register
Editing the Information Asset Register
Risk impact assessment
Asset details include format, location, input & output.
9. 3 Map current IAR to Suppliers & ISA
List of 3rd parties that the information asset is shared with
Detailed view
3rd parties
10. 3 Map current IAR to Suppliers & ISA
Details of the Asset Register
3rd parties
Each asset is risk assessed, classified, has an owner assigned, and lists the no. of 3rd parties it is shared with.
11. 4 Create the relevant processes
[Process diagram. Labels: List of Information Assets; New information Asset registration; Project/Asset mapping; New/change project; Project/asset/supplier mapping; New supplier registration; Business units; Projects; 3rd parties; IAR; ISA; Compliance; Information asset. Counts shown: IAR 87, Projects 32.]
12. 4 Create the relevant processes
[Diagram. Labels: Risk rating; Incident management; Types of assets; Information Asset; Business unit; 3rd party supplier register; 3rd parties; Total no. of Assets; Project/Asset; Information security; compliance; Data Protection officer; Privacy team.]
• Privacy impact assessment
• contract
• Information sharing agreement
Business units | Asset ID | Owner | Classification | Record type | ISA | Suppliers | Review date
HR | 901 | A smut | Restricted | Full customer info | 5 | MOJ | 23/09/10
Sales | 789 | S Red | Unrestricted | Customer financials | 7 | OMG | 13/12/10
Marketing | 456 | N Ball | financial | Customer | 3 | Detica | 02/06/11
Procurement | 123 | W Ed | Restricted | Record type | 1 | Logica | 04/01/11
13. 5 Solution roll out
Phased roll out: Pilot, Operation
Stakeholders: Procurement team, Privacy team, Compliance team, Information security, Business units
Business unit | Projects | IAR | 3rd parties | ISA
Business unit 1 | 13 | 9 | 12 | 6
Business unit 2 | 13 | 9 | 12 | 6
Business unit 3 | 13 | 9 | 12 | 6
Business unit 4 | 13 | 9 | 12 | 6
14. Contact details
To know what Information Assets you have and
with whom you are sharing them, contact
• Ben Oguntala, LLB, LLM
• Ben.oguntala@dataprotectionofficer.com
• 07812 039 867
• www.dataprotectionofficer.com