INFORMATION IS AN ASSET
Executives and directors: you know more than you think!
Information is just another asset, and a company must maintain a clear asset register and optimise the asset lifecycle. As an executive or director, managing your financial assets is a fundamental skill that you already possess. Therefore, I believe you already have the skills and knowledge to protect your company from the severe impacts of cyber attacks by managing information as an asset. To be clear, you may still suffer cyber attacks, but the impact should be lower.
Information is an intangible asset. Its value drives a number of critical business processes, such as business continuity planning, data processing and storage, security risk rating and mitigation, and access management.
Just as a lack of cash can halt a business, a loss of vital information can stop operations just as quickly. So do you take note of how your information is managed, nearly as much as how your money is managed? You should.
Here is how to do that: treat information like an asset, just as you do in financial management. Make sure you know its value to your business operations. Make sure you govern its use and management. Make sure you receive reporting on it. Your management should:
Have a senior manager or executive own each information set, so that someone is accountable for its protection, and identify the custodians and users of the information.
Understand what the information sets are, how they are created, processed and stored, and who has access to them.
Understand how valuable your information sets are, and which information is critical to keeping the business operating.
Be able to tell you what you need to invest in to protect your information.
Understand which information sets would result in significant business impact if they were lost, stolen, inaccurate or accessed without authorisation.
Have clear, effective procedures in place to detect and respond if the information is compromised.
Key questions to put to your management team
Here are just a few questions to ask your senior management team.
Do we have an information asset register?
Are our critical information assets covered by the response processes in our BCP and DR plans?
Do we track security risks to our information, and do we have a security risk register?
Do we know which third parties process and store our information? Have we done due diligence on them?
Do we have a Privacy Officer who understands where all the information about people is stored and how secure it is? Do they understand the 13 information privacy principles in the Privacy Act 2020, and the privacy legislation of any other jurisdictions you do business in?
Do our staff have policy and guidance on how they manage the company's information? These should cover handling processes such as access, storage, encryption, transfer/transit, retention and disposal.
Where to start
Here is a short 'starter for ten' list of the information sets that most businesses have, and some that certain industries have. Chuck them in a table and fill in a heap of columns on key concerns (because it is a going concern… see what I did there).
Column headers could be ‘Owner’, ‘Custodians’, ‘Location’, ‘Retention’, ‘Privacy impact’, ‘Confidentiality impact’, ‘Integrity impact’, ‘Availability impact’, ‘BCP ref’ and whatever else you measure its value against.
Information sets:
Staff data
Financial information
Client information
Business policy and process/SoPs
Public information / Marketing / Branding
Some industry specific examples include:
Software / SaaS providers: Source code, SDLC and/or CI/CD pipeline
Manufacturing/construction: Product design or Architecture
Research/Education: Research project data and analysis data, or the same data split into the layers of its data structure.
Utilities: Physical infrastructure data
Information sets can also be categorised into Technical, Financial and Operational if it makes sense for the company to take that approach to how it is managed.
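The table described above becomes far more useful once something checks it for you. The following is an added example (not code from the original post) of a minimal information asset register in Python: each row carries the columns suggested above, a `criticality()` score is derived from the worst of the privacy, confidentiality, integrity and availability ratings, and `register_gaps()` runs the checks an executive would ask about (a named owner, named custodians, a BCP reference for anything rated high or above, and due diligence on every third party that holds the data). The four-point impact scale, the check thresholds and the sample rows are assumptions constructed for the example, not taken from any real organisation.

```python
"""Information asset register with governance completeness checks.

Added example: the impact scale, thresholds and SAMPLE_REGISTER rows below are
constructed for illustration and are not from any real organisation.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed four-point impact scale; substitute the scale your risk framework uses.
IMPACT_SCALE = {"low": 1, "moderate": 2, "high": 3, "severe": 4}


@dataclass
class InformationAsset:
    """One row of the register: the suggested columns plus the third parties that
    process or store the set, mapped to whether due diligence has been completed."""
    name: str
    owner: Optional[str]
    custodians: List[str]
    location: str
    retention: str
    privacy_impact: str
    confidentiality_impact: str
    integrity_impact: str
    availability_impact: str
    bcp_ref: Optional[str] = None
    third_parties: Dict[str, bool] = field(default_factory=dict)

    def criticality(self) -> int:
        """Worst-case impact across privacy, C, I and A; drives the ranking."""
        ratings = (self.privacy_impact, self.confidentiality_impact,
                   self.integrity_impact, self.availability_impact)
        return max(IMPACT_SCALE[r] for r in ratings)


def register_gaps(assets: List[InformationAsset]) -> List[Tuple[str, str, str]]:
    """Return (asset name, failed check, detail) for every governance gap.

    Checks mirror the questions to put to management: an accountable owner,
    named custodians, BCP coverage for anything rated high or above, and
    due diligence on every third party holding the data.
    """
    gaps: List[Tuple[str, str, str]] = []
    for a in assets:
        if not a.owner:
            gaps.append((a.name, "no_owner", ""))
        if not a.custodians:
            gaps.append((a.name, "no_custodian", ""))
        if a.criticality() >= IMPACT_SCALE["high"] and not a.bcp_ref:
            gaps.append((a.name, "no_bcp_ref", ""))
        for party, done in a.third_parties.items():
            if not done:
                gaps.append((a.name, "due_diligence", party))
    return gaps


def ranked(assets: List[InformationAsset]) -> List[Tuple[str, int]]:
    """Assets ordered most critical first, with name as the tie-break."""
    return sorted(((a.name, a.criticality()) for a in assets),
                  key=lambda t: (-t[1], t[0]))


def board_summary(assets: List[InformationAsset]) -> str:
    """Plain-text summary suitable for an executive or board pack."""
    lines = ["Information assets by criticality:"]
    for name, score in ranked(assets):
        lines.append(f"  {score}  {name}")
    lines.append("Register gaps:")
    for asset, check, detail in register_gaps(assets):
        lines.append(f"  {asset}: {check}" + (f" ({detail})" if detail else ""))
    return "\n".join(lines)


# Constructed sample rows, deliberately containing gaps so the checks fire.
SAMPLE_REGISTER = [
    InformationAsset("Client information", "Chief Operating Officer", ["CRM admin team"],
                     "SaaS CRM", "7 years after relationship ends",
                     "severe", "high", "high", "moderate",
                     bcp_ref="BCP-03", third_parties={"CRM vendor": True}),
    InformationAsset("Financial information", "Chief Financial Officer", ["Finance team"],
                     "On-premises ERP", "7 years",
                     "moderate", "high", "severe", "high",
                     bcp_ref="BCP-01", third_parties={"Payroll provider": False}),
    InformationAsset("Source code and CI/CD pipeline", None, ["Platform engineering"],
                     "Hosted git provider", "Indefinite",
                     "low", "high", "severe", "high",
                     third_parties={"Git hosting provider": True}),
    InformationAsset("Public marketing material", "Marketing manager", [],
                     "Website CMS", "Until superseded",
                     "low", "low", "moderate", "low"),
]

if __name__ == "__main__":
    print(board_summary(SAMPLE_REGISTER))
```

Run as a script it prints the ranked list and the four gaps in the sample data: the source code set has no owner and no BCP reference, the payroll provider has not had due diligence, and the marketing material has no custodian (it gets no BCP warning because it is rated moderate). Swap the sample rows for a CSV export of your own register and the same checks apply.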
Reporting that should go to Executives and Directors
Think about the reasons financial reporting is important. Compliance obligations, strategic decision making, risk management, and stakeholder accountability. Now think about the value of information and those same reasons.
At a minimum, reporting to the executives and the board must include:
Any legal or regulatory breaches, e.g. a privacy breach, or an industry-specific regulatory breach such as inaccurate client data
Security audit plan and findings
Key security programme initiatives
Threats to information (for example, emerging risks and intelligence from monitoring)
Security risk profile and progress on mitigation
In the event that your organisation suffers a cyber attack and one or more of your information sets is compromised, your response can be calibrated to the value of the compromised data.