IT security professionals can get caught up in the physical asset world. But what intangible assets should we be tracking?
An important part of IT security is maintaining an asset inventory. The inventory should document each asset's owner, data classification and other pertinent information, along with the cost and metrics associated with the asset over its lifetime. A physical asset inventory gives an IT department security management and oversight of its fleet of devices.
It's also required by certain compliance frameworks, such as ISO 27001 (Annex A 8.1.1, "Inventory of assets", in the 2013 edition; the 2022 edition renumbers this control to A 5.9), among others. You could argue that without an inventory of physical devices, there is no way to reduce the associated risks to an acceptable level.
This raises the question: should other things have an inventory of their own? When you hear the word "asset", I assume more than laptops and servers come to mind. There are likely many types of assets throughout your business that contribute to the value it holds and produces for clients. An excerpt from the ISO 27002 introduction (page vi) puts it well:
“…knowledge, concepts, ideas and brands are examples of intangible forms of information. In an interconnected world, information and related processes, systems, networks and personnel involved in their operation, handling and protection are assets that, like other important business assets, are valuable to an organization’s business and consequently deserve or require protection against various hazards.”
Intangible asset tracking improves security posture and defends against unexpected threats.
Are you able to sit down and, within 10 minutes, name every single intangible asset that you’d consider significantly valuable to the organization?
Without an inventory or a photographic memory, it's difficult. Responding to an unexpected threat consumes a lot of mental RAM and makes this even harder. Ironically, that is exactly when you need the list most.
The goal of any information security program is to mitigate risks to the overall business objectives in a cost-effective way. When threats emerge, we must move quickly and effectively. The ability to do so will largely depend on the planning and implementation effort that has gone into the program so far.
Ineffective responses to risk can seriously degrade the health of your business.
So how do we manage risks associated with intangible assets?
Some intangible assets' risks have standard solutions. A brand, logo or product name, for example, can be protected by registering it as a trademark (a logo's artwork may additionally qualify for copyright, but the name itself is trademark territory). Leaving it unprotected is a threat, but the solution is straightforward.
But other intangible assets are not so simple.
How do you guard against key employees crippling the business when they decide to leave and take their hard-earned tribal knowledge with them? Or your newly opened office on the opposite coast completely shifting the company culture that is central to your execution strategy?
The purpose of this post is not to offer solutions for each intangible asset's potential risks. It's to illustrate that you can't protect intangible assets you haven't identified. Once they are identified, management can create effective risk treatment plans.
It all comes back to the risk assessment and the ability to prioritize effectively.
Management backing and decision-making are central to the effectiveness of information security. Not everything requires management input. But risks with moderate to high impact potential and likelihood do. The annual risk assessment should be where the bulk of this decision-making takes place.
Depending on your organization, creating an intangible asset inventory may be challenging. You'll likely need to gather input from each department to build a comprehensive list. Record an estimated value next to each asset; these valuations are necessarily subjective, but they are what make prioritization possible. Present the inventory to management during the risk assessment.
Risks associated with the highest-valued assets should be the first to receive risk treatment.
No program is perfect. It simply can't be; it's the nature of the beast, so to speak. But that is never an excuse to forgo reasonable ways of mitigating risk. If you are looking for help on this topic or other information security-related topics, let us know.