The creation of new information assets (e.g. databases) offers the potential for greater collaboration, efficient work, new discoveries, and accomplished objectives. These benefits often overshadow the risks arising from a lack of due consideration about resource availability, privacy, business continuity, and organizational reputation.
Before a new information asset is created, it is important to properly evaluate the associated risks. Once these risks have been enumerated and estimated, they can be weighed against the potential benefits. Depending on the outcome of this risk assessment, it might be more appropriate to seek approval to repurpose an existing asset or to identify an alternative activity to achieve the same objective.
This article is intended to offer a starting point from which to evaluate the risks associated with the creation of an information asset. It is not meant to replace other valuable risk-management tools.
Accountability
Information assets must have a clear accountability structure. This structure begins with a person who is responsible for day-to-day activities, and ends with a person who is accountable for the asset. Within this governance structure, there must be designated authority for making decisions about who can have access, what constitutes an acceptable use, what information the asset will contain, and when it will be destroyed. It is also important for the accountable person to know about other information assets that could be linked to the new asset, including public databases and other information assets held by the accountable person or custodian.
Questions for consideration:
Has a sufficient governance structure been established for the information asset?
Do the stakeholders support the governance structure?
Hosting and maintenance
Consideration should also be given to who will host and maintain the information asset. Hosting and maintenance can be done either internally or externally. Each option has its pros and cons; however, this choice will affect many other risks associated with the creation of the asset.
Questions for consideration:
Can sufficient resources be allocated to host and maintain the information asset internally?
Is it less expensive or more convenient to have it hosted externally?
Are there considerations that rule out one of the hosting options?
Are there organization policies that place restrictions on hosting information assets externally?
If it is hosted externally, have the roles of the custodian and the information manager been agreed upon in writing?
Does this agreement specify who is the custodian of the asset and the information contained within?
What provisions must be found in a contract for external hosting?
Protection
Every information asset contains useful information that reveals facts about something; as such, it should be protected accordingly. Sufficient resources must be allocated to ensure protection, whether the asset is hosted internally or externally.
Questions for consideration:
What physical, administrative, and technical safeguards will need to be placed on the information asset?
Have sufficient resources been allocated to protect the asset?
How will access be restricted to those who are authorized?
Will authorized individuals need to complete confidentiality agreements?
What protocol must be followed if there is a security breach?
If the asset is hosted externally, how do you ensure that any claims made about information protection are being met?
Copying
Information assets are copied with alarming frequency. Every copy made increases the likelihood of information theft or loss, or inappropriate use or disclosure.
Questions for consideration:
Can the number of copies of the information asset be controlled?
Can a protocol be established to regulate when a copy can be made?
Can copies be protected to the same extent as the original?
Backups
To ensure business continuity, information assets need to be backed up. If the loss of the asset has the potential to cause harm to an individual or group of individuals, backup procedures should be established and sufficient time, personnel, and storage resources should be allotted. In addition, since the backup is a copy of the asset, it will also require sufficient protection.
Questions for consideration:
Has a backup strategy been established for the information asset?
Does it allocate sufficient time, personnel, and storage resources?
Can sufficient measures be taken to protect the backup from theft, loss, or destruction?
Accuracy and updates
Some information assets are meant to represent a moment of time: once the information is added, it never changes. Other information assets are intended to be dynamic—their utility depends on regular updates. Compared to static information assets, dynamic assets require significantly more effort to ensure that the information is up to date and accurate. Conclusions drawn from inaccurate information are incorrect and, in some cases, harmful.
Questions for consideration:
Can the amount of work required to maintain the accuracy of the information in a dynamic information asset be forecasted and budgeted?
What possible damage could be done by drawing incorrect conclusions from inaccurate information?
Linkages
By itself, the content of an information asset may present little threat to individual privacy or corporate confidentiality; however, when the information is linked with information from other sources, some of which might be publicly available, the level of threat can increase substantially.
Questions for consideration:
Has the information asset been examined to enumerate potential data linkages and the associated risks?
Can suitable mechanisms be established to prevent or reduce the number of linkages?
Inappropriate, unintended, and unforeseen uses
Information assets are valued differently by different people. Even after all the possible uses of an asset have been considered, there may be others that arise, not all of which may be appropriate.
Questions for consideration:
Has sufficient consideration been given to the possible uses for the information asset?
Can inappropriate uses be controlled?
Disclosures
Once an information asset is created, others will want to have access to its contents. Before information can be shared, it is important to understand what regulations and policies provide authority to disclose information; as well, it is important to understand what agreements might limit the ability to disclose certain information. In some cases, regulations and policies might compel certain information to be disclosed to authorities or reporting organizations.
Questions for consideration:
Are the regulations and policies authorizing disclosure well understood?
Is individual consent required before information is disclosed?
What conditions might need to be placed on disclosures?
Is the party receiving the information allowed to disclose it to someone else?
Has a process been established to respond to, vet, and audit requests to disclose information?
Does the process allocate sufficient time and personnel resources?
What agreements might govern the ability to disclose certain information?
Are the original sources of information known?
What regulations and policies might compel disclosure?
If the asset is hosted externally, can it be accessed to facilitate disclosure?
Transparency
Depending on the nature of the information asset and the custodian’s policies around transparency, a profile may need to be made public or disclosed to a regulating body. Some individuals or groups may not understand why the information asset has been created, or they might disagree with the reasoning, possibly causing damage to the custodian’s reputation. Moreover, if the asset is dynamic, this profile may need to be updated on a regular basis.
Questions for consideration:
Does the information asset require the creation and maintenance of a profile? If so, who will do this?
Might individuals or groups disagree with the creation or proposed uses of the asset?
Individual access
With very few exceptions, individuals have the right to see the information held about them whenever that information is available in an identifiable or re-identifiable format. Procedures must be established to allow an individual to receive a copy of this information upon request.
Questions for consideration:
Has a process been established to respond to access requests?
Does the process allocate sufficient time and personnel resources?
Are the regulations and response timelines pertaining to access requests well understood?
Can sufficient measures be taken to confirm the identity of individuals who request access?
Is it necessary to record when someone accesses an individual’s information and/or when the information is disclosed?
Bankruptcy, insolvency, or closure
In the event of bankruptcy, insolvency, or closure, a custodian may want or need to sell or transfer its information assets. In some cases, selling or transferring information assets might be prohibited, while in others it may be required. The level of risk associated with closure will depend on the nature of the information asset and who is in possession of it; if the asset is hosted externally or on infrastructure owned by another organization, contractual arrangements may be necessary to ensure that it is safely returned and to prevent it from being sold.
Questions for consideration:
Can appropriate mechanisms be established with respect to the information asset in order to ensure privacy, security, and business continuity in the event that the owner or hosting organization closes?
Destruction
There may come a time when the information asset is no longer needed or permitted; at that time, the asset should be destroyed. Unfortunately, information destruction is complex: assets are regularly copied and backed up, and information may have been extracted to share with others.
Questions for consideration:
Can the information asset be destroyed when it reaches the end of its life?
Will all copies, backups, and extracts of the asset need to be destroyed as well?
The author acknowledges Brian Foran and Lucy McDonald for their contributions to this article. Brian Foran is a privacy specialist with Canada Health Infoway. Lucy McDonald is a privacy consultant.