02) Does your organisation keep an up-to-date inventory of all data repositories (such as databases) with assigned owners?
IT Operations Data Repository Inventory
Written by Haydn Brooks
Created on March 18, 2019
Modified on February 25, 2020

Answer yes if your organisation keens an up-to-date inventory of all data repositories within your IT estate. The inventory must list an owner against each asset.

The first step to implementing and maintaining an effective security programme is understanding what assets your company has to protect. Your company should therefore keep track of both its physical hardware (this is covered by the previous control in this domain, control G1) and all of its data assets (which is what this control covers).

An inventory of all of your data repositories is a spreadsheet or database that lists all of the data repositories within your organisation, the type and classification of data they hold, and an owner who is responsible for each. It is important that the list covers all of your data repositories that contain Client data or business critical data, including any third party services that may be acting as a data repository (Google Drive for example).

A data repository inventory helps to ensure that you keep track of all of your company’s data and helps the security team to keep track of what they need to protect. It helps the team make sure that all of the company’s repositories have up-to-date security configurations and can help in an incident response scenario in the cleaning and recovering all of your company’s data.

A data repository is usually part of the output from a “crown jewels” assessment. This is an assessment in which your company understands which assets it owns that have value to the company, what those assets are, and how valuable they are.

How to implement the control:

For organisations that are small in size (up to 50 devices) a data register can be implemented and maintained using an excel spreadsheet or Microsoft Access database.

A template excel spreadsheet for a small organisation can be requested at info@riskledger.com.

It is important to keep your data register up to date. Make sure to add all new databases to the to the register and ensure that your staff input any new data stores when they are created – this is especially important within cloud environments as it prevents staff from creating and saving data without the correct oversight from the Company.

For larger organisations we would recommend using a dedicated piece of software. Most IT Service Management (ITSM) software suites include a feature to help manage and track IT assets.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.