Make a List, Check It Twice
By Sandra Nunn, MA, RHIA, CHP
For The Record
Vol. 28 No. 12 P. 20
Taking inventory of information assets can help a health care organization get its house in order.
Like any other management initiative, an information asset inventory project must set clear goals and carefully define its scope to ensure adequate resources are available to complete the work. In that vein, it's important to understand what an information asset inventory is and what it is not.
What It's Not
To conduct an effective information asset inventory, it's important to understand what it is not. HIM professionals are familiar with the term information management, defined by PC Magazine as "the discipline that analyzes information as an organizational resource. It covers the definitions, uses, value, and distribution of all data and information within an organization whether processed by computer or not. It evaluates the kinds of data/information an organization requires in order to function and progress effectively."
Likewise, IT has its own set of definitions. IT asset management can be defined as a set of business practices that, along with financial, contractual, and inventory functions, supports lifecycle management as well as strategic decision-making for the IT environment. Assets can include any elements of software and hardware that are aspects of the business environment.
An IT asset is classified as any company-owned information, system, or hardware used in the course of business activities. The IT asset management process, according to TechTarget.com, typically involves "gathering a detailed inventory of an organization's hardware and software and then using that information to make informed decisions about IT-related purchases and redistribution."
Digital asset management is "a business process for organizing, storing, and retrieving rich media and managing digital rights and permissions. Rich media assets include photos, music, videos, animations, podcasts, and other multimedia content," according to TechTarget.com. It's important to note that the value of assets such as these are more difficult to quantify than assets in areas such as property, equipment, bank accounts, stocks, and bonds. It's more complicated to ascertain the appreciation or depreciation of information assets that require their own measures and are unlikely to be measured by accountants.
What It Is
A query into the WhatIs website yields a simple definition of an information asset: "a body of knowledge that is organized and managed as a single entity." This definition progresses away from the old view of an information asset being an entry on a list or an Excel spreadsheet. In that typical scenario, an IT-designated person tracks and reports the hardware purchased, updated, and destroyed while maintaining the inventory of all software applications plus the current licensing compliance documentation. Tallying up the assets in IT is a subset of a full information asset inventory.
Today's organizations are increasingly executing information asset inventories to accomplish the following objectives:
• more completely understand the organization's financial value;
• enable audit activities;
• create a support framework for those professionals responsible for business continuity and disaster recovery functions, and policies and procedures;
• establish ownership, accountability, and responsibility for information domains, including financial, clinical, human resource, and IT;
• build a support framework for information retention and disposition;
• develop resources for compliance, legal services, and risk management to meet discovery requests; and
• comply with information security requirements under ISO27K provisions through an information security management system (ISMS).
It has always been good business practice to maintain a current inventory of information assets. Now, however, compliance with security standards provides CIOs with additional incentive and a compelling argument to conduct such an inventory. CIOs cognizant of their confidentiality, integrity, and availability responsibilities under HIPAA and their other compliance duties will likely implement an ISMS which, according to WhatIs, "is a set of policies and procedures for systematically managing an organization's sensitive data. The goal of an ISMS is to minimize risk and ensure business continuity by proactively limiting the impact of a security breach."
ISO 27001, formerly ISO/IEC 27001:2005, is a technology-neutral specification for creating an ISMS. The standard includes suggestions for documentation (including inventories), internal audits, continual improvement, and corrective and preventive action. A thorough ISMS framework includes all policies and procedures that ensure the comprehensive legal, physical, and technical controls in an organization's risk management processes. Therefore, an information asset inventory encompasses all hardware and software assets—which are difficult enough to account for—plus the policies and procedures that govern them, hopefully indexed and up to date in a content management system.
An information asset inventory is actually one of the first steps toward meeting the ISMS' information security function. It's difficult to develop adequate levels of protection for company assets without accounting for all of the most critical assets and establishing the level of protection each requires in terms of value and sensitivity. In terms of implementing an ISMS, the information asset inventory should quickly follow defining an enterprise security policy and the development of a scope document, which provides information managers the means to establish a budget and create a project plan.
The Information Governance Role
An information asset inventory can be conducted even if an organization is not developing an information governance (IG) strategy. As noted above, an information asset inventory can be developed to meet ISO 27001 standards. However, an organization with an IG plan will have a leg up in the development of an information asset inventory. Such an organization will have developed the human and financial resources to execute an inventory. In addition, a mature IG organization can create the knowledge worker positions to maintain and update the asset inventory going forward. AHIMA's Information Governance Toolkit emphasizes the need for organizations to be thoroughly prepared prior to undertaking an IG effort. An information asset inventory can address many of AHIMA's preparatory assessments, including the following:
• What information exists, and where is it located?
• Who "owns" the source data? Which department or functional area is the primary owner?
• How is the information protected?
An information asset inventory also helps to develop a profile of the organization's information asset domains, identify storage methods (electronic, physical), and determine how long assets may need to be retained, the type of future dispositions, and who makes the most suitable data steward.
AHIMA's IG work also includes the development of a scaffold of extensive principles to support the initiative. The Specification of Business Requirements for AHIMA Information Governance Principles for Health Care was created by the AHIMA Standards Task Force, a multidisciplinary group of HIM professionals.
Examples of how an information asset inventory supports the business requirements include the following:
• identifies, locates, and retrieves the information required to support an organization's ongoing activities via queries and access to data across various systems;
• searches for information in continually expanding volumes of data across multiple electronic and manual systems;
• assembles information from disparate electronic systems, both internal and external to the actual or virtual location(s) of the organization;
• ensures appropriate levels of protection from breach, corruption, and loss of private and essential information;
• provides security, business continuity, and disaster recovery processes to ensure continued operation and protection during and after periods of failure or disruption; and
• provides physical safeguards for computing and access devices or any equipment containing confidential information or the organization's intellectual property.
The Information Asset Inventory Process
An IG group has the power to make decisions about the importance and value of some information assets. In the health care industry, it is a bit easier to determine which information assets are the most important. For example, those relating to patient care will trump all others. However, a weighing and ordering process must take place to determine what sectors of the organization will be inventoried first.
Information asset classification methods can be used to weigh the assets. Typical questions to answer include the following:
• How often is the information asset used and by how many users?
• What are the important information asset topics?
• When was the asset created and is it still relevant?
• In which domain does the asset fit?
• Is the asset critical to safety and compliance?
• Does the asset affect the brand?
An IG committee can create a grid of such considerations against which information assets can be graded and weighed.
Information assets can be classified to multiple categories. The ISO 27001 information asset inventory/register document suggests classification methods, including the following:
Pure Information Assets
• Digital data include personal, financial, legal, research and development, strategic and commercial, e-mail, voicemail, databases, personal and shared drives, backup tapes/CDs/DVDs, digital archives, and encryption keys.
• Tangible information assets include microfiche, journals, and books.
• Intangible information assets include knowledge, business relationships, trade secrets, trademarks, accumulated experience, general know-how, ethics, and productivity.
• Application software includes in-house/custom-written systems, client software, databases, software utilities and tools, and middleware.
• Operating system software includes provisions for servers, desktops, mainframes, network devices, handhelds, and embedded systems (including BIOS and firmware).
Physical IT Assets
• IT support infrastructure includes data centers, server/computer rooms, LAN/wiring closets, media storage rooms, safes, personnel identification and authentication control devices, and other security devices.
• IT environmental controls include fire alarm systems, fire suppression systems, uninterruptible power supplies, power and network feeds, power conditioners/filters/transient suppressors, air conditioners, and water alarms.
• IT hardware includes computing and storage devices such as desktops, workstations, laptops, handhelds, servers, mainframes, modems, and line terminators.
• IT service assets include user authentication services, hyperlinks, firewalls, proxy servers, network and wireless services, spyware, and intrusion detection/prevention.
Human Information Assets
• employees, including staff and managers, particularly those in key knowledge management roles; and
• nonemployees, including temporary workers, external consultants, specialist contractors, suppliers, and business partners.
Managing intellectual capital assets is becoming increasingly important for organizations, but it is challenging to make them part of an information asset inventory. Because intellectual capital assets reside in people, communities, and organizations, their management requires creating an environment in which the intellectual capital is constantly replenished and relevant to the immediate needs of current users. According to information science expert Denise Bedford, PhD, intellectual capital assets—the intangible assets—are amortized to expense over five to 40 years.
To inventory and manage intangible intellectual assets, organizations must establish a baseline. However, because the value of intellectual capital is never stable and its location can be mobile, this can be a difficult task. Therefore, it is necessary to routinely audit intangible intellectual assets, including tacit assets likely to be inside people's heads.
A model for examining the structure of intellectual capital, attributed to Daniel Andriessen, PhD, is generally regarded as being the gold standard. Andriessen breaks intellectual capital into the following three branches:
• Human assets contain implicit knowledge, skills that create organizational advantage, and attitudes that enhance the achievement of organizational goals.
• Structural assets, such as policies and procedures, processes, and culture, are the most familiar.
• Relational capital includes assets such as organizational reputation and social networks.
Numerous factors must be considered when creating an information asset inventory. Policy and procedure development, information asset lifecycles, granularity levels, and liability concerns must all be taken into account. Other possible policies include how to enter and remove information assets. The risk of asset loss, tampering, low data integrity, and inappropriate disclosure must also be weighed.
Other questions that should be addressed include the following:
• Should the context of the information asset be managed and retained in order to keep the value of the asset itself?
• How will assets that reference other assets be kept in sync?
• How will assets be grouped? This includes spreadsheets, project plans, e-mails, images, and interviews with all of the employees associated with the project to support knowledge transfer.
• How will assets be converted from one medium to another?
• How will assets be transferred live to legacy systems?
Inevitably, the most complex considerations will come with greater management of intellectual capital assets, a process that involves tapping into tacit knowledge and figuring out how to transition it into forms accessible to others in the organization.
— Sandra Nunn, MA, RHIA, CHP, is a contributing editor at For The Record and principal of KAMC Consulting in Albuquerque, New Mexico.