The IT inventory list can be broken down into three main topics:
- What data your business has
- Who can access your data
- Establishing how your organization manages data access
It’s easy for a small-to-medium business to have a relaxed attitude towards IT security because criminals historically tend to go after large organizations. As a result of many high-profile hacks, larger corporations have put in the effort to bolster security to make themselves significantly harder targets. Because of this change, cybercriminals who used to target large businesses are now starting to go after comparatively easier to target SMBs because they haven’t invested as many resources in security.
Identify Your Company’s Data
Before your business can protect its data, you need to determine what data you have. This may sound easy at first, but determining where all your information is stored can be a very long process and it’s easy to overlook places your information might be hiding. Create a list of all places you have data stored while keeping in mind these places can be physical and digital.
Some common places you have data stored include:
- Local Servers
- Cloud Storage
- Mobile Devices
- External Hard/Flash Drives
- Online Service Accounts with Login Credentials
- Email Accounts
- Building Access Management
When compiling your list, be on the lookout for “Comatose Servers” and other data storage that exists, but is no longer in use.
Determine Who Has Access to What Data
The next part of the process is to compile a list of everyone who can access your business’s data. Then, establish who on that list has access to what data under what circumstances. Finding people employed by your company is the easy part, but keeping track on anyone outside your company who has access to some information is more difficult to track and arguably more important to keep tabs on. Giving external groups access to your business’s information creates additional risks which require extra management attention.
Your list of people may include:
- Business Partners
Establish and Implement Access Management Policy
The final part of the process involves determining how data is handled and protected. Your business can use the lists to establish who has access to specific data and under what circumstances that person is allowed to access that information. With the collected information, your business can implement methods of controlling, managing, and tracking access privileges on a case-by-case basis. Managing access may involve running access control software, removing account access when employees quit, and enforcing access policies. Controlling access can be an incredible tool for preventing information leaks from both accidental and deliberate actions.
An IT inventory assessment is primarily a planning process that makes implementing other practices easier. Businesses will see the benefits of conducting an IT assessment immediately; however, the assessments need to be run on a regular basis to keep up-to-date with changes. Your list will likely be sizable, so using a secure, group accessible spreadsheet like a private Google Doc can be an easy option so multiple employees at the company can work with it simultaneously and everyone always has the most recent version. The information your business gains from an IT assessment will make it easier to implement security practices, pinpoint areas where your business needs to improve security, and identify breaches if they occur.