Information assets that are important to the delivery of the function (for example, SCADA set points and customer information) are inventoried, at least in an ad hoc manner
Context and Guidance: Assets derive their value and importance through their association with the aspects of the function's operations that they support. Identifying and inventorying high-value information assets helps enable selection and application of appropriate controls. High-value assets may also include information assets that may create financial, regulatory, or liability risks, such as PII, sensitive operational information, and confidential business information. Organisations should consider the different kinds of IT and OT assets that may contain information that is important to the function, such as: • virtualised assets (including dormant and backup assets) • regulated assets • cloud assets • bring your own device (BYOD) assets
• field assets • mobile assets.
Organisations should also consider different potential sources of high value information, such as: • information located off-premises • stored or archived information • backup data • information managed by a third party • information within different classification or sensitivity levels
At MIL1, the inventory may be produced in an ad hoc manner. An inventory is not meant to imply that a single list is required; multiple repositories, documents, or systems may be used to accomplish this practice. Where appropriate, however, organisations should consider whether inventories may be consolidated to avoid potential risks related to managing multiple repositories.
Related Practices • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: ASSET-2a, ASSET-2b, ASSET-2f, ASSET-2g.