Information Assets and the Scope of Information Security

When thinking about information security, it’s important to remember that as a discipline and as a profession, information security has a vast scope. Information security involves protecting components as small as tiny integrated circuits all the way up to massive clusters of servers that may involve thousands of unique machines. Information security involves protecting local private networks that people may have in their homes or apartments all the way up to massive wide-area networks or even the entire Internet. Information security involves protecting hardware, software, operating systems, databases, networks, and so forth.

Clearly, the scope of inquiry in information security is vast, continuously changing, and ever-growing. Broadly speaking, however, we can think about information security as being concerned with the protection of information assets. When we say “information assets”, we are referring to the elements of an information system that have value. Since value lies at the core of determining where we should focus our information security efforts, a critical first step is to identify precisely which information assets within our organization have the greatest value, and to whom those items have value.

One good way of thinking about information technology assets is to subdivide those assets into three categories. First, we have hardware assets, which can include computing systems, mobile devices, networks, and communications channels. Second, we have software assets, which can include operating systems, off-the-shelf application programs, mobile apps, as well as custom or customized application programs. Third, we have data assets, which include our files or databases -- that is, the information that we generate in our daily lives or in the process of carrying out our business. As we will see in our discussion of asset valuation, it is often these data assets that have the greatest value of all.