Educause Security Discussion mailing list archives

Re: Data Inventory Form?


From: "win-hied () bradjudy com" <win-hied () BRADJUDY COM>
Date: Thu, 5 May 2011 10:29:35 -0400

I wrote up this page and provided the linked basic Excel inventory sheets when I
was at UC Boulder: http://www.colorado.edu/its/security/assetinventory/
 
I was surprised how many departments used the supplied templates for their
inventories.  A few extended existing inventory mechanisms to include checkboxes
about sensitive information. 
 
Two caveats: getting people to fill out the information and return it is a
painful and drawn-out process, and the reliability of the sensitive information
checkboxes isn't great if you aren't using a data searching tool.  A lot of data
breaches occur in close proximity to the words "I forgot about that old
database/spreadsheet file."
 
Brad J
 


On May 5, 2011 at 9:40 AM Chet Langin <clangin () SIU EDU> wrote:



Hello,

Can anyone recommend a standardized data inventory form?  What we want to do is
pass this form around to users and administrators in order for them to indicate
if they have sensitive information on their computer equipment, such as socials,
credit card numbers, and driver's license numbers, whether or not it is
encrypted, what software is using the data, who owns the data, who maintains the
data, and who maintains the systems.  Plus things like the IP addresses, domain
names, and type of hardware.  They will be returning these forms to the
information security unit which will then have to maintain the data.  Then, are
there any ideas on how to store this data?  By IP address, LAN admin, dept, or
"all of the above"?  We want to know where our sensitive data is at!  :-)


--
Chet Langin
SIU Information Security Analyst


