Key information assets in organizations data processing environment include:
- Data systems = Technical systems / cloud services / ready-made software where data is processed or stored
- Processes = The operation of the organization, which utilizes different data stores, e.g. to produce services or to support them
- Data stores = Administrative data entities whose content has a common higher-level purpose of use (e.g. "customer data of service X", "employee data"). The data in data stores may actually be located in several different data systems or in several different formats (some electronically, some on paper, etc.)
- Data sets = The more detailed data sets needed to perform a certain task, which the data stores consist of
- Offices = Physical locations where the organization processes data
- Other key assets = For example, an important piece of equipment on which the organization's processes depend
Stakeholders are also a vital part of the data processing environment, but they're not covered in this article.
As a first step, it is important for the organization to identify these assets and designate their owners from the point of view of the ISMS (information security management system).
After this, it is possible to start collecting key information for each asset, which improves the information security level even more and helps the implementation of subsequent measures. Through data systems, e.g. system providers (with whom contractual practices are important), data locations (for privacy communications) or authentication methods used for systems are identified.
Documentation you own is visible on Taskbook
The Taskbook-view lists the documentation items for which your user is marked as the owner. You will also see the items where you have been marked as a participant with a lower priority.
On the right side, you can see the status where the item's documentation was last left. A red mark under the object's name may appear if the object is overdue (but not fully processed) or the related periodic check is overdue.
By clicking the Continue documentation button, you can edit the item's data card.
Filling documentation on the data card
You can go directly from the Taskbook view to the item's data card, where the data fields visible under each question are completed and important data security information related to the item is collected.
Your responsibility as the owner is to (to the best of your ability) implement the following things:
- 1. Fill answers for questions and their data fields
- 2. Update question status from right side (if you manage to fill all parts, choose "Mark as done")
If you don't have some info, you can add an entry e.g. to the event log shown below the item.
Examples of data fields on data cards
Linkblock
In these fields, you can take advantage of information completed by other users. In the field, a link is created from this object to another object in the management system, for example in the image below from the data system to units.
In the linkblock, you can link this object to as many objects as you want. However, aim for meaningful links.
If an item is missing from the list to which the field links, you can add a new item at the same time and create a link using the Add button.
Single answer
Whenever possible, we try to provide users with ready-made alternatives and examples to support the work.
If the question type allows it, you will see the ready answer options in the window, from which you are supposed to choose the best one.
In the single answer field, you will usually see an explanation of what this option means below the different options. So feel free to click, and you will understand the meanings of the different options.
Yes-no -fields
Some of the most important fields on the data cards are short Yes-No questions. These are essential because they can affect the visibility of the following data fields.
If you answer "No" in the question above, a data field will be activated below where you will be asked to name the system providers, i.e. the partners who in this case take care of the development and maintenance of the system.
If you answer "Yes" in the above question, data fields for used backup and logging processes will be activated, as this is an important security responsibility for systems under your own maintenance (but in other cases often the responsibility of partners).
Free text fields
In the free text fields, you can describe the named point with the precision you want.
Remember that in documentation related to information security, a long explanation is often not necessary, but only short, sharp, truthful descriptions. The documentation can always be refined later if a need for it is noticed.
Add new -fields
Certain items (e.g. data sets) can not be linked on some fields, only created as new. This is because e.g. "Customer billing information" data set can be targeted at totally different groups and personal data, when it is connected to a different service's data store.
In these fields you will receive suggestions from the library, based on which a new item will be created. Here, there is no linking to previous items, such as in the linkblock field.
Linking external Files
You can add external files, such as SharePoint folders to your documentation items. To do that, go to the documentation item and then click the three dots on the right and select "Link external files" from the drop-down menu.
You will then be lead directly to the correct spot from which you can add files from the SharePoint folder of your organisation. Make sure you have all the settings fro the SharePoint done beforehand. You can read more instructions about adding SharePoint for your organisation here.
Frequently asked
Q: I don't understand some vocabulary, can I get more instructions?
When you are viewing a specific question, you can click on the ? icon next to the title to get a short explanation of the question in general.
In addition, usually under all data fields you will find a short explanatory text about what is meant in this section. So feel free to click the data field open, and you can find help in the next section.
Q: What if I don't have the info for some fields?
Complete the documentation as well you can. An important first step is to understand what information is available now and what needs to be investigated further.
You should also uses the event log shown below the item for custom additions. With these, you can record that you have searched for some information or thought about it, even if you haven't made any notes on it yet.
