Add your Information Assets to your CMDB!

For decades, we in information technology have been dealing with Configuration Management (CM) and the necessary Configuration Management Databases (CMDB).

The current status of ITIL dedicates a separate practice description to CM:

?‘The purpose of the service configuration management practice is to ensure that accurate and reliable information about the configuration of services, and the configuration items that support them, is available when and where it is needed. This includes information on how configuration items are configured and the relationships between them.’

Collecting, managing, and providing configuration information are activities that cannot be performed in isolation. It is important to ensure that the relevant elements of the service configuration management practice are included in the organization’s value streams and consistently applied in line with the organization’s approach to service configuration management.

Today, the practice of configuration management is lived more or less successfully in practically all larger companies. Various levels of maturity have been reached, and more and more IT organizations are gradually discovering that the abstract idea of distributed configuration management systems can be solved in practice in a much more practical and cost-effective way via one central CMDB. Many different data registers from related practices such as software asset management (SAM), hardware asset management (HAM), but also enterprise architecture (EA), information security (IS), and data privacy (DP) are being replaced and operated fully integrated into the CMDB.

However, many of these registries also require the holistic management of information assets, which has been less of a focus in many CMDB implementations.?

The unknown entity Information Asset

The EU regulation on digital operational resilience for the financial sector (DORA) defines in Article 3 (6): ‘information asset’ means a collection of information, either tangible or intangible, that is worth protecting'

More specifically defines the EU General Data Protection Regulation (GDPR) in Article 4 (1): ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person'

Control 5.9 in the revised ISO 27002:2022 describes how an inventory of information and other associated assets, including owners, should be developed and maintained.

What is Control 5.9 Inventory of Information and Other Associated Assets?

In order to carry out its activities, the organization needs to know what information assets it has at its disposal. An inventory of information assets (IA) is a list of everything an organization stores, processes, or transmits. It also includes the location and security controls for each item. The goal is to identify every single piece of data. You can think of it as the financial accounting equivalent for data protection.

?An IA can be used to identify gaps in your security program and inform cyber risk assessments where you may have vulnerabilities that could lead to a breach. It can also be used as evidence during compliance audits that you’ve done due diligence in identifying your sensitive data, which helps you avoid fines and penalties.The inventory of information assets should also include details of who owns each asset and who manages it. It should also include information about the value of each item in the inventory and how critical it is to the success of the organization’s business operations.

According to control 5.9, the inventory of information and other associated assets should be accurate, up to date, consistent and aligned with other inventories. Options for ensuring accuracy of an inventory of information and other associated assets include:

1. conducting regular reviews of identified information and other associated assets against the asset inventory;
2. automatically enforcing an inventory update in the process of installing, changing or removing an asset.

?Anyone who has studied CMDBs in depth can clearly see here that this inventory of information assets described in ISO 27002 is a clear candidate for being part of an overall CMDB.

Information Objects are standardized elements of the ServiceNow CMDB

The documentation for Information Objects in the ServiceNow CMDB describes the following: “Information objects are a part of the information portfolio management capability in the Application Portfolio Management application. An information object is a configuration item that displays information in an organized form.

The purpose of the information object is to logically describe the type of data that is exchanged between the application and the database. After information objects are created, they are mapped to business applications. For a given business application, the information objects determine if information can be created, updated, deleted, or read in that business application. This ability allows application owners to efficiently manage information. From an information security management perspective, this ability enables the risk and compliance function to define the right level of controls that must be applied.”?

For those who want to achieve DORA compliance, GDPR compliance, or simply a more meaningful Information Security Management System (ISMS) according to ISO 27001, the ServiceNow Platform and the underlying ServiceNow CMDB is probably a good choice.

? 2023 ServiceNow, Inc. All rights reserved.?ServiceNow, the ServiceNow logo, Now, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc., in the United States and/or other countries.?Other company and product names may be trademarks of the respective companies with which they are associated.