The Data Asset Inventory module is a short form designed to collect basic information about data assets essential for the operation of your unit such as:
- What are our data assets and where are they managed?
- Who is responsible for our data assets?
- What purposes can our data assets be used for?
So much of the work we do is dependent on data. An asset inventory is the first step in identifying the risk management and governance efforts you need to appropriately protect and govern those data.
Data Asset Management Guidance
Core Definitions
Data Asset: a collection of data that supports the achievement of objectives at the University. For example, data that supports student enrolment or evaluation, course selection, employee profiles, or financial transactions.
Data Asset System: the system(s), platforms or applications involved with the collection or creation, storage, processing, sharing, and destruction of data assets.
Data Access Governance Protocols: The methods by which users can obtain approval to access and use data for institutional Quality Assurance/Quality Improvement initiatives and / or for Scholarly Research purposes.
Data Asset Inventory Questions
Data Asset
Provide a brief description of the Data Asset
For example, enrolment data, student profiles, employee profiles, electronic medical/health records, financial transactions, system event logs, etc.
Indicate the subject area(s) about which the data asset primarily collects or stores information:
Examples:
- Alumni: lists, demographics, activity
- Donors: lists, demographics, activity
- Faculty: lists, demographics, activity
- Staff: lists, demographics, activity (including applicants)
- Financial: transactions and activity; budgets, accounting, financial planning, charges, invoices, etc.
- IT Management & Service Delivery: T-Card, , Wi-Fi, cofiguration files, network & flow diagrams, source code, support tickets, change log, IAM & auth assets
- Facilities Management: construction, maintenance, physical/building access, floor plans and diagrams
- Scholarly Research Administration: data about administration of research activity, e.g. RIS
- Scholarly Research Data: data collected and used in research projects
- Prospective Students: application lists, demographics, activity
- Students: lists, demographics, and registration & enrolment activity
- Student Life: student housing data, awards, so-curricular, career and advising services, accessibility services, student surveys
- Curriculum management: courses, curriculum, degrees, programs
- Library Data: library holdings and activity
- Health: patient data, including, medical, mental health and social work
What is the approximate number of records the unit manages for this data asset?
The volume of data your unit manages for this asset may be an indicator of the impact to your operations should that data become unavailable, improperly modified or improperly disclosed. If your data asset contains unstructured data (e.g. word documents, video/audio recordings, images/graphics etc.) a count of individual files can be entered for the number of records.
What is the approximate number of individuals that may be impacted from a breach of this data asset?
The number of records identifying unique individuals that your unit manages is another way to understand the risks to your unit should this data be improperly disclosed. Such disclosures may result in harm to the individuals affected, impact the trust relationships with your stakeholders, and may have financial and regulatory consequences. You can use this measure to help you prioritize which data assets and data asset systems to target for risk reduction efforts.
What is the Data Classification of this data asset?
Data assets that contain multiple classifications of institutional data are categorized based upon the highest classification. Classifying the data that is collected, stored and processed within the unit is an important function of assessing information risk, and determining appropriate security measures for the systems that contain that data.
Data Asset Accountability
Who is the primary person accountable for the data asset?
This is the primary person accountable for the information risk, data quality and responsible use of these data? (name, title, role)
Data Asset Management functions
Is there anyone else also accountable for the asset in addition the primary person identified above?
Most data assets have one person in this role, but there may be cases where these responsibilities are shared. (name, title, role)
Data Asset System
Name
What is the name of the main system, platform or application on which the data asset resides? Data asset systems can vary greatly across the University. ROSI and HRIS, SharePoint and OneDrive are examples; local databases or even a spreadsheet in a network or local drive may serve as the system or container for data assets. If unknown please enter 'unknown'.
What category best describes the data asset system?
Server systems include those systems that provide application, system, or network services to other information systems, typically managed on-premises by U of T staff. Web Applications & Software as a Service (SaaS) refers to a purchased online application or service, typically managed by a vendor.
Often, important data assets may be contained in a spreadsheet, access database, or even in PDFs or word documents. These might be stored on the M365 platform, departmental file servers, or local hard-drives.
Who manages or administers the data asset system?
Administrators of data asset systems could be Unit IT or Unit staff, another unit in your division, a Central/Shared Services unit, a vendor, etc.
Name & Title of your contact for this data asset system.
This may be a system, service or project owner, U of T department, or vendor.
If known, list all host names or IP addresses associated with this data asset system.
How do you locate this system on the network?
If relevant, what is / are the URL(s) for this data asset system?
What are the web addresses for the user and / or administrative portals of this data asset system?
Has the data asset system undergone a risk assessment?
Conducted either by your unit, divisional or central ITS, or an external assessor.
Data Access Governance Protocols
This section of the data asset inventory has been removed as an institutional requirement for data collection. It is preserved if you would like to continue to use and track your responses for your own data governance needs.
The data that the University collects in the administration of its mission is often used for secondary purposes such as quality assurance / quality improvement initiatives or even as a source for scholarly research. Understanding if a data asset may be valuable for these purposes, and the protocols required to obtain access for these purposes is useful starting information for your data governance program. This section is optional.
Is the data asset used for quality assurance or quality improvement (QA/QI) purposes?
Which response best describes the protocol for approving access for QA/QI purposes?
Non-Existent, Ad-Hoc, Informal, Formal, Managed & Measured
Is the data asset used for Scholarly Research purposes?
Can the data asset be obtained by a researcher to receive all of part of the information for the purposes of conducting research studies with the intent to publish the results, typically in a peer-reviewed journal.
Which response best describes the protocol for approving access for Scholarly Research?
Non-Existent, Ad-Hoc, Informal, Formal, Managed & Measured