The first step in performing a data assessment is to complete a data identification process to identify the types of items you have. The data identification process may be a formal process or not depending on the needs of your organization. In databases, each data field should be considered and eventually the most sensitive and critical data (to the operation of your organization) should be identified. This can speed the process of determining data requirements later which will be based on data sensitivity, integrity, and availability.
1. Data Identification
Each data item must be identified. Data items may have different levels of confidentiality such as a person's name, a person's social security number, or the name of a building. Examples of some types of data items may include:
Location of items.
Size of items.
Location of equipment
Location of personnel
Amount of equipment at a location
Amount of personnel at a location
Names of personnel
Information about a person or organization.
Information about equipment or an item.
Contract information and/or agreements
Identify the data and determine which item or items are the most sensitive and important for accuracy and availability. Usually the team will determine the data item that is the most sensitive or important and concentrate on that for purposes of confidentiality, then concentrate on the entire set of data for purposes of availability and integrity.
2. Data Ownership and users
The owner of each data item listed in the above step must be identified complete with contact information for the organization and point of contact person. Sometimes there is one owner for all the data being identified and sometimes there may be different owners for different fields of data. The data users should also be identified in this step.
In many cases the data owner would be the party who is asking for a project to be implemented but this is not always the case. Sometimes the data owner may be outside the organization and if that is the case the data owner should get some assurance that the data is handled and protected appropriately and that obligation should always be honored. If the data owner is the party that is asking for the project to be created and they create the data, determining how the data should be handled can be simpler. Every organization should create a process for identifying data owners and allowing the data owners to specify the access limitations to their data.