Strengthen data governance and protection with these tips
Do you remember the iconic search-and-find puzzles, “Where’s Waldo?” The phrase has become a symbol of the challenge of locating something valuable amidst a sea of information. Waldo, known for traveling all over the world and blending into diverse and vibrant settings, makes the search both exciting and frustrating.
Similarly, finding your organization’s data can feel just as challenging. It often resides in scattered and unexpected places. This article asks, “Where’s the data?”; a critical question to strengthen understanding of your organization’s data assets.
By improving your knowledge of where data resides, what type of data it is, and how it is managed, you can enhance your ability to protect and utilize that data effectively.
What is a data asset inventory?
To start, one must understand data asset inventories. These are listings of critical data sources that your organization (or various departments) depends on to provide services to clients and community constituents. The data asset inventory is also used to track essential information for internal use, meeting requirements, and passing audits.
It should include structured data sources, such as case management systems, financial systems, human resource systems, and cloud solutions, as well as unstructured data sources like documentation, contracts, statements of work, and press releases. This inventory should also include videos, spreadsheets, system monitoring data, as well as websites and social media.
The importance of developing a data asset inventory
Before you can safely store and protect your organization’s data, you need to know where it is. You also need to know what type of data it is, and who is responsible for maintaining it. This information is often referred to as “meta data” or “data about the data.”
This meta data can include location data (where it was created), who created it, and manner of creation (voice to text, handwriting to text, template, etc.)
Having a data asset inventory is no longer optional, it’s essential. Several of the reasons focus on compliance, while others help to improve efficiency and governance.
Additional reasons include:
- Cyber insurance: Most insurance policies and renewals now require it. While a decade ago it was enough to provide a number of records to protect, today’s cyber insurance requires a more detailed asset inventory.
- Compliance: There are federal regulations and audits that now ask to see the organization’s data asset inventory to ensure you are compliant. You can also find guidance through your state’s records office, archives agency, or historical society for regulatory requirements, as well.1
- Continuity: Developing a data asset inventory is akin to a home inventory that you might do for insurance purposes, in case of a fire. If your systems go down for the entire organization, or even just one department, do you know what to tell the insurers now that your data is inaccessible? And just as important, do you know where to find the backup to restore the data?
- Risk management: Putting all data assets into corresponding inventories reveals vulnerabilities, duplication, and misuse that could otherwise go unnoticed.
- Cyberattacks: It is not a matter of if, but when your organization is targeted with a cyberattack. An attack may disrupt access to your data, even to the point of holding it for ransom. Having a data asset inventory will help you prioritize and locate backups so that you can recover quickly.
- Efficiency: By having this inventory or catalog of data, you may be able to identify areas where data sources can be relocated, combined with other data sources, or used in data analysis, which can facilitate better decision-making.
- Data lifecycle: A data asset inventory helps support the life cycle of data, from creation and collection to utilization, deletion, or destruction. Data can be both an asset and a liability (if it is retained longer than is required or needed). Knowing what you have in an inventory that shouldn’t be in there is equally important.
Determining the best data asset inventory approach for your organization
There are plenty of examples of data asset inventories. However, it is best if you understand the types of data you may want to include. Databases and document repositories are often used as the only sources of data to include in an inventory.
Keep in mind that valuable data may also be coming from web forms on your website, from social media input, email tracking, as well as third-party sources, such as external partners like hospitals, health agencies, and human services providers. From there, you can determine a priority list. It is recommended that you:
- Start with the structured databases
- Follow with unstructured data in documents
- Close with these other sources of data.
A data asset inventory identifies the type of data, where it is located, who has access, which department(s) is responsible for the data, and why you are collecting the data. The inventory also identifies the sensitive nature of data, which aids in knowing and determining who should have access.
Data governance template and strategy implementation
Identify a template that works for your organization. You can start with something as simple as the example below. Remember, the same data may reside in several databases or locations, and therefore, will need to be listed multiple times.
| Asset Name | Property Tax Records | Human Services Case Notes | Budget Reports | Public Meeting Records | Crime Statistics Data |
|---|---|---|---|---|---|
| Description | Records of property tax assessments and payments | Case notes related to human services programs | Annual financial budgets and reports | Minutes and recordings of public meetings | Data on reported crimes and investigations |
| Owner | Tax Collector Department | Human Services Office | Finance Department | Clerk's Office | Police Department |
| Format | Database | Document | Spreadsheet | Audio/Video | Database |
| Number of Records or Docs | 1,000,000 | 3,000,000 | 500 | 1,000 | 5,000,000 |
| Update Frequency | Monthly | Daily | Annually | Monthly | Daily |
| Security Level | Medium | High | Medium | Medium | High |
| Type of Sensitive Data | PII | HIPAA, PII | None | None | CJIS |
| Reason for Collecting Data | Tax billing and revenue tracking | Social service program administration | Financial planning and accountability | Transparency and public recordkeeping | Law enforcement and public safety |
| Retention Period* | 7 years | As long as case is open 10+ yrs | 7 years | See Records Retention | Based on department requirements |
| Location of Data | Local server | Encrypted cloud storage | Shared network drive | Archived local server | CJIS-compliant database |
*Retention period dependent on state/local statutes.
There are other template resources that can be found on government supported websites, along with free AI tools that can assist with populating the inventory.2 In addition to developing the template, a successful data governance strategy can be implemented with 5 key steps.
- Build your team: Before you begin, make sure that you have a team that buys in to the need and will support the process. This should include IT, human resources, legal, high-level stakeholders, as well as several department directors. This also includes emergency management, or the ones responsible for your organization’s continuity plan.
- Define the scope: Before you start, determine what the first phase will encompass. Starting with collecting structured data is easier, and you will get better responses.
- Prepare your process: Decide on which template you will use and how you will collect the data. You may want to opt for a more user-friendly form that can be used to populate the inventory. The IT department can pre-fill some of the information and then share it with the departments and data owners. They can review the information, validate the accuracy, and make edits so that you have complete entries.
- Discover your data sources and document your assets: Send out the request to a subset of departments with a deadline for when responses are due. Your organization may already have an inventory management tool that can provide some of the basic data needed. Transfer the responses into an inventory, which can be as simple as a spreadsheet.
- Validate, repeat and periodically collect updates: Repeat the process to include additional department data. The iterative approach ensures more comprehensive documentation. Update the data asset inventory on an annual or semi-annual basis, as part of an organizational best practice.
Finding and protecting your organization’s data
In today’s data-driven world, a comprehensive inventory is essential to safeguard sensitive information, ensure compliance, and drive operational efficiency. By understanding where data resides, its sensitivity and purpose, organizations can improve governance and decision-making. These practices also help strengthen protection against risks like cyberattacks and system disruptions.
As one county official shared:
If I was a data doctor, I would prescribe an exercise regimen that consists of 5 minutes a day organizing and cleaning out digital filing cabinets. It is the best exercise to make you more efficient and effective in data management.
Everything encompassed in this article can serve to help you start building your data asset inventory today. Keep in mind that it is an iterative journey, and perfection isn’t the goal. Starting small, even with a single department, is a great first step.
To learn more about how CAI works with local government and public sector organizations on data governance initiatives, fill out the form below.
Endnotes
- Pennsylvania Office of Administration. “Data Classification Policy.” January 5, 2025. https://www.pa.gov/content/dam/copapwp-pagov/en/oa/documents/policies/it-policies/data%20classification%20policy.pdf. ↩
- GovEx Labs. “Guides.” Bloomberg Center for Government Excellence at Johns Hopkins University. https://labs.centerforgov.org/guides/. ↩
