Sample Information Asset Register (Iar) Template

SAMPLE INFORMATION ASSET REGISTER (IAR) TEMPLATE
INSTRUCTIONS - How to use this sample template
Prior to using this template, please read Practitioner Guide: Identifying and Managing Information Assets
A) If your organisation has a tool or system already in place to register your information assets, you are encouraged to use that in the first instance.
B) If you do have another tool or system, we encourage you to cross reference the fields on this sample template and consider updating or enhancing your existing register / system, so that it captures
all relevant attributes for each information asset
C) This template provides 3 options (set out across the different tabs) for organisations to use. These tabs present different fields to register unique attributes of your information assets.
D) Organisations need to choose which tab is appropriate for their work program, and refer to the fields on that tab.
How do organisations group together or split out information assets and capture them in an IAR -
There is no set process to follow when defining what is and isn’t an information asset. Each organisation will have unique information holdings, business requirements and expectations around the
management of their material. These differences mean that some businesses will group their information in different ways to others.
Practically speaking, organisations should define their information assets at a level of granularity that allows any individual components to be managed usefully as a single unit. Too broad and the
organisation will not have enough detail to properly manage the material, too fine and it will have thousands of information assets.
When deciding how to logically group information into a broader asset it is worth considering:
• the business context in which the material is being used
• the security value (Business Impact Level assessment outcome) of the material
• the business classification (records management) of the material
• any legal, regulatory or administrative obligations surrounding the management or use of the material
• any business engagement activities that it may support
For more guidance on Information Asset Registers refer to Pracitioner Guide: Identifying and Managing Information Assets
For more guidance on terms used in this IAR, refler to the VPDSF Glossary
Which tab should you use?
VPDSF Requirements
If you are creating an IAR to simply address the VPDSF, please ref to the tab titled >
This tab includes the minimum fields that an organisation should register for each
information asset, for the Victorian Protective Data Security Framework (VPDSF).
CORE (inc. VPDSF reqs)
This tab includes a list fields that organisations should record attributes of their
information assets in.
OR The fields on this tab will help you meet the requirements of the VPDSF, as well as
other existing legal and regulatory information management (IM) references across
if you are using an IAR to address the VPDSF, as well other legal, administrative and regulatory Victorian Government.
requirements that your organisation may have, please refer to the tab titled >
Organisations must consider their specific operating requirements and relevant
legislative and regulatory obligations when developing their own specific IAR.
The core fields represent the more common reqiurements for the majority of Victorian
Government agencies or bodies.
SUPPLEMENTARY
This tab includes a list of supplementary fields that organisations can consider including
OR in their IAR.
if your organisation already has an information asset register in place, but you are looking at maturing your IM These fields are based on existing legal or regulatory references across Victorian
practices, your organisation may want to consider some of the fields captured under the tab titled > Government.
Organisations must be mindful of their specific operating requirements and relevant

legislative and regulatory obligations when developing their own specific IAR, as not all
fields are listed.
DOCUMENT DETAILS
Protective Marking N/A
Approved for unlimited public release? Yes – Authorised for release
Publication Date November 2019
Review Date November 2020
Document Status Final V2.0
Author Information Security Unit - Office of the Vicorian Information Commissioner
1
VPDSF REQUIREMENTS
INFORMATION ASSET REGISTER
*** Fields related to the 'ASSET DESCRIPTION'- Not all fields will apply to
all forms of information assets. Delete any columns that aren't relevant to
your information assets
CREATION DATE
ASSET NAME ASSET DESCRIPTION LOCATION FORMAT LAST UPDATED ORIGINATOR
OR ACQUIRED DATE
NATIONAL INTEREST OR
PERSONAL
NATIONAL SECURITY
INFORMATION?
INFORMATION (NSI)?
The name or title of the Description of the contents Does the information asset A term used to identify official Describe the location Describe the form and Input the date that this Input the date the The person, or
information asset and / or an outline of the contain personal or information whose compromise where the information format of the version of the information asset was organisation,
components of the sensitive personal does not threaten national security asset is most commonly information asset. This information asset or last modified responsible for
information asset information as defined in but could otherwise threaten the used and stored includes both soft and associated records were preparing / creating
Schedule 1 of the Privacy national interest, or interests of hard copy material generated official information or
and Data Protection Act individuals, groups, or commercial for actioning
DESCRIPTION (2014)? entities. information generated
outside the public
sector (i.e. private
industry).
List name of the Provide a detailed Yes or No Yes or No Describe location of the Provide a detailed List the original creation List the date that the This person, or
information asset description of the information asset description of the date of the information latest version of the organisation, is also
information asset (data) or If yes, the organisation If yes, identify if this material has format of the asset or when the information asset was responsible for deciding
Include any alternative program may choose to outline the been created or collected as part of This can be a physical information asset (i.e. information asset was last updated or modified whether, and at what
names for the information types of personal or a National Agreement (including location and/ or digital soft copy excel, hard acquired or transferred level, to value /
asset may be captured in At a minimum, organisation's sensitive personal name and duration of agreement – location where the copy records). to the organisation (i.e. Organisations may want protectively mark that
description field. should identify if the information contained in i.e. renewal dates) information is used and either capture or to include the version no. official information.
Make sure the title information asset contains the information asset stored (including any ICT This includes outlining collection) to help record future
describes the information one of more of the following N.B. Definition of 'National Interest' systems) whether the material is updates to the information For more information on
asset, is meaningful to the information types: Refer to Part 3 – Schedule 1 includes matters which matter which stored in: If the information asset asset assessing the value of
user and is keyword rich of the Privacy and Data has or could have impact on Australia, • hard copy, or originated outside the official information, refer
to support any search • Personal Information (as Protection Act (2014) for full including: • soft copy, or organisation, a description N.B. It is important to to VPDSF Information
functions in the future defined in the Privacy and definitions of Sensitive • national security * both (soft and hard of where it came from and align all date elements Security Management
Data Protection Act, 2014) Personal information • international relations copy) the business area that with ISO8601 and format Collection.
• law and governance, including: originally created it should any date fierld to
• Law Enforcement Data (as • interstate / territory relations Format types such as: also be included. automatically format the
defined in the Privacy and • law enforcement operations • word documents, date when entered
SUPPORTING Data Protection Act, 2014) where compromise could hamper or • excel sheets, N.B. It is important to
COMMENTS prevent national crime prevention • audio files. align all date elements
• Crime Statistics Data (as strategies or investigations, or with ISO8601 and format
defined in the Privacy and endanger personal safety N.B. There may be any date fierld to
Data Protection Act, 2014) • economic wellbeing multiple format options, automatically format the
• heritage depending on the makeup date when entered
• Health records (as defined • culture. of the information asset
in the Health Records Act,
2001), or (As drawn from Commonwealth The available media types
Protective Security Policy Framework (formerly known as MIME
• any other forms of data or Glossary of security terms Version types) are available at
records not already specified 1.3, December 2014) http://www.iana.org/assig
above nments/media-
types/index.html
INFORMATION ASSET 1
2
INFORMATION ASSET 2
INFORMATION ASSET 3
INFORMATION ASSET 4
INFORMATION ASSET 5
INFORMATION ASSET 6
INFORMATION ASSET 7
INFORMATION ASSET 8
INFORMATION ASSET 9
INFORMATION ASSET 10
3
4
5
6
etc…
7
***Field related to the "BIL -
CONFIDENTIALITY" assessment
BUSINESS IMPACT LEVEL (BIL) – BUSINESS IMPACT LEVEL (BIL) – BUSINESS IMPACT LEVEL
OWNER CUSTODIAN SUITABLE FOR UNLIMITED PUBLIC RELEASE?
CONFIDENTIALITY INTEGRITY (BIL) – AVAILABILITY
PROTECTIVE MARKING
Legal owner of the Role that is formally The assessed Business Impact Level The highest protective marking The assessed Business Impact Level The assessed Business Impact Identify whether the information asset has been authorised
information asset. accountable to the Owner for (BIL) if the confidentiality of the applied to the overall information (BIL) if the integrity of the Level (BIL) if the availability of for unlimited public release.
managing the delegated assets information asset were asset. information asset were compromised the information asset were
Organisations may chose in their care compromised. compromised Suitable / Not Suitable
to delegate ownership
through relevant legal or BIL 1, 2, 3, 4 N.B. This is based on an assessment of the individual merits
regulatory instruments to and content in order to determine whether this is suitable for
an authorised role or public release
group. This may be a
divisional director or line
of business lead
Include the role title and Outline who (i.e. role / title, The BIL can be listed in numerical form Identify the highest overall protective The BIL can be listed in numerical form The BIL can be listed in numerical If the asset is suitable for unlmited public release, consider
organisational unit, and business unit or agency) has (i.e. 1, 2, 3 or 4) marking for the information asset. (i.e. 1, 2, 3 or 4) form (i.e. 1, 2, 3 or 4) whether it is suitable for publication on the VIc Gov Open Data
alternate contact methods custody of the information This overall marking should take into Portal - DataVic.vic.gov.au
(e.g. position based email asset • For more information on how to account the aggregated risks • For more information on how to • For more information on how to
accounts, phone) for the conduct this assessment, please refer associated with each of the conduct this assessment, please refer conduct this assessment, please If the material is not suitable for public release, provide a
owner Details should include the role to the VPDSF Information Security individual records that make up the to the VPDSF Information Security refer to the VPDSF Information statement outlining what the release restrictions are, for both
title and organisational unit, and Management Collection information asset. Management Collection Security Management Collection now and in the future.
Privacy warning – should include several alternate
Organisations should refrain contact methods (e.g. position Refer to the VPDSF Information Organisations should consult with the originator of the individual
from nominating an based email accounts, phone). Security Management Collection. for records or associated information elements in order to determine
individuals name and more information on protective whether the content is appropriate for unlimited public release.
contact number unless due Privacy warning - Organisations markings.
notice has been supplied to should refrain from nominating an Restrictions on release may be due to:
them, and that these individuals name and contact • other parties having rights over IP, or
individuals are aware that number unless due notice has • where there are legislative restrictions on release of the
these details may be been supplied to them, and that information before a certain date
published in this form, for these individuals are aware that • reasons of privacy,
this purpose. these details may be published in • public safety,
this form, for this purpose. • security and law enforcement,
If an organisation does • public health, or
deem it necessary to identify If an organisation does deem it • compliance with the law.
the particular individual necessary to identify the
(rather than a position or particular individual (rather than a Organisations should consider the original assessment of the
role), then appropriate position or role), then appropriate information and identify if there are any other reasons why the
notice must be given in notice must be given in material may not be disclosed in this manner.
accordance with Information accordance with Information
Privacy Principle 1.3 of the Privacy Principle 1.3 of the PDPA N.B. A protective marking does not prohibit the information asset
PDPA 2014). 2014). from being released under an Freedom of Information request.
All requests should be assessed on the individual merit of the

information assets content at the time of the request.
8
9
10
11
12
13
***Fields related to the 'SUITABLE FOR UNLIMITED PUBLIC
RELEASE''- Not all fields will apply to all forms of information assets.
APPROVER / AUTHORISOR (FOR

PUBLIC RELEASE
UNLIMITED PUBLIC RELEASE OF THE
DATE
INFORMATION
If the material is suitable for public release, Only required if the

identify the role or position who has given dataset has been
approval for this publically released.
This is the date on

which the information
asset (and its
associated records and
elements – metadata)
was released into the
public domain.
Note: Refrain from nominating an individuals If approved for public

name and contact number unless due notice release, this is the date
has been supplied to them, and they are aware that this version of the
that these details may be published in this information asset and
form, for this purpose. its associated records
and elements were
If an organisation deems it necessary to identify approved for, and
the particular individual (rather than a position or subsequently released.
role), then appropriate notice must be given in
accordance with Information Privacy Principle 1.3 N.B. It is important to
of the PDPA 2014). align all date elements
with ISO8601 and format
If the asset is aithorised for unlmited public release, any date fierld to
consider whether it is suitable for publication on the automatically format the
VIc Gov Open Data Portal - DataVic.vic.gov.au date when entered
If the asset is aithorised

for unlmited public
release, consider whether
it is suitable for
publication on the VIc Gov
Open Data Portal -
DataVic.vic.gov.au
14
15
16
17
18
19
CORE (including VPDSF requirements)
*** Fi eld re lated to the

* **Fie lds re lated to the 'C REATION DATE / ACQUIRED D ATE'- "BIL - ***Fields related to the 'SU ITABLE F OR UNLIMITED PUBLIC R ELEASE''- Not all field s will apply to all forms of information assets.
*** Fields related to the 'ASSET DESCRIPTION'- Not all fields will apply to all forms of information assets. Delete any columns that aren't relevant to your information assets No t al l fi eld s w ill a ppl y to a ll forms of i nformatio n assets. D ele te
C ON FIDEN TIALITY"
an y co lumn s th at a ren't rele van t to your in fo rmation a ssets Delete any columns th at aren't relevant to your information assets
asse ssment
BUSINESS BUSINESS
BUSINESS IMPACT
C REAT ION DATE IMPACT LEVEL IMPAC T LEVEL
ASSET NAME ASSET D ESCR IPT ION LOC ATION FORMAT ASSET STATUS ORIGINATOR OWNER CUST ODIAN LEVEL (BIL) – SUIT ABLE F OR U NLIMITED PUBLIC RELEASE?
(VPDSF Req) (VPDSF Req) (VP DSF Req) (VPDSF Req) OR ACQUIRED D AT E (VPDSF Req) (VPDS F Req) (VP DSF Req) (BIL) – (BIL) – (VPDSF Req) Approver / authorisor
(VPDS F Req) C ON FIDENTIA LITY
National Interest or National (VPDSF Req) INT EGRIT Y AVAILA BILIT Y (for unlimited public
Personal information? Tags (site tages) / Keywords Temporal range / Coverage Data Source URL (website address) Program URL Unique ID Last upda te d Update frequency Protective Marking (V PDS F Req) (VPDSF Req)
(VP DSF Req) Security Information (NSI)? (VPDSF Req) (V PDSF Req) release of the
(VPDSF Req) information)
(VPDSF Req)
The nam e or title of the Des cription of the c ontents and / or a n outline of the Does the informa tion a ss et A ter m us ed to identify Two o r three tag s to supp ort The d ate o r time p erio d which U RL (web site add ress) fro m A gency U niqu e Des cribe the De scr ibe the for m and Current, semi-c urrent Input the da te tha t this Input the da te the Outline of how fr eque ntly The pe rs on, or Legal owne r of the R ole that is form ally The ass ess ed B us ines s The highest The as ses sed The a sse sse d Identify whether the informa tion a ss et ha s be en a uthorised for The role or position who
inform ation ass et components of the inform ation ass et conta in pe rsonal or offic ia l inform ation whose search functions the in fo rm atio n asset d escribes which to retrieve the d ataset p rogram id entificatio n loca tion where forma t of the or no n-cu rren t ver sion of the informa tion infor ma tion a sse t was las t the informa tion a sse t is organisa tion, inform ation ass et. a ccounta ble to the Owne r Impac t Lev el (B IL) if the pr ote ctive B us ines s Business unlimited public re le as e. ha s give n approval for
sensitive per sona l compromise does not the infor mation inform ation ass et. This ass et or a ss oc ia ted m odifie d update d or maintaine d. r es pons ible for for ma na ging the de le ga ted c onfide ntiality of the mar king applied to Impa ct Le vel Impact Leve l this ma terial to be
informa tion a s de fined in threa ten nationa l s ecurity
or references. website (if co de to iden tify ass et is m os t inc ludes both s oft and rec or ds wer e ge nera ted pre pa ring / Organis ations ma y chos e a sse ts in the ir car e inform ation as set were the ove rall (B IL) if the (BIL) if the Suitable / Not Suitable relea sed publicly
Schedule 1 of the Pr iv acy but could other wise thre ate n A link to dataset MUST b e availab le) the asset. This commonly hard copy m ater ial Is this asset bein g c re ating to delegate owne rship c om pr om is ed. informa tion a sse t. integrity of the av aila bility of
and Da ta Protection Ac t the na tional intere st, or On ly comp lete this field if p resent if th e datas et is sh ou ld be a n on us ed a nd currently u pd ated official through r eleva nt legal or infor mation the informa tion N .B . This is ba se d on an ass ess ment of the indiv idual mer its
(201 4)? inte res ts of individua ls , relevant to th e asset a vailable on line and has b een T his field is no t ch ang ing stored and u sed? Has th e infor mation or re gulatory ins truments to BIL 1, 2 , 3, 4 a ss et we re as set were a nd conte nt in order to dete rmine whe the r this is suita ble for
groups, or c om mer cial p ub lished. req uired if the u nam bigu ou s asset be en closed ? for ac tioning an authorise d role or c om pr om is ed compromise d public relea se
entitie s. asset is no t reference infor mation group. This m ay be a
DESCRIPTION gene rate d div is ional direc tor or line
T his field is no t requ ired if the availab le onlin e relating to a outside the of busine ss lead
a sset is no t pu blically released reco rd, public se ctor
a nd availab le onlin e ass ociated (i.e. pr iv ate
industr y).
d ataset or
in fo rm atio n
ass et
Li st na me of th e Provid e a detai led d escrip tion o f the in fo rmation a sset (data) Yes or No Yes or No Inclu de a min imum of tw o or th ree tag s o r (Date ran ge the d ata covers i.e. Branc h C an be u sed to li nk It i s re comme nde d Descri be Provi de a d etail ed List whe th er th is is an List th e orig ina l crea ti on da te L ist th e date that th e la te st Da ta freq uen cy (freq ue ncy Thi s p erso n, o r Inclu de the rol e ti tl e an d Outli ne wh o (i.e. role / ti tl e, The BIL can b e listed i n Id entify th e hig he st The BIL ca n be The BIL can be If the a sset is suitab le for unl mited pu bl ic re le ase, consi der wh ether Note: Refrai n fro m
in fo rmation a sset or prog ram keyw ords to supp ort se arch fun cti ons to Expen ditu re 201 2 - start date to en d date Imp ortant: Thi s sh oul d be the U RL from to spe cific age ncy tha t thi s i den ti fi er is loca ti on of th e de scriptio n of th e fo rmat active or in active of the i nformatio n asse t or ve rsio n of the i nformatio n that th e data so urce is o rga nisa ti on, is org ani sation al un it, a nd b usin ess un it o r a gen cy) h as n umeri cal form (i.e. 1 , 2, 3 overa ll pro te cti ve l isted i n li ste d in i t is sui ta ble fo r p ubl icatio n on the VIc Go v Ope n Data Portal - nomi natin g an in divi dua ls
If yes, the orga nisa ti on may If yes, ide ntify if thi s ma te rial find the i nformatio n asse t. - 0 1/01/2 012 to 31 /1 2/20 12) w hic h th e informa ti on asse t ca n be p rogra m w ebsi te u niq ue a t le ast informa ti on of th e in fo rmation a sset informa ti on asse t whe n th e info rma tion a sset a sset was la st up dated o r up dated (i .e w ee kly, mo nthly, a lso re spon sibl e al te rnate con ta ct meth ods cu sto dy of th e informa ti on or 4) markin g fo r the n ume rical form nu merica l fo rm D ataVic.vic.go v.a u name a nd con ta ct nu mbe r
Inclu de an y altern ative At a min imum, orga nisa ti on' s sh oul d ide ntify i f the i nformatio n choo se to outli ne the types ha s b ee n created o r co lle cte d re tri eve d, o r the w eb pa ge from wh ich the w ithin th e Victoria n asset (i.e. soft cop y excel , ha rd was acq uire d or tra nsferre d mo di fi ed an nua lly) for d ecid ing (e.g. posi ti on ba sed e mail a sset informa ti on asse t. (i .e . 1 , 2, 3 or 4) (i.e. 1, 2 , 3 or 4) unl ess due n otice ha s
na mes fo r th e informa ti on asset contai ns one o f mo re of the fol low ing i nformatio n types: of p erson al o r se nsitive as pa rt o f a Na ti ona l Keyw ords (in clud ing a ny acron yms) n ee d To faci litate u se in the Interne t, da te s a nd i nforma ti on asse t can b e retrie ve d g ove rnmen t. Note cop y re cords). Acti vely use d assets to the o rga nisa ti on (i.e. eithe r w heth er, a nd at acco unts, p hon e) for th e • For more in fo rmation o n Th is overa ll If the ma te ria l is not suitab le for pub lic rel ea se, p rovid e a sta te ment bee n supp lie d to th em,
asse t may be capture d in perso nal i nformati on Agre emen t (in clu din g name to descri be the topi c o r conten t of th e ti mes shou ld be expre ssed in the su bse t tha t thi s i den ti fi er Th is can be a must b e secure ly capture o r co lle cti on ) Org ani sation s ma y w ant to (Sche ma ta ken from ANZLIC w hat le vel, to ow ner D etail s sh oul d inc lud e th e role h ow to cond uct thi s markin g shou ld • For more • Fo r mo re o utlin ing w ha t the rel ease re stri cti ons are , for bo th n ow an d in the and the y a re awa re th at
de scriptio n fi eld . • Pe rsona l In fo rmatio n (as defin ed in the P ri vacy an d Data contai ned in the in fo rmation an d du ration o f ag reeme nt – in fo rmation a sset. of ISO86 01 en dorse d by W3 C S evera l lin ks ma y b e prese nt i f the p rimari ly ide ntifie s physi cal lo cation This in clud es ou tl ini ng mana ged a cross th eir i nclu de the ve rsion n o. to – the pe ak go vernme nt b ody va lue / title a nd o rg an isatio nal u nit, a ssessmen t, ple ase refer to ta ke into acco un t i nformati on on in fo rmation o n future . th ese de ta ils may be
Make su re th e title Protection Act, 2 014 ) asset i.e. rene wa l dates) (http ://www .w 3.org/TR/NOTE -d ate time), d atase t is ava ila ble i n differe nt forma ts. the record . The and / or di gital wh ether the ma te rial i s informa ti on li fe cycle. If th e informa ti on a sset h el p record future u pda tes to in Au stra lia a nd Ne w Ze al and p rotective ly Priva cy w arni ng – a nd sho ul d incl ude se veral the VPD SF Informatio n th e agg rega te d h ow to con duct ho w to co ndu ct pub lish ed in thi s form, fo r
de scribe s the informa ti on When co nsid erin g wha t keyw ord s to use , how ever ran ge s mu st be u sed wh ere S evera l lin ks ma y a lso be p resen t if there co ntai ned loca ti on wh ere stored i n: orig ina te d ou tsi de the th e informa ti on asse t resp onsi ble for spa ti al ma rk tha t o ffici al Organ isatio ns shou ld a lterna te co ntact method s Se curity Mana geme nt risks associ ated thi s this Orga nisa ti ons sh oul d consu lt w ith th e orig in ator of the i ndi vidu al th is purp ose.
asse t, is mean in gful to th e • L aw Enforce ment Da ta (a s d efine d in the Pri vacy and D ata Refer to Part 3 – Sched ule 1 N.B. D efini ti on o f 'Na ti ona l org ani sation s ma y co nsid er th e foll owi ng nece ssary. ISO86 01 do es not ha ve th e a re very clo sely rel ated in fo rmation a ssets re cords/file s/datase t th e informa ti on • ha rd copy, or Th e orga nisa ti on must orga nisa ti on, a de scriptio n of in fo rmation ) i nformati on. refrai n fro m n omin ating a n (e .g . po sition base d emai l Co lle ction with ea ch of the a ssessme nt, asse ssment, re cords or asso ciate d informa ti on el emen ts in o rde r to de te rmine
use r a nd is ke yword ri ch Protection Act, 2 014 ) of the P ri vacy an d Data Interest' in clud es matte rs sche mes to h elp frame the ir keyw ords: capa bil ity to in di cate 'circa' o r (e .g. mo nth by month da ta). ma y h ave o th er is used a nd • soft co py, o r ensu re th e informa ti on whe re it ca me fro m a nd the N .B. It is imp ortant to a lig n all in divi dua ls name a nd a ccoun ts, ph one ). ind ivid ual re cords p le ase refer to pl ease re fe r to w hethe r the conten t is ap prop riate for un limi te d pub lic rel ease . If an org ani sation d ee ms i t
to supp ort any sea rch Protection A ct (20 14) for fu ll wh ich matter whi ch ha s o r • Australi an Govern men ts' Interactive 'ap proxi mate' date s. i den tifiers. sto red (in clud ing * bo th (so ft an d hard asset is retain ed for th e busi ness are a that orig ina lly d ate el emen ts wi th ISO860 1 N.B. It i s i mportan t to ali gn a ll For more con ta ct nu mber un les s d ue th at ma ke up the the VPDSF the VPDSF nece ssary to i den ti fy the
functio ns in the future • C rime Statistics Data (as de fine d in the Priva cy a nd Da ta defin ition s o f Se nsitive cou ld ha ve imp act o n Functio ns Th esau rus (AGIFT) H ow ever, th ere sho uld b e a sin gle any ICT cop y) mini mum peri od created i t sho ul d also b e a nd forma t an y d ate fi erld to da te e leme nts w ith IS O8 601 i nformati on on no ti ce has be en su ppl ied to Pri vacy warn ing - informa ti on asse t. Info rmation Informatio n R estriction s o n rele ase ma y b e due to: particu lar in divi dua l (rather
Protection Act, 2 014 ) Person al in fo rmatio n Austral ia, in cl ud ing : (http://ww w.naa .g ov.au/re cords- No more p recisi on sh oul d be pre sent th an a utho ritative sou rce fo r e ach forma t (i.e. syste ms) speci fi ed in the re leva nt incl ude d. a utoma ti call y forma t the da te an d fo rmat a ny da te fie rld to a ssessin g the them, and tha t the se Orga nisa ti ons sh oul d refrain Se curi ty Secu rity • oth er partie s h avin g righ ts ove r IP, or th an a po sition o r ro le),
• na ti ona l securi ty man age ment/pub lica ti on s/a gift.a spx), is warra nted by the a ccuracy of th e da ta - th ere sho uld n ot b e multi ple l inks to th e Format typ es such a s: Reten ti on an d Disp osa l w he n entere d au to matical ly fo rmat the date va lue of o ffici al in divi dua ls are aw are tha t from no mina ti ng a n ind ivid ual s Refer to th e VPDSF Ma na geme nt Man age ment • wh ere the re are le gisl ative restrictio ns on re lea se of the th en ap prop riate no tice
• H eal th re cords (as de fine d in the He alth Re cord s Act, 2 001 ), • in te rnatio nal re latio ns • th e extensi on Au stra lia n Go vernme nt so a informa ti on a sset re prese nting Ap ril sa me in fo rmation a sset i n th e same • wo rd docu ments, Authori ty, autho rised b y Imp leme ntation n ote: It is wh en en te red i nformati on, these d etail s ma y b e n ame an d con ta ct nu mber In fo rmation Se curity C oll ectio n Co lle cti on i nformatio n be fo re a certain d ate mu st b e give n in
or • la w and g overn ance , Archi te ctu re (AGA) Busi ness Re fe ren ce 196 4 sho uld b e expre ssed as 19 64 -04 or fo rmat). • exce l shee ts, th e Keep er of Pu bl ic recomme nde d th at th is fi eld re fe r to VPD SF pu bli shed i n th is fo rm, for u nle ss d ue n otice ha s b een Mana geme nt • rea son s o f pri vacy, accord ance w ith
SU PPORTING in clud ing : Mod el (http://ww w.fi nan ce.go v.a u/e- 196 4-04 -01 /1 964 -04-3 0, n ot 1 96 4-04 - • au dio fil es. Reco rds. be ge nera ted au to matical ly Info rma tion this pu rpose . su ppl ied to the m, an d th at Col lectio n. for more • pu bl ic safety, In fo rmation Pri vacy
COMMENT S • a ny other forms of data or reco rds not alre ad y sp ecifie d • i nterstate / territory go vernme nt/strateg y-and - Th e URL (web site add ress) wou ld whe n chan ge s o ccur to the Se curity the se ind ivid ua ls are aw are informa ti on on • secu rity and l aw en fo rcemen t, Princi ple 1 .3 o f the PDPA
abo ve rel ation s go verna nce/ag a-rm/5-pro gram- n orma lly be Vi cto rian State go vern ment N.B. The re may be If th e informa ti on asse t informa ti on asse t e leme nts – Ma na geme nt If an o rgan isatio n do es tha t thes e detai ls may be protective • pu bl ic hea lth, o r 201 4).
• l aw en fo rcemen t ou trco mes.html), U RL (e .g . http://ww w.dse.vic.go v.a u/…) to mul ti ple forma t op tion s, is ina cti ve and h as th e i.e. a s n ew versi on s a re C oll ectio n. de em it n ecessa ry to p ubl ishe d in thi s form, fo r thi s markin gs. • comp lia nce w ith th e law .
op eratio ns wh ere comp romise • or Victoria Onl ine (VO) Th esa urus cl ea rly bran d th is resou rce as comin g de pen di ng on the ma keup record s h ave be en add ed or u pda te d. id entify th e particu lar p urpo se. If th e asset is aitho rised
cou ld ha mpe r o r p reven t (http://ww w.ego v.vi c.g ov.au/Vi cto rian - fro m the Vi cto rian State go vern ment, b ut of th e in fo rmation a sset close d, n omin ate in divi dua l (rather than a Orga nisa ti ons sh oul d consi der the ori gin al a ssessmen t of th e fo r u nlmi te d pub lic
na ti on al crime p reven ti on go vernme nt-resou rces/victoria - th e URL sh oul d be pe rsisten t. closu re date. N.B. It is imp ortant to ali gn al l po sition o r ro le), th en If a n orga ni sation d oes de em it i nformatio n an d ide ntify i f there a re an y o th er reaso ns why the re le ase, consi der wh ether
strategi es or in vestiga ti ons, or on lin e/victoria -onl ine -th esau rus/victoria - The ava ila bl e medi a typ es date el emen ts w ith ISO86 01 ap prop riate no ti ce must be n ecessa ry to id en ti fy the ma te rial ma y n ot b e di sclose d in this man ner. it i s su itabl e fo r p ubl icatio n
en dan ge r p erson al safety on lin e-thesa urus-ve rsion -2-7-feb rua ry- D irect lin k to the d ata source l oca ti on (i.e. (formerl y kn own a s MIME and forma t an y date fierl d to gi ven in a ccorda nce wi th p articul ar ind ivid ua l (ra ther on the VIc Gov Open Data
• eco nomi c w ell bei ng 20 11.html). w ww.pre mier.vic.g ov.au/ima ges/storie s/d a types) are a vai lab le at automa ti call y forma t the d ate Informatio n Privacy tha n a po sition o r ro le), th en N .B. A p rotective ma rking d oes no t pro hib it th e informa ti on asse t Portal - DataVi c.vi c.g ov.au
• he ritage ta sets/b riga des.csv) http://ww w.ian a.org /a ssig whe n entere d Prin cipl e 1.3 of the PDPA a ppro pria te notice mu st be from be ing re lea sed u nde r a n Fre edo m o f Informa ti on req uest.
• cul tu re. It is reco mmend ed that AGA o r AGIFT is nme nts/me dia - 20 14). g iven i n accord an ce with
use d to faci litate cross ju risdi cti on al types/in de x.h tml Informa ti on Priva cy Pri nci ple Al l requ ests sh ou ld be a ssessed o n the in divi dua l merit of the
(As draw n fro m matchi ng. Each keyw ord must be 1 .3 o f the PD PA 2 014 ). i nformatio n asse ts con te nt a t the time o f the req uest.
Co mmonw eal th P ro tective asso ciated w ith an attribu te ind icatin g th e
Secu rity Po licy Framew ork sche me fro m w hich the ke yword h as be en
Glossa ry o f se curity te rms dra wn.
Versi on 1 .3 , De cembe r 2 014 )
INFORMATION ASSET 1
INFORMATION ASSET 2
INFORMATION ASSET 3
INFORMATION ASSET 4
INFORMATION ASSET 5
INFORMATION ASSET 6
INFORMATION ASSET 7
INFORMATION ASSET 8
INFORMATION ASSET 9
20
** *Fiel ds rela te d to "RECORD D ISPOSAL
***Fields related to the 'SU ITABLE F OR U NLIMITED PUBLIC R ELEASE''- Not all fields will apply to all fo rms of informa tion assets. ** *Fiel d rela te d to AUTHORITY''- Not all fie ld s w ill a ppl y to al l fo rms o f *** Fi eld s re lated to "GEOGR APHIC COVERAGE'' - N ot a ll fiel ds wil l app ly to all forms of informa ti on
' BUSINESS
Delete any columns that aren't relevant to your information a ssets CL ASSIFICATION' in fo rmation a ssets. D ele te a ny colu mns th at aren 't assets. D ele te a ny col umns that aren 't re leva nt to you r i nformatio n asse ts
rele vant to your in fo rmation a ssets
RECOR D DISPOSAL GEOGRAPHIC

BUSINESS CLASSIFICATION
CATEGOR Y C OVERAGE
ASGS (Australian
Pu blic release date Attribution Geodata - Verttical
Copyright statement Licensing Disclaimer Type / Category Dispsal category Disposal class Statistical Geography Bounding box
(VPDSF Req) statement Granularity coverage
Stand ard)
Only requir ed if the Sta ndard C opyrig ht A license g iving o fficial permissio n to A statemen t of Assists in iden tifying the Select Minim um retention Sp ecify th e Specify the c la ss Do es the (If applicable) Spatial coverage Spatial coverage Th e vertical
da ta se t has bee n attribu tion s tand ards and use the information asset. repud iatio n or scop e, typ es, use and relevan t perio d of the R etention and n umb er from the information specified u sing spec ified b y using exten t o f th e
publica lly re le ase d.
statem ent for a dditional carve den ial of fu nctions o f an in fo rm atio n catego ry / information a sset D isposal A uth ority Retention an d asset ASGS. latitud e/long itud e information
the State of o uts. respon sibility or asset catego ries which app lies Disp osal Au tho rity co ntain bo un ding box. asset.
Victo ria only con nectio n. which ap plies loca tion -
req uired if the ba sed or
d ataset has sp atial
b een pu blically information ?
released
If app roved for pu bli c MU ST be p resen t if MUST be p resen t if MUST b e prese nt if the d ataset ha s b een MUST b e pre sent if Busi ness cla ssificatio ns may be Avail abl e Spe cify the mi nu mu m peri od Sp ecify the Re te ntion Re fe r to the R etentio n Yes o r N o (Exte nt o f dri ll Austral ian Statistica l One o f Austral ian Expre ssed as a
re le ase, th is is th e date the d ataset ha s b een th e datase t ha s b ee n pub lica lly rel ease d. th e da ta set h as bee n functio nal , p rocess ba sed, subj ect catego ries the in fo rmation a sset must b e a nd Di spo sal Autho rity an d Di sposa l Authori ty dow n leve l – i.e. Geog raph y Sta nda rd Statistica l Ge ogra phy min imum an d
th at thi s ve rsion o f the p ubl ical ly rele ased . p ub lica lly rel ease d. pu bli call y re lea sed. ba sed o r o rg an isatio n base d. The re incl ude : retai ned u nd er a Reten ti on (R DA) whi ch app lie s – (RD A) a nd sp ecify th e (Exten t of data to L ocal (ASGS) i s a re lative ly ne w Stand ard (ASGS) and maxi mum
informa ti on asse t an d [C reative C ommon s] CC – Attrib ution 4 .0 may be mu ltipl e bu sine ss • Bu sine ss an d Disp osal Au thori ty e .g . PR OS 07 /0 1 cla ss n umb er whi ch cove rag e – i.e. Go vernme nt ge ogra phi cal stan dard Bou nd ing Bo x mu st be val ues wi th u nit
its a ssocia te d record s Thi s ca n be Imp leme ntation n ote: [C reative C ommon s] CC – Attrib ution - Discl aime r sp ecific to cla ssificatio ns fo r e ach i nformatio n • au th orise d by the Kee per of ap pl ies – e.g. 5.6.1 al l of Victoria , al l Areas (LGA) de velo ped by th e Australi an pre sent. of measu re (e.g.
and e leme nts w ere p rogra mmatical ly Th is can be Non commerci al 4.0 th e da ta set asse t. Commu nica ti on Pub lic Re cords. Fo r e xamp le Lo cal leve l) Bure au of Statistics (ABS) metres). If not
app roved for, and g ene rated if the p rog rammatica lly [C reative C ommon s] CC – Attrib ution - othe rwise d efaul ts to • C ommun ity - "Te mpora ry. De stro y 5 Gove rn men t for th e coll ection and This is a text stri ng pre sent,
su bse que ntly rele ased . a ttrib ution state me nt g en erated i f the Non commerci al-N o Deri vative Works 4.0 web pag e’s ge nera l Busi ness cla ssificatio ns or the act of • Ed ucatio n yea rs a fter actio n comp leted . Area s (L GAs) di ssemin ation o f g eog raph ic con sisting of fou r re al assu med to be
i s i den ti cal for all co pyri ght sta te ment [C reative C ommon s] CC – Attrib ution - discl aime r. arra ngi ng reco rds in a l ogi cal • Emp loyme nt Ho ld in Ag ency p end ing statistics. nu mbers re prese nting (i n the surface for
N.B. It is imp ortant to d atasets. i s i de ntical for al l Non commerci al-Sh are Ali ke 4.0 structure an d seq uen ce, faci litates • En viron ment de stru cti on. " seq ue nce): N lon gitud e, S ge ogra phi c
ali gn al l date el emen ts d atase ts. [C reative C ommon s] CC – Attrib ution -No thei r su bseq ue nt u se and re fe ren ce. • Fin ance Organ isatio ns sho uld lo ngi tu de , E latitud e, a nd in fo rmation
with ISO8 601 a nd 'Pu bli she r' i s a Deri vative Works 4.0 • Gen eral Re te ntion a nd D ispo sal en sure that on e ASGS an d W l atitude . asse ts
fo rmat a ny date fierl d ma nda to ry Au stra lia n [C reative C ommon s] CC – Attrib ution -Share Al ike It al so ena bl es app ropri ate lin king , • H eal th Autho rities are a vai lab le on Bou ndi ng Bo x mu st be
to a utomatica lly format Gove rnmen t Lo cator 4.0 gro upi ng, na ming , secu rity, use r • Pl ann ing the PROV web s ite pre sent. ASGS is a As pe r ANZL IC ( the pe ak
th e date wh en en te red Se rvice (AGLS) [C reative C ommon s] CC – Attrib ution 3 .0 Au stra lia pe rmissio ns and re tri eva l, d ispo sition • R ecrea ti on (http://pro v.vi c.g ov.au ) If hi erarch ical sch eme from go vernme nt bod y i n
p rope rty for [C reative C ommon s] CC – Attrib ution - an d ide ntifica ti on of vital reco rds. • Sci ence a nd there i s n o ap pli cabl e RDA, the ABS Austral ia a nd Ne w Ze ala nd
If th e asset is i nformatio n Non commerci al 3.0 Au stra lia Te chno log y the con te nts of thi s e leme nt (http://ww w.abs.go v.au/au ss resp onsi ble fo r sp atial
aitho rised for un lmited re source s. [C reative C ommon s] CC – Attrib ution - • So ciety must be "U nsen te nced . tats/a bs@.nsf/mf/12 16.0) in fo rmation ), thi s i s o nly an
pub lic rel ease , Non commerci al-N o Deri vative Works 3.0 Austral ia • Sp atial D ata Re ta in in a gen cy pen din g that divi des Au stra lia i nto ap pro xi mate refere nce so
co nsi der wh ether it is [C reative C ommon s] CC – Attrib ution - • Tran sport de te rmina ti on" States, the n LGAs, a nd then spe cifying th e coord ina te
su itab le for pub lica ti on Non commerci al-Sh are Ali ke 3.0 Austral ia sub L GAs. refere nce s system is no t
on the VIc Gov Open [C reative C ommon s] CC – Attrib ution -No req uire d.
Data Portal - Deri vative Works 3.0 Austral ia It is reco mmend ed tha t on ly
DataVi c.vi c.g ov.au [C reative C ommon s] CC – Attrib ution -Share Al ike the State (Victori a), a nd
3.0 Austral ia Lo cal Govern men t Area s
[Other] Cop yrig ht (LGA) bran ch be u sed, and
[Other] GN U – Fre e Do cumen ta ti on Li cense that sub L GA cod ing s i s n ot
[Other] Th e MIT Li cense use d.
[Other] Th e BSD Li cense
(N.B. De fa ult is CC – Attribu ti on 4.0)
21
SUPPLEMENTARY
Organisation's can consider the following metadata elements(left hand column), and add any relevant fields to it's own IAR tool / system
INFORMATION ASSET DEFINITION OF THE METADATA /

SUPPORTING INFORMATION AND IMPLEMENTATION NOTES
METADATA / ELEMENTS ELEMENT
The date that this entry on the IAR was last

IAR entry review date It is recommended that this field be generated automatically when changes occur to the metadata associated with the information asset.
reviewed or updated
This helps organisations determine the original intent or purpose for generation or collection of that information asset.
A description of the purpose for which the
information asset was collected, and whether the This is particularly important for information assets containing personal information. The Privacy and Data Protection Act (2014) prohibits the
Purpose (primary purpose of collection)
information asset may be used for other purposes use of personal information collected for one purpose from being reused for a secondary purpose. This field documents the original purpose for
without modification. which the personal information was collected (including any mandates for collecting the information and whether the information asset contains
personal information.
A link to a related information asset (e.g. previous instances of the information asset).
Related Information Asset Link to related information assets
Organisations to define whether this information asset is an input or an output.
Typical values would be: Replaces / Replaced By, New Version / Old Version, Derived From / Derivation, Related information assets. Other
Type of relationship Type of relationship
values are allowed.
Value Link to related dataset Value refers to the URL (website address) of a metadata record of another dataset.
Organisations should consider:

• the format types of the information asset (including any associated records or elements)
Disposal requirements How must the asset be disposed of?
• related Retention and Disposal Authority & Single Instance Disposal Authority and
• the protective marking of the information (as this will inform various security measures required to securely dispose of the asset)
Organisations should confirm the status of the Data Quality Statement (DQS) and where the DQS is located (i.e. the URL or file path name).
A statement about the quality of the data and
Data Quality / Trust Statement
purposes for which it can be used. Refer to the Vic Gov IM Data Quality Standard for more information
https://www.enterprisesolutions.vic.gov.au/wp-content/uploads/2018/05/IM-STD-07-Data-Quality-Standard.pdf
These requirements cover not only security issues around people gaining access to sensitive or significant information, but also the
opportunities for sharing information internally and externally.
Core considerations include:

• Who can access the information asset?
Access Access restrictions to the information asset • What personnel security measures are required for this material? (i.e. do individuals need to undergo screening prior to accessing this content
and should the need to know principle be employed)
• How are they expected to access the information asset?
• Defining expectations around information sharing opportunities (internally & externally)
Organisations can refer to the Victorian Protective Data Security Standard no. 4 (Information Access) and supporting controls.
Last published /
updated on Date published / updated on DataVic
DataVic?
Collected to meet mandatory legal or

Yes or No Outline which legal or regulatory obligations require the collection of this information asset (i.e. National Minimum Data Sets – NMDS)
regulatory obligations?
Collection method
Collection validation
Off-line access details MUST be present if the resource has been published and is only available off-line.
How information assets available offline can be
Off-line Access
obtained or accessed. Include contact information. The details may be present in other circumstances. Implementation Note: where the same access details are shared amongst several datasets,
it is recommended that the details only be stored once to facilitate maintenance.
Supports Business Process Business process the information relates to Free text field
Name of the business ICT system / application

Source ICT System Only required if stored in a digital format
associated with the information asset.
22
LEGAL AND REGULATORY OBLIGATIONS*
The list below outlines the Victorian Government legal and regulatory references considered dur
* This is not an exhaustive list of all IM obligations that your organisation operates under. Instead this sa
the management of information assets and associated metadata.
Given the variety of organisations that come under the VPDSF, you will need to consider whether there
may not be presented in this template, but may also find that some of these references and fields do no
Victorian Protective Data Security Framework (VPDSF)
Supports the minimum requirements of the Victorian Protective Data

organisations should look to capture in their IAR
Public Record Office Victoria (PROV)
To assist Victorian government bodies with managing their informatio
DataVic Access Policy
The DataVic Access Policy is applicable to all agencies (that is, all De
'Department' and ‘Public body’ are defined in the Financial Managem
authorities.
FOI Requirements
To assist organisations to identify information assets that are require

Freedom of Information Act 1982 (Vic).
Whole of Victorian Government (WoVG) Information Managemen
To assist Victorian Government bodies in meeting information manag
Victorian Auditor Generals Office Recommendations
Assist Victorian public sector organisations meet the requirements
Victorian Government Data Directory MetaData Standard & the sample VPDSF IAR te
A standardised metadata schema is available to assist VPS organisations map their efforts when registe
This internal directory aims to capture metadata about VPS datasets that can be shared between agenc
datasets across the VPS and then either request access to the data, or request access via the data cus
This STD is NOT intended as a metadata standard for agencies’ operational IAR’s, but rather a schema
To find out more, refer to https://www.enterprisesolutions.vic.gov.au/wp-content/uploads/2018/09/IM-ST

erences considered during the development of this sample template.
tes under. Instead this sample template aims to set out the main legal and regulatory requirements relating to
o consider whether there are additional requirements that you need to include in your organisations IAR that
erences and fields do not apply.
work (VPDSF)
Victorian Protective Data Security Standards (VPDSS) and reference particular privacy considerations that
IAR
managing their information assets in accordance with the Public Records Act 1973 (Vic)
all agencies (that is, all Departments and Public bodies) of the State.
n the Financial Management Act 1994. Public bodies include State business corporations and statutory
on assets that are required to be listed in information statements published in accordance with Part II of the
nformation Management
eeting information management best practice
mendations
meet the requirements
ample VPDSF IAR template
their efforts when registering information assets on an internal Victorian Government Data Directory.
be shared between agencies and bodies under authorised conditions. Agencies or bodies can search for
t access via the data custodian.
AR’s, but rather a schema to map to, and assist with searchability / discoverability of datasets across the VPS.
t/uploads/2018/09/IM-STD-09-Victorian-Government-Data-Directory-Metadata-Standard2.pdf
nsidered during the development of this sample template.
nstead this sample template aims to set out the main legal and regulatory requirements relating to
whether there are additional requirements that you need to include in your organisations IAR that
d fields do not apply.
SF)
otective Data Security Standards (VPDSS) and reference particular privacy considerations that
heir information assets in accordance with the Public Records Act 1973 (Vic)
(that is, all Departments and Public bodies) of the State.

cial Management Act 1994. Public bodies include State business corporations and statutory
at are required to be listed in information statements published in accordance with Part II of the
Management
mation management best practice
quirements
DSF IAR template
s when registering information assets on an internal Victorian Government Data Directory.
etween agencies and bodies under authorised conditions. Agencies or bodies can search for
a the data custodian.
her a schema to map to, and assist with searchability / discoverability of datasets across the VPS.
018/09/IM-STD-09-Victorian-Government-Data-Directory-Metadata-Standard2.pdf

Sample Information Asset Register (Iar) Template

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Sample Information Asset Register (Iar) Template

Uploaded by

Copyright:

Available Formats

SAMPLE INFORMATION ASSET REGISTER (IAR) TEMPLATE

INSTRUCTIONS - How to use this sample template

Which tab should you use?

CORE (inc. VPDSF reqs)

Organisations must be mindful of their specific operating requirements and relevant

Protective Marking N/A

Approved for unlimited public release? Yes – Authorised for release

Publication Date November 2019

Review Date November 2020

Document Status Final V2.0

Author Information Security Unit - Office of the Vicorian Information Commissioner

INFORMATION ASSET REGISTER

All requests should be assessed on the individual merit of the

APPROVER / AUTHORISOR (FOR

If the material is suitable for public release, Only required if the

This is the date on

Note: Refrain from nominating an individuals If approved for public

If the asset is aithorised

INFORMATION ASSET REGISTER

*** Fi eld re lated to the

RECOR D DISPOSAL GEOGRAPHIC

(N.B. De fa ult is CC – Attribu ti on 4.0)

INFORMATION ASSET REGISTER

INFORMATION ASSET DEFINITION OF THE METADATA /

The date that this entry on the IAR was last

Organisations should consider:

Core considerations include:

Collected to meet mandatory legal or

Name of the business ICT system / application

Victorian Protective Data Security Framework (VPDSF)

Supports the minimum requirements of the Victorian Protective Data

Public Record Office Victoria (PROV)

To assist Victorian government bodies with managing their informatio

DataVic Access Policy

To assist organisations to identify information assets that are require

Whole of Victorian Government (WoVG) Information Managemen

To assist Victorian Government bodies in meeting information manag

Victorian Auditor Generals Office Recommendations

Assist Victorian public sector organisations meet the requirements

To find out more, refer to https://www.enterprisesolutions.vic.gov.au/wp-content/uploads/2018/09/IM-ST

eeting information management best practice

meet the requirements

ample VPDSF IAR template

(that is, all Departments and Public bodies) of the State.

mation management best practice

DSF IAR template

s when registering information assets on an internal Victorian Government Data Directory.

You might also like