Security starts with asset classification It can be really stressful  when you have trouble finding something important. You're late to an appointment and can't find your keys! We all find ourselves in  situations like these at one time or another. Believe it or not, organizations  deal with the same kind of trouble. Take a few seconds to think of the number of  important assets you have nearby. I'm thinking of my phone,  wallet, and keys, for example. Next, imagine that you've just joined  a security team for a small online retailer. The company has been growing over the past few years,  adding more and more customers. As a result, they're expanding their security department  to protect the increasing numbers of assets they have. Let's say each of you are responsible for 10 assets. That's a lot of assets!  Even in this small business setting, that's an incredible amount of  things that need protecting. A fundamental truth of security is you can only protect the things you account for. Asset management is the process of  tracking assets and the risks that affects them. All security plans revolve around asset management. Recall that assets include  any item perceived as having value to an organization. Equipment, data, and intellectual property are just a  few of the wide range of assets businesses want to protect. A critical part of  every organization's security plan  is keeping track of its assets. Asset management starts with having an asset inventory,  a catalog of assets that need to be protected. This is a central part  of protecting organizational assets. Without this record, organizations run  the risk of losing track of all that's important to them. A good way to think of  asset inventories is as a shepherd protecting sheep. Having an accurate count of the number of  sheep help in a lot of ways. For example, it will be easier to  allocate resources, like food, to take care of them. Another benefit of asset inventory  might be that you'd get an alert  if one of them goes missing. Once more, think of the important assets you have nearby. Just like me, you're probably able to  rate them according to the level of importance. I would rank my wallet ahead of my shoes, for example. In security, this practice is  known as asset classification. In general, asset classification  is the practice of labeling  assets based on the sensitivity and importance to an organization. Organizations label assets differently. Many of them follow a basic classification scheme: public, internal-only,  confidential, and restricted. Public assets can be shared with anyone. Internal-only can be shared with anyone in  the organization but should not be shared outside of it. And confidential assets should only be  accessed by those working on a specific project. Assets classified as restricted are  typically highly sensitive and must be protected. Assets with this label are considered need-to-know. Examples include intellectual property  and health or payment information. For example, a growing online retailer  might mark internal emails about  a new product as confidential because those working on the new product should know about it. They might also label the doors at  their offices with the restricted sign  to keep everyone out who doesn't have a specific reason to be in there. These are just a couple of everyday examples that you  may be familiar with from your prior experience. For the most part, classification determines whether an asset can be disclosed, altered, or destroyed. Asset management is a continuous process, one that helps uncover  unexpected gaps in security for potential risks. Keeping track of all that's important to  a organization is an essential part of security planning.