How to assess an organization’s data asset risk

IntermediateSecurity 5 StepsLast updated: March 27, 2024
In this guide, you will learn how to first identify your data assets, and then assess their associated risks.

Guide Objectives

  • Create your organization’s data asset inventory
  • Identify key risk factors for each data asset
  • Assess risk by data asset within the inventory

How do you keep your data safe? First, you need to know the risks associated with your data. While this may sound straightforward, the risks vary greatly depending on what the data contains.

In this guide, you will learn how to first identify your data assets, and then assess their associated risks. This is step one in creating a systematic approach for mitigating data security risks. (A data asset is any entity composed of data. Types of data assets include, but are not limited to, a database, text file, CSV, document, web page, application, spreadsheet, and data visualization.)

Guide Specific Disclaimer

There is no perfect “solution” that fits every organization for complicated issues around data use and management, and we recognize that. These guides are designed to support you, but please adjust steps, templates, and plans to your needs.

For this guide, one varying factor is time. Depending on the size of your organization, and the number of data assets you work with, creating an inventory and assessing risks may take more or less time. For example, if you work in a large organization you may find that creating a data asset inventory may be a longer and more collaborative process as the information may lie across multiple departments.

Identify your organization’s data assets

The first step is to download the Data Asset Inventory & Risk Rating Template.



Once this has been downloaded you can start to identify the data assets you are working with. A data asset is anything that houses data. It can be your accounting system, CRM, spreadsheets, data visualizations etc.  To start, write down the names of the data assets in the first column. We recommend starting the column with the most important and consistently used data assets. Developing a comprehensive list before starting is not needed or recommended. It is much more important to just start the process.

For example, you can start the inventory process with the data assets you frequently use (perhaps your accounting platform, a product user database, a project outcomes spreadsheet, etc.) Once you have the hang of it, you can seek input from colleagues in other roles or departments to carry on the process.

Complete the data asset inventory

After completing the list of data assets, you will build your inventory by cataloging information regarding each asset. 

How is the data asset used? What does it consist of? Who has ownership?  Start with the most critical and consistently used data asset. Fill in the information, working your way right along each row. If you don’t know the answers, you can always flag it and ask a colleague later.

Identify sensitivity of information within the asset(s)

Now that you have an inventory, it is time to look at how sensitive the contents of each data asset are. The level of sensitivity can vary depending on what the content represents (ex. Information about your organization, communities served, and other key stakeholders. etc.)  On the spreadsheet, select the ‘Risk Rating Tab’. In columns B through E you will answer questions about the sensitivity of the information found within each asset, a key factor that impacts the overall level of associated risk.

Key factors that impact a data asset’s risk:

Users Affected – These can be the people the data represents (participants, employees, donors, etc.), or the people who rely on the data. It is important to know the different groups that can be impacted by this data, and how. 

Personally Identifiable Information (PII) – PII is data that can be used to identify a unique person, such as a social security address or national identification number. PII can also be a combination of data, such as one’s gender, address, and sector of work. PII is particularly important for vulnerable communities who may be targeted by malevolent actors. Learn more about PII here.

Business Sensitive – It is important to define how critical the information within a data asset is in the day-to-day functioning or key decision-making within an organization. The more critical, or “business sensitive”, the more potential risk. For example, a typical accounting system is a highly business-sensitive data asset. Regulations – Within the US, some states, such as California, have regulations regarding data privacy and other security protocols to follow. Within Europe, the General Data Protection Regulation (GDPR) is the key regulation to consider in most countries. Asia has made notable progress as well. In 2023, India launched the Digital Personal Data Protection Act. In the same year, Vietnam’s Personal Data Protection Decree went into effect.

Complete the risk ratings

Keeping in mind the sensitivity of information within each data asset, you will now carry out your own risk rating. 

In columns F through H you will rate the level of risk in the face of different types of data breaches. You can look to the Risk Rating Tab for more information on the different levels of risk. 

Once columns F through H are populated, column I (the “Overall Risk Rating”) will automatically populate with the highest of the three risk areas. This can be used to determine which assets to prioritize for mitigating risk.

What is a loss of data confidentiality? This is when a malevolent actor, often considered a “hacker”, finds a way to access information within the data asset.

What is a loss of data integrity? This is when a malevolent actor accesses and changes information within your data asset, potentially with you being unaware. What is a loss of data availability? This is when a malevolent actor accesses and removes your access to a data asset. Often this is part of a ransomware scheme, where money is requested by this person or organization for them to grant you access again.

Personally Identifiable Information (PII) – PII is data that can be used to identify a unique person, such as a social security address. PII can also be a combination of data, such as one’s gender, address, and sector of work. PII is particularly important for vulnerable communities who may be targeted by malevolent actors. Learn more about PII here.

Business Sensitive – It is important to define how critical the information within a data asset is in the day-to-day functioning or key decision-making within an organization. The more critical, or “business sensitive”, the more potential risk. For example, a typical accounting system is a highly business-sensitive data asset.

Regulations – Within the US, some states, such as California, have regulations regarding data privacy and other security protocols to follow. Within Europe, the General Data Protection Regulation (GDPR) is the key regulation to consider in most countries. 

‘So what’ and next steps

Congratulations! You have begun creating a data asset inventory, and you now know the risks associated with each data asset in it. With this knowledge you can start mitigating these risks. 

Whenever the need arises, you can now go back and add more to the inventory list and complete the associated risk assessments. Remember, the spreadsheet you are developing is meant to be a living document of your assets, so it will change as your organizations evolves. Also note that proper risk mitigation strategies can reduce the impact and occurrence of human error and data breaches. Strategies may involve shoring up organizational practices, improving security policies, and even implementing tech solutions. Check back soon for more guides on data risk mitigation. 


We'd love your feedback.

Was this guide helpful? Please rate this guide and share any additional feedback on how we might improve it.


Need some additional help?

Explore additional pathways and perspectives to inform your data for social impact journey.