### Definition >Anything that has value to the organisation \-([[ISO/IEC 13335]]) Assets come in as great an array of types as the mechanisms for using them. In information assurance, three main types of assets are considered, although the sub-categories that fall within each of these main types can be numerous. The three main types are: 1. pure information (in whatever format); 2. physical assets such as buildings and computer systems; 3. software that is used to process or manage information and data 4. [[Dieter Gollman]], in [[Computer security]], adds "reputation" as another asset >[!warning] >Apparently staff are not an asset. Interesting approach, let's see how it works out for them ## information assets Information might be structured or unstructured: stuctured, like a relational database, or unstructured, like memos or written records They might also vary in location. They may be locally held. They may be backed up to a cloud storage facility, or may even originate there and never touch the user's device. Information assets can be in transit, or at rest. We protect such information from eavesdropping risks using [[encryption]]. ## ownership Assets should have an owner. However, in a brutal reminder that Marx had a point, it turns out an asset owner is generally the person or team responsible for the production, development, maintenance, use, and security. It is not the person or team who 'owns' the asset in paper terms.