I recommend you start asset cataloging before you have a vulnerability assessment done on your organization, because you need to know which assets you’re trying to protect. The cataloging process is similar to the vulnerability assessment process in that you want to identify, quantify and prioritize all of your assets.
This is done by first creating a comprehensive catalog of assets. A good place to start is with your financial statements, as you’ll have your catalog already started from the assets listed there. Assets are the nouns of your organization: the people, places and things. Your financial statements will likely list the larger assets, such as furniture, computing devices, vehicles, etc. In the information economy, you’ll also want a list of your digital assets, such as your intellectual property, databases, personally identifiable information, copyrighted works, etc. You’ll also want a list of all of the people your organization considers assets, including staff, contractors, third-party suppliers and joint ventures. You’ll also want a list of places. For example, if you have someone who keeps backed-up hard drives at their house, and their house caught fire, you might lose some important information. That house would also be considered an asset.
Once you have your list of assets, it’s a good exercise to sit down with your executive team and prioritize your assets, including the people. If you lost a given asset immediately and forever, how much impact would it have? Continuing the example above, if someone can steal the backup hard drive from your organization’s owner’s house, that’s likely a much easier attack surface than the organization’s data server closet. This process will help the vulnerability assessor focus on the organization’s priority assets.
This catalog is itself an asset of the utmost priority: if it is compromised, potential attackers will know exactly where to strike. Protect it at the same level you protect your other most valuable assets.