Policy

The people you need to participate in the risk assessment process will not join you because it’s fun. They’ll only do it if it’s required.

You are going to be causing a stink asking for people to participate in the risk assessment process.

Everyone, from business analysts, data owners, and application owners to data entry staff, is overworked and overburdened in the organizations I work with. Maybe I’ve been fortunate, but the businesses I’ve been serving are growing faster than their employee resources are.

That means no one is going to be warm and welcoming to the idea of calling you and filling out your forms.

You need a policy. People will not do something because you ‘want’ them to; they will do something because it is ‘required’. This policy, approved by executive leadership, is the statement that ‘thou shalt do your part in this risk assessment’. I hate to be negative, but if they have a problem with it, they need to raise it with their leadership, because what they have is a resource problem, not a process issue.

Identifying risks to the business through vendor applications and external data sharing is critical. Your work here is critical. Most people don’t understand that, and you shouldn’t expect them to.


Data Classification Policy

Data Classification Types

The best policy to create is a Data Classification Policy. The goal of the data classification policy is to define and classify the different data types that exist within your business.

The heart of a data classification policy is the set of data classifications you want to use as an organization. These frequently include:

  • Public – Can be used by anyone in the company and can be shared externally.
  • Internal – Can be used by anyone in the company, but needs approval before being shared externally.
  • Sensitive – Important records that need to be labeled and stored in specific locations and should not be shared outside specific company groups and departments.
  • Confidential – The most highly regarded data; it should only be accessed by the individual people who require it, and the highest level of security protection should be applied.


Data Labels

Next, start populating the data labels with the specific types of data your organization works with that correspond to those definitions.

Examples might include:

  • employee HR data
  • health care data
  • intellectual property
  • client data

Assign these data types to the classification labels defined.

Start with what you know. This process can feel overwhelming. It’s normal not to be able to classify all your company’s data at one time. It will take time. Just publishing this policy will start to change the culture of the company, getting people to think about the types of data they are working with.


Statements

Finally, once you have your data labels and your data types, you can make policy statements that define the what, who, how, and where of the policy. What statements do you want to make about ‘Restricted’ data? Statements like:

  • All systems storing, processing, or transmitting ‘Restricted’ data are required to complete the cybersecurity risk assessment process.
  • All ‘Restricted’ data requires access authorization by the business owner and quarterly review according to the entitlement process.
  • All ‘Restricted’ data is prohibited from being shared with vendors, partners, contractors, or consultants without prior documented approval.
  • All ‘Restricted’ data must be encrypted in storage according to the company’s ‘encryption policy’.

The companies I work with tend to be at the stage where we’re just focusing on getting a grip on ‘Restricted’ data and implementing the related security capabilities.

If you’re ready to bite off more, you can continue these policy statements for each data classification type. Another approach is a waterfall policy that starts by stating how ‘Public’ data can be managed, then defines policy statements for ‘Internal’ data, where the first statement is that it inherits all the ‘Public’ data requirements, and so on down the classification levels.


Classifying Data

Classifying data is like a dance. You’ll have a dance partner (the business analyst, or BA) and you need to lead. You need to take them by the hand and show them what you’re trying to do. Practically, this means you should show them the different classification categories and explain how each one is defined.

Then provide an example or two of data types that would fit into each category. Then let them come up with some ideas. Ask if they can think of any data that should be assigned to a category. Give them time. Be quiet. Don’t fear the silence. Wait for them to respond and start providing ideas. The first one is the hardest; after that, the ideas seem to flow easily.

Take notes on the valuable information they share about data types, then repeat back what they said. Thank them for contributing, and then start your risk process of questioning which categories the data should be in. Challenge the category, but do it respectfully, in a way that acts as a catalyst for a risk discussion with the BA. As you do this, something greater is happening: you’re educating them about risk.


As mentioned above, you can state where classified data can be used. With the prevalence of cloud computing, I have found it helpful to create a hosting platform matrix like the one below.

  Data Type          Public Cloud / SaaS   Public Cloud / PaaS   Public Cloud / IaaS
  Confidential Data  No                    No                    No
  Sensitive Data     Yes                   No                    No
  Internal Data      Yes                   Yes                   No
  Public Data        Yes                   Yes                   Yes


Finally, if your business is large enough to develop its own private cloud, your policy can add another level: which data classifications can be hosted on which platforms, and hosted by which group.

Summary

Policy is one of the first steps in creating a successful cybersecurity risk assessment process.

A data classification policy is an ideal policy for aligning risk priorities with your risk assessment processes. One of the greatest risk reduction initiatives you can undertake is keeping your pulse on the movement of classified information in and out of the organization.

Join us in the next article in the cybersecurity risk assessment series, where we will discuss developing security standards. These standards create a baseline of expectations and will help you finish more assessments in less time.


Previous Article:

Cybersecurity Risk Assessment Funnel – Part #2: People
