Policy
The people you need to participate in the risk assessment process will not join you because it’s fun. They’ll only do it if it’s required.
You are going to be causing a stink asking for people to participate in the risk assessment process.
Everyone from the business analysts, data owners, application owners, and data entry is overworked and overburdened in the organizations I’m working with. Maybe I’ve been fortunate, but the businesses I’ve been serving are growing faster than their employee resources are.
That means that no one is going to be warm and welcoming to the ideas of calling you and filling out your forms.
You need a policy. They are not going to do something you ‘want’ them to do, but they will do something that is ‘required’. This policy, approved by executive leadership, is the statement that ‘thou shalt do your part in this risk assessment’. I hate to be negative, but if they have a problem with it, they need to take that up with their leadership, because what they have is a resource problem, not a process issue.
Identifying risks to the business through vendor applications and external data sharing is critical. Your work here is critical. Most people don’t understand that, and you shouldn’t expect them to.
Data Classification Policy
Data Classification Types
The best policy to create is a Data Classification Policy. The goal of the data classification policy is to define and classify the different data types that exist within your business.
The heart of a data classification policy is the set of data classifications you want to use as an organization. These frequently include:
- Public – Can be used by anyone in the company and can be shared externally.
- Internal – Can be used by anyone in the company, but needs approval before being shared externally.
- Sensitive – Important records that need to be labeled and stored in specific locations and should not be shared outside specific company groups and departments.
- Confidential – The most highly regarded data. It should only be accessed by the individual people who require it, and the highest level of security protection should be applied.
Data Labels
Next, start populating the data labels with the specific types of data your organization works with that correspond to those definitions.
Examples might include:
- employee HR data
- health care data
- intellectual property
- client data
Assign these data types to the classification labels defined.
Start with what you know. This process can feel overwhelming. It’s normal to not be able to classify all your company’s data at one time. It will take time. Just publishing this policy will start to change the culture of the company to start thinking about the types of data they are working with.
Statements
Finally, once you have your data labels and your data types, you can make policy statements that define the who, what, where, and how of the policy. What statements do you want to make about ‘Restricted’ data? Statements like:
- All systems storing, processing, or transmitting ‘Restricted’ data are required to complete the cybersecurity risk assessment process.
- All ‘Restricted’ data requires access authorization by the business owner, reviewed quarterly according to the entitlement process.
- All ‘Restricted’ data is prohibited from being shared with vendors, partners, contractors, or consultants without prior documented approval.
- All ‘Restricted’ data must be encrypted in storage according to the company’s ‘encryption policy’.
The companies I work with tend to be at the stage where we’re just focusing on getting a grip on ‘Restricted’ data and implementing the related security capabilities.
If you’re ready to bite off more, you can continue these policy statements for each data classification type. Another way is a waterfall approach to your policy that starts by stating how ‘Public’ data can be managed. Then define policy statements for ‘Internal’ data, the first of which is that it inherits all the ‘Public’ data requirements.
Classifying Data
Classifying data is like a dance. You’ll have a dance partner (BA) and you need to lead. You need to take them by the hand and show them what you’re trying to do. What this means practically is that you should show them the different classification categories and explain how each one is defined.
Then provide an example or two of data types that would fit into this category. Then let them come up with some ideas. Ask if they can think of any data that should be assigned to a category. Give them time. Be quiet. Don’t fear the silence. Wait for them to respond and start providing ideas. The first one is the hardest, then after that, it seems they flow easily.
Take notes on the valuable information they share about data types and then repeat back what they said. Thank them for contributing, and then start your risk process of questioning which categories the data should be in. Challenge the category, but do it respectfully, in a way that acts as a catalyst for a risk discussion with the BA. Because as you’re doing this, something greater is happening: you’re educating them about risk.
As mentioned above, you can state where the classified data can be used. With the prevalence of cloud computing, I have found it helpful to create a hosting platform matrix like the one below.
| Data Type         | Public Cloud / SaaS | Public Cloud / PaaS | Public Cloud / IaaS |
|-------------------|---------------------|---------------------|---------------------|
| Confidential Data | No                  | No                  | No                  |
| Sensitive Data    | Yes                 | No                  | No                  |
| Internal Data     | Yes                 | Yes                 | No                  |
| Public Data       | Yes                 | Yes                 | Yes                 |
Finally, if your business is large enough to develop its own private cloud, your policy can add another level: which data classification can be hosted on which platform, and hosted by which group.
Summary
Policy is one of the first steps in creating a successful cybersecurity risk assessment process.
A data classification policy is an ideal way to align risk priorities with your risk assessment processes. One of the greatest risk reduction initiatives you can undertake is keeping your pulse on the movement of classified information in and out of the organization.
Join us in the next article in the cybersecurity risk assessment series, where we will discuss developing security standards. These standards create a baseline of expectations and will help you finish more assessments in less time.