Mitigate Threats with Data Risk Assessments


Data Privacy Challenges Abound

Since the introduction of the General Data Protection Regulation (GDPR) in 2018, dozens of countries, including Australia, Brazil and South Korea, as well as U.S. states such as California, have followed suit. In fact, some experts predict that 65% of the world’s population will have its personal information covered by a privacy regulation by 2023.

Though the rapidly accelerating pace of privacy regulation and the associated compliance burden are certainly a top concern for the C-suite, they are far from the only data privacy-related risks organizations face.

Since 2011, the number of reported data breaches in the U.S. has doubled. In 2020 alone, data security solution provider Varonis confirmed 3,950 data breaches across the globe, some of which resulted in the exposure of hundreds of millions of customer records. 

High-profile cyber attacks such as the SolarWinds and Colonial Pipeline incidents, along with emerging conversations about the ethical use of Artificial Intelligence (AI), have increased public scrutiny of data usage and privacy. In fact, a Consumer Reports study found that 74% of U.S. consumers are concerned about personal data privacy, with 96% saying companies should do more to protect customer privacy.

However, before an organization can re-engineer its approach to data privacy, it must first understand its current state. This is where the data risk assessment (DRA) comes in.

What is a Data Risk Assessment (DRA)?


Similar to a cybersecurity risk assessment, a data risk assessment (DRA) is a systematic approach to uncovering where your sensitive data is, who has access to it and what changes are happening around it.

The goal of a DRA is to:

  • Calculate the risk of holding personally identifiable information (PII).
  • Determine readiness to comply with applicable legal, regulatory and policy requirements for privacy.
  • Ensure compliance with applicable legal, regulatory and policy requirements for privacy.
  • Establish a baseline of organizational risk for future assessments.
  • Identify and mitigate vulnerabilities that could lead to data exposure or breach.
  • Communicate the value proposition of increased data security, provided well-defined key performance and risk indicators are used.

Data risk assessments typically require three steps. 

Step One: Data & Application Mapping

This involves mapping an enterprise’s complete data footprint. Key areas that should be investigated and defined during this process are:

  • Data owners - the individual or team responsible for the data in a particular data domain
  • Data types and attributes - characteristics or features of a data object, for example employee data, EMR/patient information, customer contact information or financial data
  • Data classification - the level of sensitivity and the impact should that information be compromised, modified or accessed without proper authorization and authentication
  • Data environment - the individual locations or regions where the data resides
  • Applications - a list of the applications that use or “touch” the data
  • Data flows - a mapping of individual data flows based on the data and application use
  • Protection controls - a record of the existing data protection controls around the data in scope

Step Two: Perform Assessment

Review, analyze and assess the information gathered in step one to identify threats and vulnerabilities. To accomplish this, many organizations rely on data discovery and classification solutions: tools that scan data repositories and analyze how data is stored, handled and secured against defined assessment policies. If a policy violation is found, it is reported as an incident.

These tools automatically log violations into one detailed report that organizes data based on risk.

Step Three: Mitigate

Once data vulnerabilities are identified and organized by risk, a plan for mitigating them can be developed. This could involve tasks as simple as deleting vulnerable files or as complex as Active Directory remediation.
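The three steps above, as an added example that is not from the article or any vendor's product: a Step One inventory holding the mapped attributes (owner, type, classification, environment, applications, controls), a Step Two assessment that checks each asset against a handful of hypothetical policies, and a single risk-ordered violation report for Step Three to work through. The policy thresholds, severity weights, region list and sample assets are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

@dataclass
class DataAsset:  # one row of the Step One inventory (data & application mapping)
    name: str
    owner: str               # data owner; empty string if none has been assigned
    data_type: str           # e.g. customer contact information, EMR, financial data
    classification: str      # public | internal | confidential | restricted
    environment: str         # region or location where the data resides
    applications: List[str]  # applications that use or "touch" the data
    controls: Set[str]       # existing protection controls recorded in the mapping
    readers: int             # accounts with read access, from the data flow review

# Impact weight by classification: how damaging a compromise of this data would be.
SEVERITY = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}

def assess(assets: List[DataAsset], approved_regions: Set[str]) -> List[Dict]:
    """Step Two: check every asset against the hypothetical policies below and
    return one report of violations ordered by risk = likelihood * impact."""
    findings = []
    for a in assets:
        impact = SEVERITY[a.classification]
        issues = []  # (description, likelihood weight of the policy violation)
        if impact >= 3 and "encryption_at_rest" not in a.controls:
            issues.append(("unencrypted sensitive data", 3))
        if impact >= 3 and a.readers > 50:
            issues.append(("overly broad access", 2))
        if a.environment not in approved_regions:
            issues.append(("data outside approved region", 2))
        if not a.owner:
            issues.append(("no data owner assigned", 1))
        for desc, likelihood in issues:
            findings.append({"asset": a.name, "issue": desc, "risk": likelihood * impact,
                             "owner": a.owner or "UNASSIGNED", "apps": a.applications})
    return sorted(findings, key=lambda f: f["risk"], reverse=True)

# Constructed sample inventory; names, regions and reader counts are illustrative only.
APPROVED_REGIONS = {"us-east", "eu-west"}
INVENTORY = [
    DataAsset("crm_contacts", "Sales Ops", "customer contacts", "confidential", "us-east", ["CRM", "Marketing"], {"encryption_at_rest"}, 120),
    DataAsset("patient_records", "", "EMR/patient information", "restricted", "ap-south", ["EHR"], set(), 10),
    DataAsset("press_releases", "Comms", "marketing copy", "public", "us-east", ["CMS"], set(), 500),
    DataAsset("payroll", "Finance", "financial data", "confidential", "eu-west", ["HRIS"], {"encryption_at_rest", "access_review"}, 8),
]

if __name__ == "__main__":  # Step Three works the list top-down, highest risk first
    for f in assess(INVENTORY, APPROVED_REGIONS):
        print(f"risk={f['risk']:>2}  {f['asset']:<16} {f['issue']:<30} owner={f['owner']}")
```

Running the script prints the report in the order a remediation plan would address it: the unowned, unencrypted patient records in an unapproved region come first, the public press releases generate no findings at all because the policies key off classification.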