Data Security Risk Assessment

David Fanson, CISA, MBA
Practice Director, Technology Risk
Titus
December 12, 2012

Introductions

• Titus
  – Wisconsin-based national consulting firm founded in 2000
  – Risk Management, Finance, Recruiting, and Energy
  – Multi-year winner of Southeastern Wisconsin's "Future 50"
  – Winner of Inc. Magazine's list of fastest growing companies in the US
  – Independent and employee owned

• David Fanson, CISA, MBA
  – Director of Tech Risk Practice at Titus
  – IT professional for 15 years
  – Specializing in IT risk management
  – Accenture (Andersen Consulting), PwC, Fortune 500 Telco
  – System development, strategic planning, and risk management

Agenda

• Data Security Program
• Risk Assessment Process Overview
• Data Security Impact and Likelihood
• Collaborative Exercise
• Parting Thoughts and Discussion

Data Security Program – Key Ingredients

• Data Classification – Management knows what data they have and has rules for managing it.
• Data Mapping – Management knows where their data is and how it moves.
• Control Programs – Management has a risk & control program in place to protect their data.
• Preparedness – Management is prepared for data breaches with security, legal, and public relations programs.

Recent Example from NASA

"NASA told its staff this week that a laptop containing sensitive personal information for a large number of employees and contractors was stolen two weeks ago from a locked vehicle. Although the laptop was password protected, the information had not been encrypted, which could give skilled hackers full access to the contents.
…And as recently as March, the company reported a breach that was also caused by a stolen laptop."
– New York Times, November 14, 2012

Risk Assessment – Objectives

• Help management achieve organization objectives
  • Risk management activities should be tied to strategic objectives
  • Risk assessments are then tied to risk management objectives
• Focus risk management activities on the highest risk areas.
• Improve the effectiveness of audits
  • Audit activity should focus on the highest risk areas in the organization

Risk Assessment – Key Ingredients

• Risk Universe
  • Spectrum of risk areas across an organization, function, or process
  • Example: an IT Department risk universe could include:
    • Application Management
    • Data Management
    • Infrastructure
    • Resource Management
• The risk profile of each area in the Risk Universe will be compared to the others, scored, and ranked

Risk Assessment – Key Equation

Impact × Likelihood = Risk

Impact – What happens to your organization in the event of a risk being realized.
Likelihood – The probability that a risk will be realized.

Risk Assessment – Impact

• Impact Analysis
  • Each area in the Risk Universe is evaluated for the impact to the organization should the risk be realized.
  • Impact is determined by analyzing different impact factors.
• Types of Impact Factors
  • Strategic Impact
  • Financial Impact
  • Operational Impact
  • Legal
  • Reputation
  • etc.

Risk Assessment – Likelihood

• Likelihood Analysis
  • Each area in the Risk Universe is evaluated for the likelihood that the risk will be realized.
  • Likelihood is determined by analyzing different likelihood factors.
• Example Likelihood Factors
  • Prior Findings
  • Monitoring
  • Complexity
  • Customization
  • Frequency of Change

Risk Assessment – Scoring/Ranking

Impact × Likelihood = Risk

Risk Universe        Impact   Likelihood   Score   Rank
ERP Application      High     High         10      1
Custom App           Medium   High         7       3
Oracle Database      High     Low          5       4
Unix                 High     Medium       8       2
Active Directory     Low      Low          2       5

Data Security Risk Assessment

• Data Security Risk Universe
  • What does the Data Security Risk Universe look like?

Data Security Risk Assessment

• Data Security Risk Universe
  • Two primary drivers of data security risk
    • Type of data
      • Which would have a higher impact to an organization if it gets leaked to the public?
        • Earnings
        • Organizational chart
    • Location of data
      • Which data location is more likely to cause a data leak?
        • Earnings data on a database behind a firewall
        • Earnings data on a flash drive in the controller's pocket?

Data Security Risk Assessment

• Data Security Risk Universe
  • We need to conduct two risk assessments
    1. Data Types
      • What types of data does an organization have?
      • Has the organization classified its data?
      • Is all data equal, or is some higher risk than others?
    2. Data Locations
      • Where does data reside in an organization?
      • Does management know where all its data is?
      • Where could data reside in an organization?

Data Type Risk Assessment

• Data Type Risk Universe
  • Consider the different types of data in your organization
    • Data can be thought of by business process
      • Revenue, Payroll, Purchasing, Manufacturing
    • Data can be thought of as Structured vs. Unstructured
• Data Type Impact Factors
  • What questions can we ask to determine the impact different data types can have?
• Let's begin building a Data Type Risk Assessment!

Data Location Risk Assessment

• Data Location Risk Universe
  • Consider the different locations data could be in your organization
    • Is data always electronic?
    • Does data stay still, or is it on the move?
• Data Location Likelihood Factors
  • What questions can we ask to determine the likelihood that a data location could cause a data breach?
• Let's begin building a Data Location Risk Assessment!

Pulling Type and Location Together

• The Impact of a data security breach is driven by the type of data it is.
• The Likelihood of a data security breach is driven by where the data is.
• What insights do we get when we combine the impact of a type of data with the likelihood of its location?
• Let's find out!

Insights From This Exercise

• What insights would a data security manager gain from a risk-ranked list of data types?
• What insights can be drawn from the data location exercise?
• How can combining the data type and location assessments impact an audit plan?

Insights From This Exercise

• Has this exercise addressed our objectives?
  • Help management achieve organization objectives
  • Focus risk management activities on the highest risk areas.
  • Improve the effectiveness of audits
• Can this exercise contribute to an organization's Data Security Program?
  • Data Classification – Building the Data Type Universe
  • Data Mapping – Building the Data Location Universe
  • Control Programs – Data Location Risk Assessment
  • Preparedness – Data Type Risk Assessment

In Summary

• An effective data security program must be able to:
  1. Identify, classify, and prioritize its data.
  2. Map its data to specific locations and quantify the risks associated with those locations.
  3. Build control programs to safeguard its data, wherever it is.
  4. Be prepared for a data breach if and when it happens.
• A Data Security Risk Assessment helps by:
  1. Building a data type universe that can be classified and prioritized.
  2. Driving risk management of hardware, devices and networks.
  3. Identifying the high-risk areas for control and monitoring programs.
  4. Facilitating the analysis and planning for emergency response.

Questions?

Closing comments

Happy Holidays!
David Fanson, CISA, MBA, Practice Director, Technology Risk Titus 608-556-0906 david.fanson@titus-us.com
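The scoring/ranking slide and the "Pulling Type and Location Together" exercise describe a procedure but show no numbers behind the High/Medium/Low labels. The script below is an added example, not part of the deck, that carries the procedure through: it assumes an ordinal 1–3 scale per factor, averages the impact factors of each data type and the likelihood factors of each location, ranks each universe, and then ranks every type × location pair by Impact × Likelihood. All data-type and location ratings are constructed for illustration.

```python
from itertools import product

# Assumed ordinal scale for factor ratings (the deck shows labels only).
SCALE = {"Low": 1, "Medium": 2, "High": 3}

# Constructed data-type universe rated on the deck's impact factors.
DATA_TYPES = {
    "Earnings":  {"Strategic": "High", "Financial": "High", "Legal": "High", "Reputation": "High"},
    "Payroll":   {"Strategic": "Low", "Financial": "Medium", "Legal": "High", "Reputation": "Medium"},
    "Org Chart": {"Strategic": "Low", "Financial": "Low", "Legal": "Low", "Reputation": "Low"},
}

# Constructed data-location universe rated on the deck's likelihood factors.
# Each factor is rated for how much it RAISES likelihood, so "Monitoring gaps:
# High" means weak monitoring and "Prior Findings: High" means many findings.
LOCATIONS = {
    "DB behind firewall": {"Prior Findings": "Low", "Monitoring gaps": "Low",
                           "Complexity": "Medium", "Frequency of Change": "Low"},
    "Unencrypted laptop": {"Prior Findings": "High", "Monitoring gaps": "High",
                           "Complexity": "Low", "Frequency of Change": "Medium"},
    "Flash drive in controller's pocket": {"Prior Findings": "High", "Monitoring gaps": "High",
                                           "Complexity": "Low", "Frequency of Change": "High"},
}


def factor_score(ratings):
    """Average the ordinal ratings of one area's factors (result in 1.0..3.0)."""
    return sum(SCALE[r] for r in ratings.values()) / len(ratings)


def rank(universe):
    """Score every area of a risk universe; return (name, score, rank), highest first."""
    scored = sorted(((n, factor_score(f)) for n, f in universe.items()),
                    key=lambda item: -item[1])
    return [(name, round(score, 2), i + 1) for i, (name, score) in enumerate(scored)]


def combined_risk(types, locations):
    """Rank every (data type, location) pair by Impact x Likelihood."""
    cells = [(t, loc, round(factor_score(tf) * factor_score(lf), 2))
             for (t, tf), (loc, lf) in product(types.items(), locations.items())]
    return sorted(cells, key=lambda c: -c[2])


if __name__ == "__main__":
    print("Data type impact ranking:", rank(DATA_TYPES))
    print("Location likelihood ranking:", rank(LOCATIONS))
    for data_type, location, risk in combined_risk(DATA_TYPES, LOCATIONS):
        print(f"{risk:5.2f}  {data_type:10} on {location}")
```

The combined list is the audit-planning view the exercise asks for: the same earnings data scores 7.5 on the flash drive but 3.75 on the firewalled database.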