Page 1: Slide Heading

Data Security Risk Assessment

David Fanson, CISA, MBA
Practice Director, Technology Risk

Titus
December 12, 2012

Page 2: Slide Heading

Introductions

• David Fanson, CISA, MBA
  – Director of Tech Risk Practice at Titus
  – IT professional for 15 years
  – Specializing in IT risk management
  – Accenture (Andersen Consulting), PwC, Fortune 500 Telco
  – System Development, Strategic Planning, and Risk Management

• Titus
  – Wisconsin based national consulting firm founded in 2000
  – Risk Management, Finance, Recruiting, and Energy
  – Multi-year winner of Southeastern Wisconsin’s “Future 50”
  – Winner of Inc. Magazine’s list of fastest growing companies in the US
  – Independent and employee owned

Page 3: Slide Heading

Agenda

Data Security Program

Risk Assessment Process Overview

Data Security Impact and Likelihood

Collaborative Exercise

Parting Thoughts and Discussion

Page 4: Slide Heading

Data Security Program – Key Ingredients

• Data Classification - Management knows what data they have and has rules for managing it.

• Data Mapping – Management knows where their data is and how it moves.

• Control Programs – Management has a risk & control program in place to protect their data.

• Preparedness – Management is prepared for data breaches with security, legal, and public relations programs.

Page 5: Slide Heading

Recent Example from NASA

“NASA told its staff this week that a laptop containing sensitive personal information for a large number of employees and contractors was stolen two weeks ago from a locked vehicle.

Although the laptop was password protected, the information had not been encrypted, which could give skilled hackers full access to the contents.

…And as recently as March, the company reported a breach that was also caused by a stolen laptop.”

-New York Times, November 14, 2012

Page 6: Slide Heading

Risk Assessment - Objectives

• Help management achieve organization objectives
  • Risk management activities should be tied to strategic objectives
  • Risk Assessments are then tied to Risk Management Objectives

• Focus risk management activities on the highest risk areas

• Improve the effectiveness of audits
  • Audit activity should focus on the highest risk areas in the organization

Page 7: Slide Heading

Risk Assessment – Key Ingredients

• Risk Universe
  • Spectrum of risk areas across an organization, function, or process
  • Example: an IT Department risk universe could include:
    • Application Management
    • Data Management
    • Infrastructure
    • Resource Management

• The risk profiles of the areas in the Risk Universe are compared to each other, scored, and ranked

Page 8: Slide Heading

Risk Assessment – Key Equation

Impact - What happens to your organization in the event of a risk being realized.

Likelihood - The probability that a risk will be realized.

Impact × Likelihood = Risk

Page 9: Slide Heading

Risk Assessment – Impact

• Impact Analysis
  • Each area in the Risk Universe is evaluated for impact to the organization should the risk be realized.
  • Impact is determined by analyzing different Impact Factors.

• Types of Impact Factors
  • Strategic Impact
  • Financial Impact
  • Operational Impact
  • Legal
  • Reputation, etc.

Page 10: Slide Heading

Risk Assessment – Likelihood

• Likelihood Analysis
  • Each area in the Risk Universe is evaluated for the likelihood that the risk will be realized.
  • Likelihood is determined by analyzing different Likelihood Factors.

• Example Likelihood Factors
  • Prior Findings
  • Monitoring
  • Complexity
  • Customization
  • Frequency of Change

Page 11: Slide Heading

Risk Assessment – Scoring/Ranking

Risk Universe     | Impact | Likelihood | Score | Rank
ERP Application   |        |            |       |
Custom App        |        |            |       |
Oracle Database   |        |            |       |
Unix              |        |            |       |
Active Directory  |        |            |       |

(Cell values on the original slide: Impact and Likelihood rated High, Medium, or Low; scores of 10, 8, 7, 5, and 2; ranks 1 through 5. The row-by-row assignment of these values did not survive extraction.)

Impact × Likelihood = Risk

Page 12: Slide Heading

Data Security Risk Assessment

• Data Security Risk Universe

What does the Data Security Risk Universe look like?

Page 13: Slide Heading

Data Security Risk Assessment

• Data Security Risk Universe
  • Two Primary Drivers of Data Security Risk
    • Type of data
      • Which would have a higher impact to an organization if it gets leaked to the public?
        • Earnings
        • Organizational Chart
    • Location of data
      • Which data location is more likely to cause a data leak?
        • Earnings data on a database behind a firewall
        • Earnings data on a flash drive in the controller’s pocket?

Page 14: Slide Heading

Data Security Risk Assessment

• Data Security Risk Universe
  • We need to conduct two risk assessments

1. Data Types
   • What types of data does an organization have?
   • Has the organization classified its data?
   • Is all data equal or is some higher risk than others?

2. Data Locations
   • Where does data reside in an organization?
   • Does management know where all its data is?
   • Where could data reside in an organization?

Page 15: Slide Heading

Data Type Risk Assessment

• Data Type Risk Universe
  • Consider the different types of data in your organization
  • Data can be thought of by business process
    • Revenue, Payroll, Purchasing, Manufacturing
  • Data can be thought of as Structured vs. Unstructured

• Data Type Impact Factors
  • What questions can we ask to determine the impact different data types can have?
  • Let’s begin building a Data Type Risk Assessment!

Page 16: Slide Heading

Data Location Risk Assessment

• Data Location Risk Universe
  • Consider the different locations data could be in your organization
  • Is data always electronic?
  • Does data stay still or is it on the move?

• Data Location Likelihood Factors
  • What questions can we ask to determine the likelihood that a data location could cause a data breach?
  • Let’s begin building a Data Location Risk Assessment!

Page 17: Slide Heading

Pulling Type and Location Together

• The Impact of a data security breach is driven by the type of data it is.

• The Likelihood of a data security breach is driven by where the data is.

• What insights do we get when we combine the impact of a type of data with the likelihood of its location?

• Let’s find out!
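The scoring and ranking of the IT risk universe (Page 11) and the combination of data type impact with data location likelihood on this slide can be carried out mechanically once a rating scale is fixed. The Python below is an added example, not code from the original deck or from Titus. The 1-to-3 scale (Low, Medium, High), the product Impact × Likelihood as the scoring rule, the competition-style handling of tied scores, and every rating in the sample data (the five IT areas, the two data types, the two locations) are assumptions chosen for illustration; the slide’s own scale and cell values are not reproduced. The same ranking function serves both passages: a plain risk universe, and the cross product of types and locations.

```python
"""Impact x Likelihood scoring and ranking of a risk universe.

Added example, not the slide deck's own code. The numeric scale, the
product formula, the tie handling and all sample ratings are assumptions.
"""
from itertools import product

# Assumed ordinal scale; the deck gives the equation but no numbers.
RATING = {"Low": 1, "Medium": 2, "High": 3}


def risk_score(impact: str, likelihood: str) -> int:
    """Risk = Impact x Likelihood on the assumed 1..3 scale (result 1..9)."""
    return RATING[impact] * RATING[likelihood]


def rank_universe(universe: dict[str, tuple[str, str]]) -> list[tuple[int, str, int]]:
    """Score each area of a risk universe and rank it against the others.

    universe maps area -> (impact, likelihood). Returns (rank, area, score)
    with the highest risk first. Equal scores share a rank and the following
    rank is skipped (competition ranking), so ties stay visible instead of
    being broken arbitrarily.
    """
    scored = sorted(
        ((area, risk_score(imp, lik)) for area, (imp, lik) in universe.items()),
        key=lambda t: (-t[1], t[0]),  # highest score first, then by name
    )
    ranked: list[tuple[int, str, int]] = []
    for pos, (area, score) in enumerate(scored, start=1):
        rank = ranked[-1][0] if ranked and ranked[-1][2] == score else pos
        ranked.append((rank, area, score))
    return ranked


def combine_type_and_location(
    data_types: dict[str, str], locations: dict[str, str]
) -> list[tuple[int, str, int]]:
    """Cross data types (impact) with data locations (likelihood).

    Every (type, location) pair becomes one entry of a combined risk
    universe: impact comes from the type, likelihood from the location.
    The combined universe is then ranked like any other.
    """
    combined = {
        f"{dtype} @ {loc}": (impact, likelihood)
        for (dtype, impact), (loc, likelihood) in product(data_types.items(), locations.items())
    }
    return rank_universe(combined)


def top_risks(ranked: list[tuple[int, str, int]], n: int) -> list[str]:
    """Areas an audit plan would pick up first: everything ranked n or better."""
    return [area for rank, area, _ in ranked if rank <= n]


# Constructed sample data; these are not the values from the slide.
IT_UNIVERSE = {
    "ERP Application": ("High", "High"),
    "Custom App": ("High", "Medium"),
    "Oracle Database": ("High", "Low"),
    "Unix": ("Medium", "Low"),
    "Active Directory": ("Medium", "Medium"),
}
DATA_TYPES = {"Earnings": "High", "Organizational Chart": "Low"}
LOCATIONS = {
    "Database behind firewall": "Low",
    "Flash drive in controller's pocket": "High",
}

if __name__ == "__main__":
    for row in rank_universe(IT_UNIVERSE):
        print(row)
    for row in combine_type_and_location(DATA_TYPES, LOCATIONS):
        print(row)
```

With the sample data the combined view puts earnings data on the flash drive alone at rank 1, while earnings in the firewalled database and the organizational chart on the flash drive tie at rank 2: a high-impact type in a low-likelihood location and a low-impact type in a high-likelihood location score the same, which is exactly the kind of result that should prompt a second look at the scale rather than be buried by arbitrary tie-breaking.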

Page 18: Slide Heading

Insights From This Exercise

• What insights would a data security manager gain from a risk ranked list of data types?

• What insights can be drawn from the data location exercise?

• How can the combining of data type and location assessment impact an audit plan?

Page 19: Slide Heading

Insights From This Exercise

• Has this exercise addressed our objectives?
  • Help management achieve organization objectives
  • Focus risk management activities on the highest risk areas
  • Improve the effectiveness of audits

• Can this exercise contribute to an organization’s Data Security Program?
  • Data Classification – Building the Data Type Universe
  • Data Mapping – Building the Data Location Universe
  • Control Programs – Data Location Risk Assessment
  • Preparedness – Data Type Risk Assessment

Page 20: Slide Heading

In Summary

• An effective data security program must be able to:
  1. Identify, classify, and prioritize its data.
  2. Map its data to specific locations and quantify the risks associated with those locations.
  3. Build control programs to safeguard its data, wherever it is.
  4. Be prepared for a data breach if and when it happens.

• A Data Security Risk Assessment helps by:
  1. Building a data type universe that can be classified and prioritized.
  2. Driving risk management of hardware, devices and networks.
  3. Identifying the high risk areas for control and monitoring programs.
  4. Facilitating the analysis and planning for emergency response.

Page 21: Slide Heading

Questions?
Closing comments

Happy Holidays!

David Fanson, CISA, MBA
Practice Director, Technology Risk

Titus
608-556-0906

[email protected]