Mitigate Threats with Data Risk Assessments

Data Privacy Challenges Abound

Since the introduction of the General Data Protection Regulation (GDPR) in 2018, dozens of countries have followed suit such as Australia, Brazil, and South Korea as well as various states in the U.S. such as California. In fact, some experts predict that 65% of the world’s population will have its personal information covered under a privacy regulation by 2023. 

Though the rapidly accelerating privacy regulations and their associated regulatory burdens are certainly a top concern for the c-suite, this is far from the only data privacy-related risk organizations are facing. 

Since 2011, the number of reported data breaches in the U.S. has doubled. In 2020 alone, data security solution provider Varonis confirmed 3,950 data breaches across the globe, some of which resulted in the exposure of hundreds of millions of customer records. 

High profile cyber attacks such as SolarWinds and Colonial Pipeline incidents along with emerging conversations surrounding the ethical use of Artificial Intelligence (AI) have increased public scrutiny on data usage and privacy. In fact, a Consumer Reports study found that 74% of U.S. consumers are concerned about personal data privacy with 96% saying companies should do more to protect customer privacy.

However, before an organization can re-engineer its approach to data privacy, it must first understand its current state. This is where the data risk assessment (DRA) come in. 

The Data Risk Assessment (DRA) 

Similar to cybersecurity risk assessments, a data risk assessment (DRA) is a systemized approach to uncovering where your sensitive data is, who has access to it and what changes are happening around it.

The goal of a DRA is to:

  • Calculate the risk in holding personally identifiable information (PII)
  • Determine readiness to comply with applicable legal, regulatory and policy requirements for privacy
  • Ensure compliance to applicable legal, regulatory and policy requirements for privacy
  • Gain a baseline for organizational risk for future assessments 
  • Identify and mitigate vulnerabilities the could lead to data exposure or breach
  • If well-defined key performance and risk indicators are uses, DARs can be used to communicate the value proposition of increased data security

Data risk assessments typically require 3 steps. 

Step One: Data & Application Mapping

This involves mapping an enterprise’s complete data footprint. Key areas that should be investigated and defined during this process are:

  • Data Owners – the individual or team responsible for the data in a particular data domain
  • Data Types and Attributes – Characteristics or features of a data object. For example, employee data, EMR/Patient information, customer contact information, financial data
  • Data Classification – level of sensitivity and the impact should that information be compromised, modified or accessed without proper authorization and authentication.
  • Data environment – Individual locations or regions where the data resides
  • Applications – a list of what applications use or “touch” data 
  • Data flows – the mapping of individual data flows based on the data and application use
  • Protection controls – a record of existing data protection controls around the data in scope

Step Two: Perform Assessment

Review, analyze and assess the information gathered in step one to identify threats and vulnerabilities. In order to accomplish these objectives, many organizations rely on data discovery and classification solutions – tools that scan data repositories and analyze how data  is stored/handled/secured against defined assessment policies. If a policy violation is found, an incident violation is reported.

These tools automatically log violations into one detailed report that organizes data based on risk.

Step 3: Mitigate

Once data vulnerabilities are identified and organized based on risk, a game plan for mitigating these vulnerabilities can be developed. This could involve tasks as simple as deleting vulnerable files or as complex as active directory remediation. 

Leave a Reply