Personally Identifiable Information | Data Classification Policy | Managing University Data | Data Classification Guidelines | System Risk Analysis | In accordance with policy IT-19, Institutional Data Access, Business Owners (as defined in IT-16, Roles and Responsibilities for Information Security Policy) will assess institutional risks and threats to the data for which they are responsible. This risk analysis is then used by Business Owners to classify systems (endpoints, servers, applications) into one of three risk categories:
Risk Analysis must take into consideration the sensitivity of data processed and stored by the system, as well as the likelihood and impact of potential threat events. We use a simple methodology to translate these probabilities into risk levels and an overall system risk level. Threat Event AssessmentRisk assessment is the compilation of risks associated with various potential threat events. A "threat event" is any event which may cause a loss of confidentiality, integrity, or availability of the system and the data it stores and/or processes. Although there may be hundreds of potential threat events related to a system, they can be generally organized into three main categories:
These threat event categories can then be used to calculate their associated risk level, as well as the overall risk of the system: Calculating Risk LevelsRisk levels are calculated as the product of the LIKELIHOOD and IMPACT (to the University) of a potential threat event / threat event category: For example, a threat event where the likelihood is "unlikely" and the impact is "moderate" equals an assessed risk of "Moderate": As a general rule, networked systems that process data protected by federal or state regulation (HIPAA, FERPA, FISMA, ITAR, et. al.) or industry standards (PCI-DSS) are considered high-risk systems. This is because the likelihood of compromise is (at a minimum) possible, while the impact (due to regulatory or industry standard violation) is considered a severe loss of confidentiality. The risk level for each threat event category is then calculated. The overall risk level for the system is equal to the HIGHEST risk level for any risk event. For example: Because one of the risk events was rated as "High Risk", the overall risk level for the system is High. Additional ExamplesEndpoints Servers Applications
Information security risk management, or ISRM, is the process of managing risks associated with the use of information technology. It involves identifying, assessing, and treating risks to the confidentiality, integrity, and availability of an organization’s assets. The end goal of this process is to treat risks in accordance with an organization’s overall risk tolerance. Businesses shouldn’t expect to eliminate all risks; rather, they should seek to identify and achieve an acceptable risk level for their organization.
Identification
Assessment Risk = (threat x vulnerability (exploit likelihood x exploit impact) x asset value ) - security controls Note: this is a very simplified formula analogy. Calculating probabilistic risks is not nearly this straightforward, much to everyone’s dismay. Treatment
Communication Rinse and Repeat Ownership:There are many stakeholders in the ISRM process, and each of them have different responsibilities. Defining the various roles in this process, and the responsibilities tied to each role, is a critical step to ensuring this process goes smoothly. Process Owners: At a high level, an organization might have a finance team or audit team that owns their Enterprise Risk Management (ERM) program, while an Information Security or Information Assurance team will own ISRM program, which feeds into ERM. Members of this ISRM team need to be in the field, continually driving the process forward. Risk Owners: Individual risks should be owned by the members of an organization who end up using their budget to pay for fixing the problem. In other words, risk owners are accountable for ensuring risks are treated accordingly. If you approve the budget, you own the risk. In addition to risk owners, there will also be other types of stakeholders who are either impacted by, or involved in implementing, the selected treatment plan, such as system administrators/engineers, system users, etc. Here’s an example: Your information security team (process owner) is driving the ISRM process forward. A risk to the availability of your company’s customer relationship management (CRM) system is identified, and together with your head of IT (the CRM system owner) and the individual in IT who manages this system on a day-to-day basis (CRM system admin), your process owners gather the information necessary to assess the risk. Assuming your CRM software is in place to enable the sales department at your company, and the data in your CRM software becoming unavailable would ultimately impact sales, then your sales department head (i.e. chief sales officer) is likely going to be the risk owner. The risk owner is responsible for deciding on implementing the different treatment plans offered by the information security team, system administrators, system owners, etc. and accepting any remaining risk; however, your system owner and system admin will likely be involved once again when it comes time to implement the treatment plan. System users—the salespeople who use the CRM software on a daily basis—are also stakeholders in this process, as they may be impacted by any given treatment plan. Managing risk is an ongoing task, and its success will come down to how well risks are assessed, plans are communicated, and roles are upheld. Identifying the critical people, processes, and technology to help address the steps above will create a solid foundation for a risk management strategy and program in your organization, which can be developed further over time.
Compliance and Regulatory Frameworks |