Cybersecurity Risk Assessment Funnel Process

Part #3 POLICY

Introduction

People are an important asset in the risk assessment process funnel. However, these people will not join you because it’s fun; they’ll only do it if it’s required.

Everyone, from business analysts, data owners and application owners to data entry staff, is overworked and overburdened in most organizations. This is often because the business has grown faster than its employee resources.

That means no one is going to be warm and welcoming to the idea of calling you and filling out your forms.

Policy in building a cybersecurity risk assessment process funnel

You need a policy, because people are not going to do something you ‘want’ them to do; they will do something that is ‘required’. In fact, 23% of organizations have no formal compliance training plan, meaning behaviors aren’t being shaped by what’s mandatory; they’re left to chance.

This policy, approved by executive leadership, is the statement that ‘thou shalt do your part in this risk assessment’.

Identifying risks to the business from vendor applications and external data sharing is critical. Your work here matters, but most people don’t understand that, and you shouldn’t expect them to.

Data Classification Policy

The best policy to create is a Data Classification Policy. The goal of the data classification policy is to define and classify the different data types that exist within your business.

1. Data Types

The heart of a data classification policy is the set of data classifications you want to use as an organization.

[Image: data types in the risk assessment funnel process]

This frequently includes:

  • Public – Can be used by anyone in the company and can be shared externally.
  • Internal – Can be used by anyone in the company, but needs approval before being shared externally.
  • Sensitive – Important records that need to be labeled and stored in specific locations and should not be shared outside specific company groups and departments.
  • Confidential – The most highly regarded data; it should be accessed only by the individuals who require it, and the highest level of security protection should be applied.

2. Data Labels

Next, start populating the data labels with the specific types of data your organization works with that correspond to those definitions.

[Image: data labels in the risk assessment funnel process]

Examples might include:

  • employee HR data
  • health care data
  • intellectual property
  • client data

Assign each of these data labels to one of the classifications defined in step 1.

Start with what you know. This process can feel overwhelming. It’s normal not to be able to classify all your company’s data at one time; it will take time. Just publishing this policy will start to change the company’s culture: people will begin thinking about the types of data they work with.

3. Statements

Finally, once you have your data labels and your data types, you can make policy statements that define the what, who, how, and where of the policy.

[Image: data statements in the risk assessment funnel]

What statements do you want to make about ‘restricted’ data? Statements like:

  • All systems storing, processing, or transmitting ‘Restricted’ data are required to complete the cybersecurity risk assessment process.
  • All ‘Restricted’ data requires access authorization by the business owner, reviewed quarterly according to the entitlement process.
  • All ‘Restricted’ data is prohibited from being shared with vendors, partners, contractors, or consultants without prior documented approval.
  • All ‘Restricted’ data must be encrypted in storage according to the company’s ‘encryption policy’.

If you’re ready to take on more, you can continue these policy statements for each data classification type. Another option is a waterfall approach: start by stating how ‘Public’ data can be managed, then define policy statements for ‘Internal’ data, whose first statement is that it inherits all the ‘Public’ data requirements.

4. Classifying Data

Classifying data is like a dance. You’ll have a dance partner (the BA) and you need to lead. You need to take them by the hand and show them what you’re trying to do. Practically, this means showing them the different classification categories and explaining how each one is defined.

[Image: classifying data in the risk assessment funnel]

Then provide an example or two of data types that would fit into each category, and let them come up with some ideas. Ask if they can think of any data that should be assigned to a category. Give them time. Be quiet. Don’t fear the silence. Wait for them to respond and start providing ideas. The first one is the hardest; after that they seem to flow easily.

Take notes on the valuable information they share about data types and repeat back what they said. Thank them for contributing, then start your risk process by questioning which categories the data should be in. Challenge the categorization, but do it respectfully, in a way that acts as a catalyst for a risk discussion with the BA, because as you do this something greater is happening: you’re educating them about risk.

As mentioned above, you can state where classified data can be used. With the prevalence of cloud computing, I have found it helpful to create a hosting platform matrix like the one below.

Finally, if your business is large enough to develop its own private cloud, your policy can add another level defining which data classifications can be hosted on which platforms, and by which group.
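The three pieces described above (classification levels, data labels assigned to them, and waterfall policy statements that inherit downward, plus the hosting platform matrix) can be written down as policy-as-data so that a system intake can be checked mechanically. The following is an added example, not code from the article or its author. The level names and the example data labels come from the article; the label-to-classification assignments, the control names, the decision to attach the article’s ‘Restricted’ statements to the highest level (‘Confidential’), and the hosting matrix are constructed assumptions for illustration.

```python
"""Added example: a small policy-as-data model of a data classification policy.

Level names and example data labels follow the article above. The label
assignments, control names and hosting matrix are constructed assumptions.
"""
from dataclasses import dataclass

# Classification levels, lowest to highest (section 1 of the article).
LEVELS = ("Public", "Internal", "Sensitive", "Confidential")

# Waterfall approach: each level adds controls on top of everything required
# of the levels beneath it. Control wording is constructed from the article's
# definitions and its 'Restricted' statements, which are assumed here to
# apply to the highest level, 'Confidential'.
ADDED_CONTROLS = {
    "Public": (),
    "Internal": ("approval before external sharing",),
    "Sensitive": ("labeled and stored in designated locations",
                  "sharing limited to approved groups and departments"),
    "Confidential": ("cybersecurity risk assessment completed",
                     "business-owner access authorization, reviewed quarterly",
                     "documented approval before sharing with vendors, partners, "
                     "contractors, or consultants",
                     "encrypted at rest per the encryption policy"),
}

# Section 2: data labels assigned to classifications. The first four labels
# are the article's examples; all of the assignments are constructed.
LABEL_CLASSIFICATION = {
    "employee HR data": "Confidential",
    "health care data": "Confidential",
    "intellectual property": "Sensitive",
    "client data": "Sensitive",
    "org chart": "Internal",
    "press release": "Public",
}

# Constructed hosting platform matrix: the highest classification each
# platform may host (the article's own matrix is an image not reproduced here).
HOSTING_CEILING = {
    "public SaaS": "Internal",
    "private cloud": "Sensitive",
    "on-premises data center": "Confidential",
}


def rank(level: str) -> int:
    """Position of a level in the ordering; raises ValueError on unknown levels."""
    return LEVELS.index(level)


def required_controls(level: str) -> tuple:
    """All controls for a level, including those inherited from lower levels."""
    controls = []
    for lower in LEVELS[: rank(level) + 1]:
        controls.extend(ADDED_CONTROLS[lower])
    return tuple(controls)


def classify_system(labels) -> str:
    """High-water mark: a system is classified at the highest level of any data it handles."""
    if not labels:
        return "Public"  # Assumption: a system handling no classified data defaults to Public.
    unknown = [label for label in labels if label not in LABEL_CLASSIFICATION]
    if unknown:
        # Unclassified data is a policy gap to surface, not a reason to guess low.
        raise ValueError(f"unclassified data labels: {unknown}")
    return max((LABEL_CLASSIFICATION[label] for label in labels), key=rank)


def hosting_allowed(platform: str, level: str) -> bool:
    """True when the platform's ceiling is at or above the system's classification."""
    return rank(level) <= rank(HOSTING_CEILING[platform])


@dataclass(frozen=True)
class Assessment:
    classification: str
    needs_risk_assessment: bool
    controls: tuple
    hosting_ok: bool


def assess(labels, platform: str) -> Assessment:
    """Evaluate one system intake (its data labels and proposed platform) against the policy."""
    level = classify_system(labels)
    controls = required_controls(level)
    return Assessment(
        classification=level,
        needs_risk_assessment="cybersecurity risk assessment completed" in controls,
        controls=controls,
        hosting_ok=hosting_allowed(platform, level),
    )


if __name__ == "__main__":
    # Constructed intake: an HR application proposed for a public SaaS platform.
    result = assess(["employee HR data", "org chart"], "public SaaS")
    print(result.classification, result.needs_risk_assessment, result.hosting_ok)
    for control in result.controls:
        print(" -", control)
```

Two design choices matter here. The high-water-mark rule means one ‘Confidential’ label pulls the whole system into the risk assessment process, which is exactly what the first ‘Restricted’ statement above asks for; and an unclassified label raises instead of silently defaulting, so gaps in step 2 show up at intake rather than after deployment.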

Summary

Policy is one of the first steps in creating a successful cybersecurity risk assessment process.

A data classification policy is an ideal policy for aligning risk priorities with your risk assessment processes. One of the greatest risk reduction initiatives you can undertake is keeping your pulse on the movement of classified information in and out of the organization.

Join us in the next article in the cybersecurity risk assessment series, where we will discuss developing security standards. These standards create a baseline of expectations and will help you finish more assessments in less time.
