The list of potential threats to data security and protection doesn’t get shorter. Technology evolves rapidly, and this includes malicious technology. Malware of all forms, including viruses, ransomware, adware and hijackers, is now more advanced than ever and poses a greater risk. To begin negating this risk, it must first be identified and quantified. This kind of risk assessment follows the three-step process outlined below.
1. Analysis of Data Assets
Many complicated risk assessment processes split this step into three separate ones. However, those three sub-steps all move towards the single goal of understanding what data is at risk. The three sub-steps are:
- Identification – This involves taking a deep look into the types of data the enterprise collects and stores, such as customer information, payment data and transaction records: all of the data that the company needs to store, access and use to operate. Once a list has been made, it should be prioritized by data value.
- Location – Now that a prioritized list of data assets has been made, it is time to locate each data silo. Possible locations could include cloud services, in-house servers, user desktop, mobile device, etc.
- Classification – Taking the list and information created so far, it is time to start classifying the actual threat level to each data silo. This means slotting each data silo into a category such as: public, internal (but not secret), sensitive internal, compartmentalized internal, and regulated. Each category has a specific number attached, from 1 through to 5.
2. Cause and Effect – What is the Worst Case?
Now that potentially vulnerable data silos have been identified, classified and prioritized, it is time to uncover just how big a threat is faced. This means running a theoretical worst-case attack against the highest-priority, most critical data.
This may sound complicated, but in fact, Microsoft has developed a very simple hypothetical framework for performing this step of the risk assessment. Its acronym is STRIDE, and this stands for:
- Spoofing of Identity
- Tampering with Data
- Repudiation of Transactions
- Information Disclosure
- Denial of Service
- Elevation of Privilege
These are the most common, damaging forms of cyber-attacks. Simply take each data silo on the list and give it a score of 1-10 against each of the STRIDE components, with 1 being the least likely and 10 being the most likely. Also, give each a rating for how serious the effect of a data breach would be, again from 1-10, with 1 being minimal impact and 10 being entirely catastrophic to business continuity. Multiply the two numbers to assign an overall threat rating. Note the word threat, not risk.
3. Do the Math and Make a Plan to Address the Risk Assessment
Now to uncover the actual risks. Taking the information gathered above, it is time to do a little math to discover which data silos carry the greatest risk, and could cause the most damage to the enterprise if breached.
This is again very easy to do. Take the two numbers generated from the previous steps, the classification number and the threat level, and multiply them. For example, if we have a data silo with a classification of 5 (regulated) and a threat level of 100, we end up with a risk factor of 1000, as high as they come.
Do this for each data silo on the list, and then sort it by threat level from highest to lowest. The result is a list of the highest-risk data silos, which should receive greater levels of protection than lower-risk ones.