Data Assessment
Summary
This component allows the auditor to identify what sensitive data exists for the organization, where it is stored, and how it is transferred.
Purpose
Sensitive files are often stored across multiple devices with different levels of security. A data assessment allows the auditor to recommend secure storage solutions which best meet the organizations risk assessment and workflow needs. While the auditor has insight on some of this based on the Network Access and Network Mapping work, cross-staff understanding and agreement on what constitutes sensitive data will support later organizational change.
An adversary who obtains a laptop, workstation, or backup drive will be able to read or modify sensitive information on the device, even if that staff member has set a strong account password. This applies to threats involving loss, theft, and confiscation, but also to "checkpoint" scenarios in which they may only have access for a few minutes. Furthermore, in the event of a burglary or office raid, an adversary could obtain all sensitive information on the organization's devices, possibly even undetected.
The Flow Of Information
Guiding Questions
- What are the most important data sets to keep available? Are there backups?
- What are the most important data sets to keep private?
- How does the organization currently determine who should have access to data?
- Is there currently anyone who has access to data who should not?
- Does the staff agree on what constitutes sensitive data?
- What data does each staff member need to be able to access in order to do their job?
Approaches
- Data Mapping Activity: Have staff identify where that data is currently (what devices/physical locations), who has access (physical, login, permissions), and who needs to have access to get the organizations work completed.
- Risks of Data Lost and Found Activity: Have rank the impact if different data within the organization was lost, and if adversaries gained access to that data.
- Private Data Activity: Guide staff through an activity to have them list private data within the organization 1
If it was not possible to conduct these activities in person, you can conduct them remotely through applying one of the remote facilitation approaches described in the Remote Facilitation appendix.
Outputs
- A map of the staff's understanding of critical organizational data:
- what that data is,
- where it is stored,
- who has access,
- who needs access.
Operational Security
- Ensure that any physical notes/drawings are erased and destroyed once digitally recorded.
- Ensure that any digital recordings of this process are kept secure and encrypted.
- Consider who has physical and visual access to the room where this process takes place, and if the room can be secured if this activity may span long/overnight breaks.
Preparation
- Facilitation skills or experience is useful for these exercises
- Carefully review the exercises you plan to use
Resources
Activity: "Backup Matrix: Creating an Information Map" (LevelUp)
Activity: "Identifying and prioritizing your organization’s
information types " (NISTIR 7621)Guide: "Data Risk Checker: Categorizing harm levels on knowledge assets to inform mitigation and protection" (Responsible Data Forum wiki)
Guide: "Awareness and Training" (Information Security Handbook: A Guide for Managers - NIST 800-100)
Guide: "Managing Information Security Risk: Organization, Mission, and Information System View" (NIST 800-39)
Guide: "Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)" (NIST 800-122)
Activities
undefined
