This component allows the auditor to identify what sensitive data exists for the organization, where it is stored, and how it is transferred.
Sensitive files are often stored across multiple devices with different levels of security. A data assessment allows the auditor to recommend secure storage solutions which best meet the organizations risk assessment and workflow needs. While the auditor has insight on some of this based on the Network Access and Network Mapping work, cross-staff understanding and agreement on what constitutes sensitive data will support later organizational change.
An adversary who obtains a laptop, workstation, or backup drive will be able to read or modify sensitive information on the device, even if that staff member has set a strong account password. This applies to threats involving loss, theft, and confiscation, but also to "checkpoint" scenarios in which they may only have access for a few minutes. Furthermore, in the event of a burglary or office raid, an adversary could obtain all sensitive information on the organization's devices, possibly even undetected.
If it was not possible to conduct these activities in person, you can conduct them remotely through applying one of the remote facilitation approaches described in the Remote Facilitation appendix.
Activity: "Backup Matrix: Creating an Information Map" (LevelUp)
Activity: "Identifying and prioritizing your organization’s
information types " (NISTIR 7621)
Guide: "Data Risk Checker: Categorizing harm levels on knowledge assets to inform mitigation and protection" (Responsible Data Forum wiki)
Guide: "Awareness and Training" (Information Security Handbook: A Guide for Managers - NIST 800-100)
Guide: "Managing Information Security Risk: Organization, Mission, and Information System View" (NIST 800-39)
Guide: "Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)" (NIST 800-122)
undefined