Presentation is loading. Please wait.

Presentation is loading. Please wait.

Slide Heading Data Security Risk Assessment David Fanson, CISA, MBA Practice Director, Technology Risk Titus December 12, 2012.

Published byKarson Pleasants Modified over 10 years ago

Similar presentations

Presentation on theme: "Slide Heading Data Security Risk Assessment David Fanson, CISA, MBA Practice Director, Technology Risk Titus December 12, 2012."— Presentation transcript:

1 Slide Heading Data Security Risk Assessment David Fanson, CISA, MBA Practice Director, Technology Risk Titus December 12, 2012

2 Introductions David Fanson, CISA, MBA –Director of Tech Risk Practice at Titus –IT professional for 15 Years –Specializing in IT Risk management –Accenture (Andersen Consulting), PwC, Fortune 500 Telco –System Development, Strategic Planning, and Risk Management –Wisconsin based national consulting firm founded in 2000 –Risk Management, Finance, Recruiting, and Energy –Multi-year winner of Southeastern Wisconsins Future 50 –Winner of Inc. Magazines List of Fastest Growing companies in the US –Independent and employee owned

3 Agenda Slide Heading Data Security Program Risk Assessment Process Overview Data Security Impact and Likelihood Collaborative Exercise Parting Thoughts and Discussion

4 Data Security Program – Key Ingredients Data Classification - Management knows what data they have and has rules for managing it. Data Mapping – Management knows where their data is and how it moves. Control Programs – Management has a risk & control program in place to protect their data. Preparedness – Management is prepared for data breaches with security, legal, and public relations programs.

5 Recent Example from NASA NASA told its staff this week that a laptop containing sensitive personal information for a large number of employees and contractors was stolen two weeks ago from a locked vehicle. Although the laptop was password protected, the information had not been encrypted, which could give skilled hackers full access to the contents. …And as recently as March, the company reported a breach that was also caused by a stolen laptop. - New York Times, November 14, 2012

6 Risk Assessment - Objectives Help management achieve organization objectives Risk management activities should be tied to strategic objectives Risk Assessments are then tied to Risk Management Objectives Focus risk management activities on highest risk areas. Improve the effectiveness of audits Audit activity should focus on the highest risk areas in the organization

7 Risk Assessment – Key Ingredients Risk Universe Spectrum of risk areas across an organization, function, or process Example: IT Department risk universe could include: Application Management Data Management Infrastructure Resource Management The risk profile of each area in the Risk Universe will be compared to each other, scored, and ranked

8 Risk Assessment – Key Equation Impact - What happens to your organization in the event of a risk being realized. Likelihood - The probability that a risk will be realized. Impact LikelihoodRisk

9 Risk Assessment – Impact Impact Analysis Each area in the Risk Universe is evaluated for impact to the organization should the risk be realized. Impact is determined by analyzing different Impact Factors. Types of Impact Factors Strategic Impact Financial Impact Operational Impact Legal Reputation etc.

10 Risk Assessment – Likelihood Likelihood Analysis Each area in the Risk Universe is evaluated for likelihood the risk be realized. Likelihood is determined by analyzing different likelihood factors. Example Likelihood Factors Prior Findings Monitoring Complexity Customization Frequency of Change

11 Risk Assessment – Scoring/Ranking LikelihoodImpactRisk UniverseScoreRank ERP Application Custom App Oracle Database Unix Active Directory High Medium Low 10 Medium 7 8 5 2 1 2 3 4 5 Impact LikelihoodRisk

12 Data Security Risk Assessment Data Security Risk Universe What does the Data Security Risk Universe look like?

13 Data Security Risk Assessment Data Security Risk Universe Two Primary Drivers of Data Security Risk Type of data Which would have a higher impact to an organization if it gets leaked to the public? Earnings Organizational Chart Location of data Which data location is more likely to cause a data leak? Earnings data on a database behind firewall Earnings data on a flash drive in controllers pocket?

14 Data Security Risk Assessment Data Security Risk Universe We need to conduct two risk assessments 1.Data Types What types of data does an organization have? Has the organization classified its data? Is all data equal or is some higher risk than others? 2.Data Locations Where does data reside in an organization? Does management know where all its data is? Where could data reside in an organization?

15 Data Type Risk Assessment Data Type Risk Universe Consider the different types of data in your organization Data can be thought of by business process Revenue, Payroll, Purchasing, Manufacturing Data can be thought of by Structured vs. Unstructured Data Type Impact Factors What questions can we ask to determine the impact different data types can have? Lets begin building a Data Type Risk Assessment!

16 Data Location Risk Assessment Data Location Risk Universe Consider the different locations data could be in your organization Is data always electronic? Does data stay still or is it on the move? Data Location Likelihood Factors What questions can we ask to determine the likelihood that a data location could cause a data breach? Lets begin building a Data Location Risk Assessment!

17 Pulling Type and Location Together The Impact of a data security breach is driven by the type of data it is. The Likelihood of a data a security breach is driven by where the data is. What insights do we get when we combine the impact of a type of data with the likelihood of its location? Lets find out!

18 Insights From This Exercise What insights would a data security manager gain from a risk ranked list of data types? What insights can be drawn from the data location exercise? How can the combining of data type and location assessment impact an audit plan?

19 Insights From This Exercise Has this exercise addressed our objectives? Help management achieve organization objectives Focus risk management activities on highest risk areas. Improve the effectiveness of audits Can this exercise contribute to an organizations Data Security Program? Data Classification – Building Data Type Universe Data Mapping – Building Data Location Universe Control Programs – Data Location Risk Assessment. Preparedness –. Data Type Risk Assessment

20 In Summary An effective data security program must be able to: 1.Identify, classify, and prioritize its data. 2.Map its data to specific locations and quantify the risks associated with those locations. 3.Build control programs to safeguard its data, wherever it is. 4.Be prepared for a data breach if and when it happens. A Data Security Risk Assessment helps by: 1.Building a data type universe that can be classified and prioritized. 2.Driving risk management of hardware, devices and networks. 3.Identifying the high risk areas control and monitoring programs. 4.Facilitating the analysis and planning for emergency response.

21 Questions? Closing comments Happy Holidays! David Fanson, CISA, MBA, Practice Director, Technology Risk Titus 608-556-0906 david.fanson@titus-us.com

Download ppt "Slide Heading Data Security Risk Assessment David Fanson, CISA, MBA Practice Director, Technology Risk Titus December 12, 2012."

Similar presentations

Symantec 2004 Pulse of IT Security in Canada Volume II Survey shows Increases in Concern and Spending for IT Security Andrew Bisson Director, Planning.

Symantec 2004 Pulse of IT Security in Canada Volume II Survey shows Increases in Concern and Spending for IT Security Andrew Bisson Director, Planning.
1 of 21 Information Strategy Developing an Information Strategy © FAO 2005 IMARK Investing in Information for Development Information Strategy Developing.

1 of 21 Information Strategy Developing an Information Strategy © FAO 2005 IMARK Investing in Information for Development Information Strategy Developing.
DEVELOPING A STRATEGIC TECHNOLOGY PLAN © Cummings & Lockwood LLC 2002 1 Fantasy Meets Reality: Strategic Planning and Budgeting DEVELOPING A STRATEGIC.

DEVELOPING A STRATEGIC TECHNOLOGY PLAN © Cummings & Lockwood LLC Fantasy Meets Reality: Strategic Planning and Budgeting DEVELOPING A STRATEGIC.
Agenda For Today! Professional Learning Communities (Self Audit) Professional Learning Communities (Self Audit) School Improvement Snapshot School Improvement.

Agenda For Today! Professional Learning Communities (Self Audit) Professional Learning Communities (Self Audit) School Improvement Snapshot School Improvement.
Copyright 1997-2001 The Info-Tech Research Group Inc. All Rights Reserved. D1-1 by James M. Dutcher Strategic IT Planning & Governance Creation H I G H.

Copyright The Info-Tech Research Group Inc. All Rights Reserved. D1-1 by James M. Dutcher Strategic IT Planning & Governance Creation H I G H.
Govern the Flow of Data: Moving from Chaos to Control

Govern the Flow of Data: Moving from Chaos to Control
©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone Effective PR: the Power of Three Craig Coward Context Public Relations.

©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone Effective PR: the Power of Three Craig Coward Context Public Relations.
PROCEDURE FOR TRANSFER OF A MEMBER OF THE CIVIL SERVICE CORPS TO THE POST OF DEPARTMENTAL DEPUTY DIRECTOR IN THE CENTRAL STATISTICAL OFFICE WITHOUT CONDUCTING.

PROCEDURE FOR TRANSFER OF A MEMBER OF THE CIVIL SERVICE CORPS TO THE POST OF DEPARTMENTAL DEPUTY DIRECTOR IN THE CENTRAL STATISTICAL OFFICE WITHOUT CONDUCTING.
MOBILE DEVICES & THEIR IMPACT IN THE ENTERPRISE Michael Balik Assistant Director of Technology Perkiomen Valley School District.

MOBILE DEVICES & THEIR IMPACT IN THE ENTERPRISE Michael Balik Assistant Director of Technology Perkiomen Valley School District.
Chapter 1 Business Driven Technology

Chapter 1 Business Driven Technology
Determining the Significant Aspects

Determining the Significant Aspects
An Introduction to The JM Group. Agenda  The JM Group overview  Structure  Sector Credentials  Key Clients  Delivery  Recruitment by Capability.

An Introduction to The JM Group. Agenda  The JM Group overview  Structure  Sector Credentials  Key Clients  Delivery  Recruitment by Capability.
Achieve Benefit from IT Projects. Aim This presentation is prepared to support and give a general overview of the ‘How to Achieve Benefits from IT Projects’

Achieve Benefit from IT Projects. Aim This presentation is prepared to support and give a general overview of the ‘How to Achieve Benefits from IT Projects’
Supply Chain Performance Measurement

Supply Chain Performance Measurement
Presentation to ISACA Ottawa Valley Chapter Richard Brisebois, Principal November 9, 2010.

Presentation to ISACA Ottawa Valley Chapter Richard Brisebois, Principal November 9, 2010.
Security Controls – What Works

Security Controls – What Works
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Manage and Safeguard Your BC Career Cheyene Haase BC Management, Inc.

Manage and Safeguard Your BC Career Cheyene Haase BC Management, Inc.
Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.
Security Management IACT 418/918 Autumn 2005 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 418/918 Autumn 2005 Gene Awyzio SITACS University of Wollongong.

Similar presentations

Ads by Google