- What are the most important data sets to keep available? Are there backups?
- What are the most important data sets to keep private?
- How does the organization currently determine who should have access to data?
- Is there currently anyone who has access to data who should not?
- Does the staff agree on what constitutes sensitive data?
- What data does each staff member need to be able to access in order to do their job?
- Ensure that any physical notes/drawings are erased and destroyed once digitally recorded.
- Ensure that any digital recordings of this process are kept secure and encrypted.
- Consider who has physical and visual access to the room where this process takes place, and if the room can be secured if this activity may span long/overnight breaks.
- Facilitation skills or experience are useful for these exercises.
- Carefully review the exercises you plan to use before running them with staff.
- A map of the staff's understanding of critical organizational data:
  - what that data is,
  - where it is stored,
  - who has access,
  - who needs access.
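The map above, together with the assessment questions (who has access, who needs it, is there a backup), is easy to keep in a small structured inventory. The following is an added example, not part of this page or the SAFETAG project: a constructed inventory of four data sets for a hypothetical organization, with helpers that answer the assessment questions directly, which staff hold access they have no stated need for, who lacks access they need, which data sets carry the highest impact if exposed, and which high-impact data sets have no backup. All names, locations and impact scores are invented for illustration.

```python
# Added example (not from the original page): a minimal data inventory for an
# organizational data assessment. Every record below is constructed sample data.
from dataclasses import dataclass


@dataclass
class DataSet:
    name: str
    location: str          # where the data is stored (constructed)
    has_access: set        # roles that currently hold access
    needs_access: set      # roles that need access to do their job
    loss_impact: int       # staff ranking, 1 (low) .. 5 (critical), if destroyed
    exposure_impact: int   # staff ranking, 1 .. 5, if an adversary obtains it
    backed_up: bool = False


# Constructed inventory for a hypothetical organization.
INVENTORY = [
    DataSet("Donor list", "office NAS and a shared cloud folder",
            {"director", "fundraiser", "intern"}, {"director", "fundraiser"},
            loss_impact=4, exposure_impact=5, backed_up=True),
    DataSet("Case files", "field laptops",
            {"director", "caseworker"}, {"director", "caseworker", "lawyer"},
            loss_impact=5, exposure_impact=5, backed_up=False),
    DataSet("Press releases", "public website",
            {"director", "comms", "intern"}, {"director", "comms", "intern"},
            loss_impact=1, exposure_impact=1, backed_up=True),
    DataSet("Staff payroll", "accounting laptop",
            {"director", "accountant", "it_volunteer"}, {"director", "accountant"},
            loss_impact=3, exposure_impact=4, backed_up=False),
]


def data_map(inventory):
    """The four columns of the assessment output: what, where, who has, who needs."""
    return [
        {"data": ds.name, "stored": ds.location,
         "has_access": sorted(ds.has_access), "needs_access": sorted(ds.needs_access)}
        for ds in inventory
    ]


def access_gaps(inventory):
    """Roles holding access to a data set without a stated need (least-privilege gap)."""
    gaps = {}
    for ds in inventory:
        extra = ds.has_access - ds.needs_access
        if extra:
            gaps[ds.name] = sorted(extra)
    return gaps


def missing_access(inventory):
    """Roles that need a data set to do their job but do not currently have it."""
    missing = {}
    for ds in inventory:
        lacking = ds.needs_access - ds.has_access
        if lacking:
            missing[ds.name] = sorted(lacking)
    return missing


def rank_by_exposure(inventory):
    """Data sets ordered by impact if an adversary gains access (ties broken by loss impact)."""
    ordered = sorted(inventory, key=lambda ds: (-ds.exposure_impact, -ds.loss_impact, ds.name))
    return [ds.name for ds in ordered]


def unbacked_high_impact(inventory, threshold=3):
    """Data sets whose loss would matter (impact >= threshold) and that have no backup."""
    risky = [ds for ds in inventory if ds.loss_impact >= threshold and not ds.backed_up]
    return [ds.name for ds in sorted(risky, key=lambda ds: (-ds.loss_impact, ds.name))]


if __name__ == "__main__":
    for row in data_map(INVENTORY):
        print(row)
    print("access without need:", access_gaps(INVENTORY))
    print("need without access:", missing_access(INVENTORY))
    print("most damaging if exposed:", rank_by_exposure(INVENTORY))
    print("no backup, high loss impact:", unbacked_high_impact(INVENTORY))
```

The two access views are the useful part: the first feeds the "is there anyone who has access who should not" question, the second surfaces staff who work around missing access (often by copying data somewhere less controlled). Treat the inventory itself as sensitive output of the assessment and store it accordingly.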
- Sensitive Data: Data and meta-data about an organization and its staff is incredibly difficult to keep track of over time, as people or projects use cloud…
- Risks of Data Lost and Found: Have staff rank the impact if different data within the organization was lost, and the impact if various adversaries gained access to that…
- Assessing Usage of Cloud Services: During the organizational assessment you will almost certainly come across 3rd party cloud-based service providers being used by the audited…
- The Impacts of a Lost Device: Lead staff in an activity where they describe the impact if various devices were destroyed.
- The Impacts of a "Found" Device: Lead staff in an activity identifying what critical data (as identified during the Data Assessment) would be available if an adversary…
- Private Data: Guide staff through an activity to have them list private data within the organization (e.g. Using the "personal information to keep private…
References and resources for Data Assessment
- Activity: "Backup Matrix: Creating an Information Map" (LevelUp)
- Activity: "Identifying and prioritizing your organization’s information types" (NISTIR 7621)
- Guide: "Data Risk Checker: Categorizing harm levels on knowledge assets to inform mitigation and protection" (Responsible Data Forum wiki)
- Guide: "Awareness and Training" (Information Security Handbook: A Guide for Managers - NIST 800-100)
- Guide: "Managing Information Security Risk: Organization, Mission, and Information System View" (NIST 800-39)
- Guide: "Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)" (NIST 800-122)