Data Assessment
Summary
This component allows the auditor to identify what sensitive data exists for the organization, where it is stored, and how it is transferred.
Purpose
Sensitive files are often stored across multiple devices with different levels of security. A data assessment allows the auditor to recommend secure storage solutions that best meet the organization's risk assessment and workflow needs. While the auditor has some insight into this from the Network Access and Network Mapping work, cross-staff understanding and agreement on what constitutes sensitive data will support later organizational change.
An adversary who obtains a laptop, workstation, or backup drive will be able to read or modify sensitive information on the device, even if that staff member has set a strong account password. This applies to threats involving loss, theft, and confiscation, but also to "checkpoint" scenarios in which the adversary may only have access for a few minutes. Furthermore, in the event of a burglary or office raid, an adversary could obtain all sensitive information on the organization's devices, possibly even undetected.
Guiding Questions
- What are the most important data sets to keep available? Are there backups?
- What are the most important data sets to keep private?
- How does the organization currently determine who should have access to data?
- Is there currently anyone who has access to data who should not?
- Does the staff agree on what constitutes sensitive data?
- What data does each staff member need to be able to access in order to do their job?
Operational Security
- Ensure that any physical notes/drawings are erased and destroyed once digitally recorded.
- Ensure that any digital recordings of this process are kept secure and encrypted.
- Consider who has physical and visual access to the room where this process takes place, and whether the room can be secured if this activity spans long or overnight breaks.
Preparation
- Facilitation skills or experience are useful for these exercises
- Carefully review the exercises you plan to use
Outputs
- A map of the staff's understanding of critical organizational data:
  - what that data is,
  - where it is stored,
  - who has access,
  - who needs access.
Activities
- Sensitive Data: Data and meta-data about an organization and its staff is incredibly difficult to keep track of over time, as people or projects use cloud…
- Risks of Data Lost and Found: Have staff rank the impact if different data within the organization was lost, and the impact if various adversaries gained access to that…
- Assessing Usage of Cloud Services: During the organizational assessment you will almost certainly come across 3rd party cloud-based service providers being used by the audited…
- The Impacts of a Lost Device: Lead staff in an activity where they describe the impact if various devices were destroyed.
- The Impacts of a "Found" Device: Lead staff in an activity identifying what critical data (as identified during the Data Assessment) would be available if an adversary…
- Private Data: Guide staff through an activity to have them list private data within the organization (e.g. Using the "personal information to keep private…
References and resources for Data Assessment
- Activity: "Backup Matrix: Creating an Information Map" (LevelUp)
- Activity: "Identifying and prioritizing your organization’s information types" (NISTIR 7621)
- Guide: "Data Risk Checker: Categorizing harm levels on knowledge assets to inform mitigation and protection" (Responsible Data Forum wiki)
- Guide: "Awareness and Training" (Information Security Handbook: A Guide for Managers - NIST 800-100)
- Guide: "Managing Information Security Risk: Organization, Mission, and Information System View" (NIST 800-39)
- Guide: "Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)" (NIST 800-122)