This part of the training is going to zoom out from specific risk strategies and go through the risk management life cycle, so you can see the iterative process involved in dealing with risk. This will give you a great overview and appreciation for the entire risk management process which it is constantly growing and evolving, requiring continuous updating and renewal. Circular diagram with Identity, Analyse, Threat and Monitor around Risk Management Life Cycle

Figure 1: Risk management life cycle

Risk management life cycle

Risk management is a repetitive circular process consisting of four stages:

Identify, Analyse, Treat, and Monitor.

Defining the risk

Risk can be analysed and assessed, but first it must also be accurately identified; this means defining which assets are at risk. An organisation will generally have a register of its assets; however, many businesses are poor at keeping a register of their data assets. Configuration management databases (CMDBs) are often referred to as ‘the heart of your ISMS’ (Information Security Management System).

Asset classification

Risk can also be reduced through classification, which specifies how data and physical assets should be treated. Most organisations have a corporate information classification scheme and associated policy that explains its use.

Classification schemes

In governments throughout the world, classification schemes are used to label documents with protective markings, such as ‘official’, (official sensitive), ‘secret’ and ‘top secret’. Commercial organisations often use markings like ‘company confidential’, ‘company sensitive’, ‘commercial in confidence’ and ‘personal’.

Markings aren’t only relevant for printed documents. They can also be applied to electronic documents, for example through document headers and footers.

Physical assets can also be protectively marked with a classification of ‘secret laptop’, or a removable hard disc marked as ‘confidential’. The policy might also state that all confidential removable media should be kept on the premises and secured in a locked cabinet when not in use.

Access to classified material is often restricted to individuals who have been vetted and have achieved the appropriate security clearance.

Baseline personnel security standard (BPSS) is the basic clearance required for all UK government staff. It’s worth noting that the ‘need to know’ principle also applies. If someone has ‘secret’ clearance it doesn’t automatically mean that they have access to all material marked as ‘secret’.

The role of data classification (all data is not created equal)

Let's look at how classification affects data and its users. Once a piece of information has been given a security classification, it automatically imposes certain constraints on how that information can be processed, stored, transmitted, disposed of, or otherwise handled. These conditions are imposed on anyone who may encounter it.

Under these circumstances it's essential to have a clear standard for the accurate classification of data and assets. What follows is a guide to developing a data classification schema.

Decorative Image: Someone attaching a hard drive

1. Define your data classification objectives

The best way to begin this process is through an interview-based approach that involves key stakeholders, including compliance, legal, and business unit leaders. Next, complete a risk assessment of sensitive data. It's important to ensure a clear understanding of the organisation’s regulatory, contractual, privacy and confidentiality requirements, as these will influence the action of classification. 

2. Develop a formalised classification policy

Resist the urge to get too granular, as granular classification schemes tend to cause confusion and become unmanageable. Three to four classification categories are reasonable. Make sure you are clear about exact employee roles and responsibilities. Policies and procedures should be clearly defined, aligned with the sensitivity of specific data types, and easily interpreted by employees.

3. Categorise the types of data

Determining what types of sensitive data exist within your organisation can present challenges. It is an effort that should be organised around business processes and driven by process owners. Consider each business process; tracking the flow of data provides insight into what data needs to be protected and how it should be protected.

4. Discover the location of your data

After establishing the types of data in your organisation, it’s important to catalogue all the places data is stored electronically. The flow of data into and out of the organisation will be a key consideration.

How does your organisation store and share data internally and externally? Do you use cloud-based services like Dropbox or OneDrive? What about mobile devices? What regulatory and contractual rules apply to the various functions in your organisation?

Data discovery tools can help generate an inventory of unstructured data and help you understand exactly where your company’s data is stored, regardless of the format or location. These tools also help address difficulties around identifying data owners by providing insights about users who are handling data. In your discovery efforts, you can incorporate keywords or specific types or formats of data, such as medical record numbers, social security numbers, or credit card numbers.

5. Identify and classify data

Only after you know where your data is stored can you identify and classify it so that it’s appropriately protected. Consider the penalties associated with a loss or breach.

Looking into the potential costs associated with the compromise of a data set will enable you to set expectations for the price of protecting it and which classification level to set.

Commercial classification tools support data classification initiatives by determining the appropriate classifications and then applying the classification label either to the metadata of the item or as a watermark.

6. Enable controls

Establish baseline cybersecurity measures and define policy-based controls for each data classification label. This will ensure the appropriate solutions are in place.

High-risk data will require more layers of protection than lower risk data. By understanding where data resides and the organisational value of the data you can implement appropriate security controls based on risk. 

7. Monitor and maintain

Be prepared to monitor and maintain the organisation’s data classification system, making updates as necessary. Classification policies should be dynamic. You need to establish a process for review and update that involves users, which will encourage adoption and ensure your approach continues to meet the changing needs of the business. 

Introduction to risk management life cycle and treatment