
Practical work with security and risk assessment

Work location-independently in the cloud with Netintegrate

To do the practical work of a security and risk assessment, you need to be familiar with the technology you are using. You also need the diagrams I wrote about last week.

The work is to identify how data is added, consumed, stored and shared with and by the users of the organisation. When users are allowed to share information externally, you need clear and communicated policies on what data may be shared and how. First you have to identify whether the data contains personally identifiable information (PII), and then you need to classify the data. If it is sensitive, you definitely need to do more work on the assessment. You need to identify the path the PII data takes through your organisation.

Some of the tasks are:

  • Identify the input method of the PII.
  • Identify the reason for collecting the PII.
  • Identify the consent or the agreement with the individual.
  • Determine how the data will be stored.
  • Determine who will have access to the data.
  • Determine how the PII data will be transferred to other systems.
  • Determine whether the PII will be shared with subsidiaries or third parties.
  • Determine how the data will be governed throughout the whole process.
  • Identify which security controls ensure that the right users get access to the PII data.
  • Identify what logging is being performed.
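
As an added example (not code from the original post), the Python below models a constructed inventory of systems and data flows, traces every path PII takes from the input system, and flags each hop that fails one of the tasks above: unprotected transfer, missing logging, sharing with a subsidiary or third party without recorded consent, and a destination classified below its source. The system names, flags and classification levels are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class System:
    owner: str              # "internal", "subsidiary" or "third_party"
    classification: str     # "none", "pii" or "sensitive_pii"
    consent_recorded: bool  # consent or agreement with the individual covers this use

@dataclass
class Flow:
    src: str
    dst: str
    encrypted: bool         # transfer is protected in transit
    logged: bool            # transfer is audit-logged

RANK = {"none": 0, "pii": 1, "sensitive_pii": 2}  # assumed classification order

def pii_paths(flows, start):
    """Every path data can take from `start`, following the flows depth-first."""
    out_edges = {f.src: [g.dst for g in flows if g.src == f.src] for f in flows}
    paths = []
    def walk(node, path):
        nexts = [n for n in out_edges.get(node, []) if n not in path]  # skip cycles
        if not nexts:
            paths.append(path)
        for n in nexts:
            walk(n, path + [n])
    walk(start, [start])
    return paths

def assess(systems, flows, start):
    """One finding per hop where PII moves without the controls the tasks ask for."""
    findings = set()
    for path in pii_paths(flows, start):
        for src, dst in zip(path, path[1:]):
            flow = next(f for f in flows if f.src == src and f.dst == dst)
            s, d = systems[src], systems[dst]
            if s.classification == "none":
                continue  # this hop carries no PII
            checks = [(not flow.encrypted, "PII transferred without encryption"),
                      (not flow.logged, "PII transfer is not logged"),
                      (d.owner != "internal" and not d.consent_recorded,
                       f"PII shared with {d.owner} without recorded consent"),
                      (RANK[d.classification] < RANK[s.classification],
                       f"destination classified '{d.classification}', below source")]
            findings.update(f"{src}->{dst}: {msg}" for bad, msg in checks if bad)
    return sorted(findings)

# Constructed sample inventory: a web form feeds a CRM that passes data onwards.
SYSTEMS = {"web_form": System("internal", "pii", True),
           "crm": System("internal", "sensitive_pii", True),
           "analytics": System("internal", "none", False),
           "mailing_vendor": System("third_party", "pii", False)}
FLOWS = [Flow("web_form", "crm", True, True), Flow("crm", "analytics", True, False),
         Flow("crm", "mailing_vendor", False, True)]
```

Running `assess(SYSTEMS, FLOWS, "web_form")` on the sample yields five findings, all on the two hops leaving the CRM.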

These are some of the common ones that most consultants know of and perform when they assist organisations with assessments. I will also give you a hint about what is sometimes missed or done the wrong way.

  • The most common mistake is not involving the administrators of all the involved systems during the assessment.
  • Using outdated network and system diagrams is also a common mistake.
  • A lack of updated documentation means that some parts are not checked during the assessment.
  • With cloud services being added as "shadow IT", it is not enough to involve just the IT staff. You may need to perform a penetration test in advance.
  • The assessment process focuses only on what the problem is, and not on what needs to be done when there is a problem.
  • Considering mistakes made by users or administrators that cause PII to leak out of the organisation.
  • Identifying problems with the software versions of the involved hardware devices.
  • Forgetting the IoT devices installed in the enterprise network, such as smart TVs, door locks, surveillance cameras and other devices.
  • The level of training of the users who work with the PII data.

There are a number of issues to deal with, and these are some of the most common ones. My 32+ years in the industry have taught me that no two networks or systems are the same. There simply is no "one size fits all" for a security and risk assessment. Together with our team of collaborators, we can assist you with the practical implementation of GDPR as well as the security and risk assessment.
