Creating Reliable Risk Assessments: How to Measure Data Security / GLBA Risk
Part 1 of 4
Protecting customer’s sensitive data is more than just a sacred duty. It’s a regulatory requirement. A Gramm-Leach-Bliley Act risk assessment should identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of information and assets.
Each risk should also be assessed to understand the threat it poses and how effectively it is being mitigated.
But how exactly do you properly assess a cyber risk? Let’s find out by assessing one potential cyber risk: the risk that an employee will successfully access or misuse data.
Inherent vs. Residual Risk
Inherent risk scores represent the level of risk an institution would face if there weren’t controls to mitigate it. For example, think of the risk of a cyberattack if the institution didn’t have any defenses in place. Residual risk is the risk that remains after controls are taken into account. In the case of a cyber breach, it’s the risk that remains after considering deterrence measures.
To assess inherent risk, determine how big of an impact of an event would have and how likely the event is to occur.
Inherent risk = Impact of an event * Probability
To calculate residual risk, consider the inherent risk as well as the effectiveness of the controls. That includes how large of an impact a control has in mitigating a problem as well as how effective it is.
Residual risk = Inherent risk * Control effectiveness
Control effectiveness = Control impact * % ineffective
Making the Assessment
Different institutions use different scales when making these measurements. In conducting this exercise, we’ll use a 5-point scale using these terms to measure risk and potential impact:
Control effectiveness will be measured on a three-point scale for impact:
- Very important
- Not important
Probability and effectiveness will be measured on a five-point scale:
With these in mind, let’s begin to assess risk.
Risk: Employee unauthorized access or misuse or sensitive consumer information.
Event Impact: Catastrophic. It’s a violation of federal law and could result in reputational damage to the institution.
Probability: Possible. With no controls it’s easy enough to access data, but the average employee isn’t likely to try to steal data.
Inherent Risk Rating: Significant. While there is a lot of opportunity to steal data, the vast majority of employees aren’t looking to commit a crime. A common mistake is to use background checks and interviews to state that the inherent risk is Moderate or Minor, but these are controls that should not be factored into the inherent risk.
Now let’s look at the controls the institution has in place to mitigate this risk. There are a variety of controls designed to limit unnecessary access to data and protect data. They include:
- Access restrictions based on job responsibilities.
- Requiring individual identification and authentication for desktop log-on.
- Formal policies that define password parameters & rules (no Post-its with passwords on monitors).
- Interviews with prospective employees
- Background Checks (Pre-employment)
- Background Checks (Current employees)
- Requirements for periodic review of access rights.
- Termination protocols and checklists.
- Secure disposal measures to properly dispose of consumer information when no longer needed.
- Requirement for acknowledgement and acceptance of confidentiality/non-disclosure agreements before permitting access to confidential data or systems.
Each of these controls should be individually reviewed and risk assessed. Then an aggregate residual risk score should be calculated. To better understand how this works, let’s assess the first control by impact and probability.
Control: Access restrictions based on job responsibilities.
Impact: Important. The fewer people who have access to data, the safer the data is, and this control limits who has access. However, there will still be many people with access to the data and logging into someone else’s account to access data remains a possibility.
Effectiveness: Moderate. It’s very hard to log in without access, assessments have shown.
Residual risk: Minor. With the controls in place, it’s less likely that employees will be able to misuse data since sensitive data since fewer people will have it. Additional controls are necessary to reduce risk further.
Conduct this assessment with each of the controls. Then assess the total value of the controls to determine how high or low the residual risk. Remember, not every control is equal. Give greater weight to those with a high impact and less to those with a low impact.
Be sure to be candid when assessing controls. If the assessment reveals that a control isn’t particularly effective, it might not be a problem if other strong controls are in place. It could be an opportunity to strengthen a weak control or decide that it’s not worth the resources. New controls can be developed.
To learn more about risk assessments, including how to ensure they are reliable, timely and consistent, check out our whitepaper: Creating Reliable Risk Assessments.