Information Security


Info Sec Risk Ratings...and Quantification

  • 1.  Info Sec Risk Ratings...and Quantification

    This message was posted by a user wishing to remain anonymous
    Posted 08-21-2020 11:29 AM

    I am curious if anyone uses the AMOUNT of PII or MNPI (i.e., ANY sensitive data) "given" to a vendor to assist with determining the Risk Rating from an Info Sec perspective. Or... is even a smidgen of PII enough to force you to rate the vendor as "High" given CCPA, EU regulations, etc., etc., etc.?

    If you use quantities, what's the amount that would allow you to assign a lower rating (hundreds vs. thousands or millions of data points, etc.)?

    (I realize: if one person's PII gets compromised... that stinks. The issue, though, is that if 14,000,000 people's PII gets compromised, that's a real problem for everyone, even if you're not directly involved.)

    Thanks to anyone that reads the post... and MANY thanks to anyone that answers! Have a great day!


  • 2.  RE: Info Sec Risk Ratings...and Quantification

    This message was posted by a user wishing to remain anonymous
    Posted 08-21-2020 02:45 PM

    We do use a risk-based approach based on quantity of records and type of PII at risk. We don't have set numbers but general guidelines (e.g., minor, moderate, significant exposure). So a vendor mailing invitations to 5,000 employees given name, spouse name, mailing address, telephone number, and masked employee number would be rated a lot lower than a vendor transmitting loan information of 1,000 borrowers given name, mailing address, loan number, loan balance, etc. I think each institution will have different thresholds and criteria based on each institution's risk tolerance and how sensitive they are about their reputation (e.g., a high-volume transactional bank, I believe, may have a higher tolerance for reputational risk because of the public's dependence on their network or low costs vs. a small niche bank that caters to high-profile celebrities).
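As an added example that is not part of either post, here is one way to turn the approach described in the reply above (record count combined with the type of PII, mapped to minor/moderate/significant) into a repeatable score, and to handle the original question's "even a smidgen of PII" case with an explicit floor rule. The field weights, volume bands, score thresholds and the floor rule are assumptions chosen for illustration, not either poster's actual criteria; the two vendor scenarios from the reply and the 14,000,000-record case from the question are constructed inputs.

```python
"""Illustrative vendor data-exposure scoring: record count x data sensitivity.

Added example. The weights, bands, thresholds and floor rule below are
assumptions for illustration, not any institution's actual policy.
"""
from dataclasses import dataclass

# Assumed sensitivity weight per data element shared with the vendor
# (1 = low, 5 = regulated / high-impact). Assumption, not the poster's scheme.
FIELD_WEIGHTS = {
    "name": 1,
    "spouse_name": 1,
    "masked_employee_id": 1,
    "mailing_address": 2,
    "telephone": 2,
    "email": 2,
    "loan_number": 3,
    "loan_balance": 4,
    "account_number": 4,
    "ssn": 5,
}

# Any single element at or above this weight sets a floor of "moderate"
# regardless of volume (the "even a smidgen of PII" case). Assumption.
REGULATED_FLOOR_WEIGHT = 4

# Score thresholds for the three exposure levels used in the reply. Assumption.
MINOR_MAX = 6.0
MODERATE_MAX = 12.0


@dataclass(frozen=True)
class Exposure:
    sensitivity: float  # 1.0 .. 5.0
    volume_band: int    # 1 .. 5, order of magnitude of the record count
    score: float        # sensitivity * volume_band
    rating: str         # "minor", "moderate" or "significant"


def data_sensitivity(fields):
    """The most sensitive element sets the base; each additional element adds
    a small increment, because combining identifiers makes each record more
    useful to an attacker. Capped at 5.0. Unknown field names raise KeyError
    so an unreviewed data element cannot silently score as zero."""
    if not fields:
        raise ValueError("no data elements shared")
    weights = [FIELD_WEIGHTS[field] for field in fields]
    return min(5.0, max(weights) + 0.25 * (len(weights) - 1))


def volume_band(record_count):
    """Order-of-magnitude band, integer arithmetic only:
    <1,000 -> 1, <10,000 -> 2, <100,000 -> 3, <1,000,000 -> 4, else 5."""
    if record_count < 1:
        raise ValueError("record_count must be at least 1")
    band, threshold = 1, 1000
    while record_count >= threshold and band < 5:
        band += 1
        threshold *= 10
    return band


def rate_vendor(record_count, fields):
    """Combine sensitivity and volume, then apply the regulated-data floor."""
    sensitivity = data_sensitivity(fields)
    band = volume_band(record_count)
    score = sensitivity * band
    if score <= MINOR_MAX:
        rating = "minor"
    elif score <= MODERATE_MAX:
        rating = "moderate"
    else:
        rating = "significant"
    # A small amount of regulated data is never "minor": the floor rule.
    if rating == "minor" and any(
        FIELD_WEIGHTS[field] >= REGULATED_FLOOR_WEIGHT for field in fields
    ):
        rating = "moderate"
    return Exposure(sensitivity, band, score, rating)


if __name__ == "__main__":
    # Constructed scenarios: the two vendors from the reply, the 14M-record
    # case from the question, and a single regulated record.
    scenarios = {
        "invitation mailer, 5,000 employees": (
            5_000, ["name", "spouse_name", "mailing_address", "telephone", "masked_employee_id"]),
        "loan data transfer, 1,000 borrowers": (
            1_000, ["name", "mailing_address", "loan_number", "loan_balance"]),
        "14,000,000 customers with SSN": (
            14_000_000, ["name", "mailing_address", "ssn"]),
        "one record with SSN": (1, ["ssn"]),
    }
    for label, (count, fields) in scenarios.items():
        print(f"{label}: {rate_vendor(count, fields)}")
```

With these assumed weights the mailer vendor lands at the top of "minor" (score 6.0) while the loan-data vendor is "moderate" (score 9.5) despite handling fewer records, which is the ordering the reply describes; the single SSN record would score "minor" on volume alone and is lifted to "moderate" by the floor rule, and the 14,000,000-record case is "significant" on either axis. The numbers themselves are the part each institution would set from its own risk tolerance.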