This message was posted by a user wishing to remain anonymous
All of the selections are from a dropdown list except for the Data Context (free-form text).
Original Message:
Sent: 11-16-2023 04:30 PM
From: Stephen Meyer
Subject: Leveraging Data Classification Policies to Drive Informational Risk Assessment
To confirm my understanding of how it is being captured and utilized in the inherent risk questionnaire, is this a multiple-choice scenario in your assessment? Great information, thank you for sharing!
Original Message:
Sent: 11-15-2023 10:34 AM
From: Anonymous Member
Subject: Leveraging Data Classification Policies to Drive Informational Risk Assessment
This message was posted by a user wishing to remain anonymous
Stephen,
We use a brief version of this in the inherent risk questionnaire to rank information sharing. NPI includes bank confidential, not just customer PII (NPI foreign data storage, NPI domestic data storage, NPI via remote support, No NPI data sharing).
We also then detail at the vendor level:
Data Classification (Restricted, Internal Use Confidential, Public, None)
Data Context (Narrative description of the data shared. This should describe the subset of data being exposed, e.g. Mortgage customers)
Data Density (Small, Medium, Large): this measure is related to the context description, e.g. by being based on the context we can see Large in terms of the mortgage customers, whereas the same record exposure might be Small in terms of all customers.
Data Classification, Context, and Density shape the perspective for assessment scope and QC review. QC would flag a Large data density for challenge if the Risk Impacts are Low (those appear inconsistent) ...
Original Message:
Sent: 11-13-2023 04:52 PM
From: Stephen Meyer
Subject: Leveraging Data Classification Policies to Drive Informational Risk Assessment
I am curious to learn more about any best practices others are currently using within a risk assessment questionnaire to capture different categories of information being shared (i.e. public, internal, confidential, highly confidential) and then forming your informational risk ratings based on those categories. Also curious to understand if anyone is capturing the number of data records that are shared with a vendor (i.e. some data versus all data). Is this level of granularity explored in anyone's risk assessment questionnaire? If not there, are you capturing it somewhere else, and how are you using it in your TPRM program? Thanks!