Information Security

  • 1.  Leveraging Data Classification Policies to Drive Informational Risk Assessment

    Posted 11-14-2023 09:08 AM

    I am curious to learn more about any best practices others are currently using within a risk assessment questionnaire to capture different categories of information being shared (i.e. public, internal, confidential, highly confidential) and then forming your informational risk ratings based on those categories. Also curious to understand if anyone is capturing the number of data records that are shared with a vendor (i.e. some data versus all data). Is this level of granularity explored in anyone's risk assessment questionnaire? If not there, are you capturing it somewhere else and how are you using it in your TPRM program? Thanks!



  • 2.  RE: Leveraging Data Classification Policies to Drive Informational Risk Assessment

    This message was posted by a user wishing to remain anonymous
    Posted 11-15-2023 10:40 AM

    Stephen,

    We use a brief version of this in the inherent risk questionnaire to rank information sharing. NPI includes bank confidential, not just customer PII (NPI foreign data storage, NPI domestic data storage, NPI via remote support, No NPI data sharing).

    We also then detail at the vendor level:

    Data Classification (Restricted, Internal Use Confidential, Public, None)

    Data Context (Narrative description of the data shared. This should describe the subset of data being exposed e.g. Mortgage customers)

    Data Density (Small, Medium, Large): this measure is related to the context description, e.g. by being based on the context we can see Large in terms of the mortgage customers, vs. the same record exposure might be Small in terms of all customers.

    Data Classification, Context, and Density shape the perspective for assessment scope and QC review. QC would flag for challenge Large data density if the Risk Impacts are Low (those appear inconsistent) ...




  • 3.  RE: Leveraging Data Classification Policies to Drive Informational Risk Assessment

    Posted 11-16-2023 05:44 PM

    To confirm my understanding of how it is being captured and utilized in the inherent risk questionnaire, is this a multiple choice scenario in your assessment? Great information, thank you for sharing!




  • 4.  RE: Leveraging Data Classification Policies to Drive Informational Risk Assessment

    This message was posted by a user wishing to remain anonymous
    Posted 11-26-2023 02:41 PM

    All of the selections are from a dropdown list except for the Data Context (Free form text).