Information Security

I am curious to learn more about any best practices others are currently using within a risk assessment questionnaire to capture different categories of information being shared (i.e. public, internal, confidential, highly confidential) and then forming your informational risk ratings based on those categories. Also curious to understand if anyone is capturing the number of data records that are shared with a vendor (i.e.. some data versus all data). Is this level of granularity explored in anyone's risk assessment questionnaire? If not there, are you capturing it somewhere else and how are you using it in your TPRM program? Thanks!

Stephen,

We use a brief version of this in Inherent  risk questionnaire to rank Information sharing. NPI includes bank confidential not just customer PII (NPI foreign data storage, NPI domestic data storage, NPI via remote support, No NPI data sharing)

We also then detail at the vendor level 

Data Classification (Restricted, Internal Use Confidential, Public, None)

Data Context (Narrative description of the data shared. This should describe the subset of data being exposed e.g. Mortgage customers)

Data Density (Small, Medium, Large) this measure is related to the context description e.g. by being based on the context we can see Large in terms of the mortgage customers. vs the same record exposure might be small in terms of all customers. 

Data Classification, Context, and Density shape the perspective for assessment scope and qc review.  qc would flag for challenge Large data density if the Risk Impacts are Low (those appear inconsistent) ... 

Original Message:
Sent: 11-13-2023 04:52 PM
From: Stephen Meyer
Subject: Leveraging Data Classification Policies to Drive Informational Risk Assessment

I am curious to learn more about any best practices others are currently using within a risk assessment questionnaire to capture different categories of information being shared (i.e. public, internal, confidential, highly confidential) and then forming your informational risk ratings based on those categories. Also curious to understand if anyone is capturing the number of data records that are shared with a vendor (i.e.. some data versus all data). Is this level of granularity explored in anyone's risk assessment questionnaire? If not there, are you capturing it somewhere else and how are you using it in your TPRM program? Thanks!

To confirm my understanding of how it is being captured and utilized in the inherent risk questionnaire, is this a multiple choice scenario in your assessment? Great information, thank you for sharing!

Stephen,

We use a brief version of this in Inherent  risk questionnaire to rank Information sharing. NPI includes bank confidential not just customer PII (NPI foreign data storage, NPI domestic data storage, NPI via remote support, No NPI data sharing)

We also then detail at the vendor level 

Data Classification (Restricted, Internal Use Confidential, Public, None)

Data Context (Narrative description of the data shared. This should describe the subset of data being exposed e.g. Mortgage customers)

Data Density (Small, Medium, Large) this measure is related to the context description e.g. by being based on the context we can see Large in terms of the mortgage customers. vs the same record exposure might be small in terms of all customers. 

Data Classification, Context, and Density shape the perspective for assessment scope and qc review.  qc would flag for challenge Large data density if the Risk Impacts are Low (those appear inconsistent) ... 

Original Message:
Sent: 11-13-2023 04:52 PM
From: Stephen Meyer
Subject: Leveraging Data Classification Policies to Drive Informational Risk Assessment

I am curious to learn more about any best practices others are currently using within a risk assessment questionnaire to capture different categories of information being shared (i.e. public, internal, confidential, highly confidential) and then forming your informational risk ratings based on those categories. Also curious to understand if anyone is capturing the number of data records that are shared with a vendor (i.e.. some data versus all data). Is this level of granularity explored in anyone's risk assessment questionnaire? If not there, are you capturing it somewhere else and how are you using it in your TPRM program? Thanks!