Data Assessment Process
A data assessment process should be conducted for all data generated or kept in any organization. This process may be formal or informal, but it is very important to categorize the security requirements for all data. There may be a default data setting and data may be moved to another category upon review. The data assessment is also an important part of a risk assessment especially when the main asset of value is the data.
During a risk assessment which is conducted for complete systems including the network, computers, and applications the security needs and risks are quantified and defined. One of the first risk assessment steps includes the definition of data security needs which considers:
Confidentiality - The need to keep the information secret from unauthorized third parties.
Integrity - The need to keep the information from being changed by persons that are not authorized to change the data. This is a need for data accuracy.
Availability - The need to have the information available for authorized users of the data.
During this part of a risk assessement, data used in the system will be identified along with its sensitivity and a determinination of who will have access to the data. This should include configuration data. This is done in steps 1 through 7 below.
Steps to properly conduct a data assessment to help determine the required level of protection include:
Data Identification - Identify data item types to help determine the most sensitive item which will help in determining confidentiality, integrity, and availability needs.
Data Ownership and users - The data owners of each data item identified in the previous step should be identified so they can determine confidentiality, integrity, and possibly availability needs. Users must be identified to help determine availability needs.
Data Confidentiality - The need to keep the data secret from unauthorized persons. Consider how much damage would be done if the data were obtained by unauthorized persons.
Data Integrity - The need to keep the data accurate and not allow unauthorized persons to change it. Consider the impact if the data were not correct.
Data Availability - The need for the data to be available to authorized users. Data owners should consider how their business processes would be impacted if they could not access their data for some period of time and what periods of time would be critical.
Data Criticality - This step considers how essential the data is to the operation of the organization.
Data Access Determination - Helps secure the data by determining minimum access needs.
Data and Application Location - Helps determine risks as data is sent across the network and allow for risk mitigation.
These steps must be performed by the entity that is responsible for creating the application and/or the owner of the data. Of the three requirements including confidentiality, integrity, and availability, the data confidentiality requirement is normally the most important or the most emphasized but it will vary by requirements from organization to organization. Sometimes organizations fail to consider the importance of the availability aspect when the project is under development by their staff or being maintained by their staff. Data adminstrators may require ready availability to prevent a loss of productivity which costs the organization.
Data Requirements Confusion
While performing the data assessment steps it is important to be careful to be sure what you are quantifying. Do not confuse data confidentiality requirements with data access determination which specifies which users are allowed to access or modify the data. Sometimes when people think about data sensitivity, they think about who is using it regarding whether it can be used by the public, used within the entire organization, or only one department. Specific use by different departments or more global use does not set data confidentiality requirements. Potential damage that can be done should set data confidentiality, integrity, and availability requirements.
The data access determination is an important component both of risk assessment and setting up access controls in order to reduce risk, but it is not related to data confidentiality needs.