When evaluating data and the overall system layout, the flow of the data through the system to and from the users must be a strong consideration. Whether the data should be encrypted either during storage or transmission must be considered and the requirements must be designed into the system.
8. Data and Application Location
This part of the data assessment process examines the locations where the data are stored and examines the network paths that the data travels in an attempt to determine whether there is a need to encrypt the data during storage, during transmission, or both. The need to encrypt the data will depend on the risk of snooping during transmission or unauthorized reading of the data during storage along with the confidentiality needs of the data.
The location of each item of data on the computer must be identified.
Consider server storage
Consider remote storage on user systems and mobile devices.
The path of the any data between the computer under consideration and to any other computer must be identified. This includes the path in both directions. The data sensitivity must be considered to determine whether the data should be encrypted during transport.
Data Assessment Summary and Conclusions
During the process of assessing data, one of the first important steps is to identify the data owners owners. The data owners must then identify the data confidentiality and integrity needs. The data users should help identify the data availability needs. Each of these three needs should be quantified into a high, medium, or low ranking. The data can then be ranked by importance to the organization based on the highest of the three rankings combined with the criticality of the data to the organizational operation.
After this determining who should have access to the data, where it is stored, and the network paths the data will travel across, will help determine the risks to the data and minimize those risks by implementing minimum access levels along with security controls to prevent unauthorized persons from accessing the resources.
During the data assessment process, the impact of a security incident was assessed based on the data needs in three areas, confidentiality, integrity, and availability. To complete a risk assessment, the current implementations of systems must be examined to determine threat vectors and determine the probability of security incidents which would compromise confidentiality, integrity, or availability. Once that is done, the value of spending money to reduce the chance of an incident can be quantified.