Assessing risk can seem a nebulous thing in the privacy world. How do you quantify the chances of a particular piece of information going missing or being used incorrectly and what the impact would be on the business? It can seem even harder when you don’t have control over many of the systems that create that risk, like third-party cloud solution providers and databases managed by the IT team.
Worse, what do you do when you identify a risk so high that you know the incident will occur, but you don’t have the budget or influence to prevent it?
“We have a lot of clients who deliberately avoid assessing risk,” said Raymond Chabot Grant Thornton Consulting VP of Security and Privacy Aron Feuer, CIPP/C. “We had one healthcare client who turned on a lot of access logging only to find out that people were doing self-lookups at a rate way higher than they thought. It scared them so much they simply turned the logging off again and pretended it wasn’t happening.”
Don’t let that happen to you, Feuer warned, alongside his colleague Rikki Sorensen as part of a preconference workshop, “Assessing IT Risks: What the Privacy Professional Needs To Know,” here at the IAPP Canada Symposium in Toronto, ON.
Privacy pros, they advised, need three sets of skills: the social skills to befriend and work with IT teams; the technical skills to speak IT's language and to recognize risk when the IT team doesn't; and the management skills to categorize risk properly and bubble major potential problems up to the C-suite and the board.
Really, a threat is any person or event that could take advantage of a weakness in your systems to harm the business. That could be a social-engineering attack in which a bad actor phones your colleagues and talks them into handing over PII (an approach that, the presenters said, works 70 to 80 percent of the time), or a malware attack like the one that hit Target, which came in through a trusted third-party vendor. In order to prevent threats of all kinds from becoming incidents, the privacy team needs to work with a variety of friends in the business: IT operations, database management, security architects, physical security, HR, you name it.
Should you be familiar with ISO 27001 and 27002, ITIL, COBIT and other security standards? Of course. But no standard, Feuer counseled, is a panacea. “Breaking people of the habit of ‘ISO says we need to do this’ is extremely important,” Feuer said. People should be taking action because it maps to an established risk profile, which takes into account a variety of factors, from standards to legislation to company values.
However, “You do need to be a little bit technical as a privacy pro,” said Sorensen. Otherwise, you can’t speak the language of the IT professional well enough to communicate your risk concerns properly.
You also should be comfortable working with a threat matrix that multiplies the probability of an event occurring by the damage the event would do to the organization. Score each axis from one to five, so that the product lands between one and 25, and be able to communicate that threat score quickly, they counseled.
Further, when you write out threat risk assessments, they should be more than a check-box exercise against some ISO standard. They should incorporate findings from a PIA, make affirmative statements on risk, be as precise and practical as possible, and be easily digestible throughout the organization. Otherwise, they'll just sit on a proverbial shelf somewhere.
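To make the likelihood-times-impact matrix concrete, here is an added example (not code from the workshop or the article) of a small risk register that scores each entry on the two one-to-five axes, bands the product into labels leadership can act on, ranks the register so the worst items bubble up, and builds a 5x5 heat map. The register entries, the scores and the band thresholds are constructed assumptions for illustration; a real register would take them from your own assessment.

```python
"""Likelihood x impact risk scoring: an added example, not the page's code.

The register below is constructed sample data; its threats, scores and the
band thresholds are assumptions for illustration only.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # both axes are scored 1 (lowest) to 5 (highest)


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1-5: how probable the event is
    impact: int      # 1-5: damage to the organization if it happens

    def __post_init__(self):
        # Reject scores outside the matrix so a typo cannot hide a risk.
        for value in (self.likelihood, self.impact):
            if value not in SCALE:
                raise ValueError(f"{self.name}: scores must be 1-5, got {value}")

    @property
    def score(self) -> int:
        """Threat score is the product of the two axes, 1..25."""
        return self.likelihood * self.impact


def band(score: int) -> str:
    """Map a 1-25 score to a label. Thresholds are an assumption; tune them
    to the organization's risk appetite and keep them stable across reports."""
    if score >= 15:
        return "Critical"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def rank(register):
    """Highest score first; ties broken by impact so high-damage items win."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def heat_map(register):
    """5x5 grid keyed by (likelihood, impact) holding the count of risks there."""
    grid = {(l, i): 0 for l in SCALE for i in SCALE}
    for risk in register:
        grid[(risk.likelihood, risk.impact)] += 1
    return grid


def escalate(register, minimum="High"):
    """Names of risks at or above the given band, in rank order, for the board."""
    order = ["Low", "Medium", "High", "Critical"]
    floor = order.index(minimum)
    return [r.name for r in rank(register) if order.index(band(r.score)) >= floor]


def briefing_line(risk: Risk) -> str:
    """One-line summary suitable for a slide or an executive email."""
    return f"{risk.name}: {risk.score}/25 ({band(risk.score)})"


# Constructed sample register (assumed values, not real findings).
SAMPLE_REGISTER = [
    Risk("Staff self-lookups of patient records", likelihood=5, impact=4),
    Risk("Blind SQL injection in calendar application", likelihood=3, impact=4),
    Risk("Social-engineering call to the help desk", likelihood=4, impact=3),
    Risk("Third-party vendor credential compromise", likelihood=2, impact=5),
    Risk("Lost laptop with full-disk encryption", likelihood=3, impact=1),
]

if __name__ == "__main__":
    for risk in rank(SAMPLE_REGISTER):
        print(briefing_line(risk))
    print("Escalate:", escalate(SAMPLE_REGISTER))
```

The tie-break on impact is deliberate: two risks with the same 12/25 score are not equal to the business, and the one that would do more damage should be the one the board hears about first.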
You know, something like:
“The calendar application is vulnerable to a blind SQL injection attack. Using automated tools, an attacker can issue repeated queries against the database to infer and expose its contents. During the penetration test, consultants leveraged this to obtain a list of DB user names.”
Bad things are going to happen, Feuer and Sorensen said. Believing in the impenetrability of your company’s info-security measures is a bad plan. Understanding your vulnerabilities and working with the IT team to prepare for breaches and other negative events is a much better one.