Evaluating and managing your bank’s data risk doesn’t have to be an overwhelming endeavor. The list of things to do can look impossible if you don’t filter out those items you really need to tackle now and what can be addressed later, when time and other resources allow. There are also some falsehoods floating around out there that may cause more concern than they should.
Before that mountain of must-do’s threatens to topple onto you, focus first on those tasks that will truly help to ensure your data is reasonably secure from the majority of breach scenarios. One way to get into the right mindset is to remember that your data is an asset, and you need to treat it that way. Once you’re looking at data from that perspective, the initial step becomes clear: inventory your data. It’s the only way to know for sure what you have, where it exists, how it comes to you, who touches it, how it can be replicated and removed, and how it is ultimately disposed of. In short, a comprehensive data inventory will tell you precisely where risk factors exist.
Now that you know what data you have, it’s time to separate the most important from the unimportant. This separation accomplishes two critical things: one, it gives you a smaller subset of data (the important, essential stuff) to focus on as you implement your security measures, and two, it provides a demarcation so that if an attacker gets into your system, they won’t have access to ALL of your information. The important data will be under additional layers of protection and away from the hackers’ hands.
Take that important data you identified and start protecting it. Encryption is a good place to start. It’s inexpensive (often free), it’s easy, and it provides real security should other parts of your security program fail. Reduce the ways a hacker can get into the system by staying up-to-date with security patches. Require all network users to employ strong passwords, and back them up with robust authentication protocols on the back end. And pull everything together by conducting regular security audits, augmented by periodic penetration testing by an outside firm. These efforts will identify potential weak spots and let you know, rather than just think, that your plan is effective.
What can wait
Remember that less-than-important information you separated out earlier? That’s what can wait. Don’t protect unimportant e-mail messages with the same rigor you use for financial data. Focus first on the most important and work your way to the least important, stopping when you reach the information set that doesn’t need to be protected.
While it would be great to plan for every scenario, it’s a myth that you should actually devote your resources to doing that (or that you even can!). The plan you put in place to protect your assets should be specifically designed to focus on protecting your information in your environment against the attacks you are most likely to face. Yes, some fundamentals exist, such as having anti-virus in place and training employees, but a carefully crafted plan will help your security dollars to go farthest by focusing on what is most important to your business. Don’t get sidetracked by risks that aren’t likely to affect your organization.
A sensible data risk program puts more than one layer of protection around the most important information. To help ferret out what’s essential and what can wait, think of it this way: A bank doesn’t keep all of its money in a pile in the lobby. To get to the “stash,” you have to go through the front door, then past the teller, past another locked door, maybe through another locked door, and finally the vault door. And, not all of the valuables in a bank are kept in a single vault. Your important data should be protected in a similar way.
Deena Coffman is CEO of IDT911 Consulting