Classify data and applications based on business risk


ics

Measure relative value of data and software assets and choose risk tolerance

Results
✦ Customized assurance plans per project based on core value to the business
✦ Organization-wide understanding of the security relevance of data and application assets
✦ Better informed stakeholders with respect to understanding and accepting risks

Add'l Success Metrics
✦ >90% of applications and data assets evaluated for risk classification in the past 12 months
✦ >80% of staff briefed on relevant application and data risk ratings in the past 6 months
✦ >80% of staff briefed on the relevant assurance program roadmap in the past 3 months

Add'l Costs
✦ Buildout or license of an application and data risk categorization scheme
✦ Program overhead from more granular roadmap planning

Add'l Personnel

Activities

A. Classify data and applications based on business risk

Establish a simple classification system to represent risk tiers for applications. In its simplest form, this can be a High/Medium/Low categorization. More sophisticated classifications can be used, but there should be no more than seven categories, and they should roughly represent a gradient from high to low impact against business risks. Working from the organization's business risk profile, create project evaluation criteria that map each project to one of the risk categories.

A similar but separate classification scheme should be created for data assets, and each item should be weighted and categorized based on its potential impact on business risks.

Evaluate the collected information about each application and assign each a risk category based on the overall evaluation criteria and the risk categories of the data assets in use. This can be done centrally by a security group or by individual project teams through a customized questionnaire that gathers the requisite information. An ongoing process for application and data asset risk categorization should be established to assign categories to new assets and keep the existing information updated at least biannually.

B. Establish and measure per-classification security goals

With a classification scheme for the organization's application portfolio in place, security goals and assurance program roadmap choices can be made more granular. The assurance program's roadmap should be modified to account for each application risk category by specifying emphasis on particular Practices for each category. For each iteration of the assurance program, this would typically take the form of prioritizing more of the higher-level Objectives for the highest-risk application tier and progressively less stringent Objectives for the lower or other categories.

This process establishes the organization's risk tolerance, since active decisions must be made as to which specific Objectives are expected of applications in each risk category. By choosing to keep lower-risk applications at lower levels of performance with respect to the Security Practices, resources are saved in exchange for acceptance of a weighted risk. However, it is not necessary to ar...
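As an added illustration of Activity A (example code, not part of the SAMM text), the following models a three-tier scheme shared by applications and data assets, derives an application's category from its own evaluation criteria plus the data assets it handles, and computes the "evaluated in the past 12 months" success metric. The criteria names, the six-month reading of "biannually", and the sample assets are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Ordered from lowest to highest business impact; the page allows up to seven tiers.
TIERS = ["Low", "Medium", "High"]
MAX_TIERS = 7

# Hypothetical project evaluation criteria: a true answer implies a minimum tier.
CRITERIA_MIN_TIER = {
    "internet_facing": "Medium",
    "handles_payments": "High",
    "regulated_data": "High",
}

def validate_scheme(tiers) -> bool:
    """Reject schemes with more than seven categories or duplicate names."""
    if not 1 <= len(tiers) <= MAX_TIERS or len(set(tiers)) != len(tiers):
        raise ValueError("risk scheme must have 1..7 distinct ordered categories")
    return True

@dataclass
class DataAsset:
    name: str
    tier: str  # assigned by the separate data-asset classification

@dataclass
class Application:
    name: str
    criteria: dict                      # questionnaire answers, e.g. {"internet_facing": True}
    data_assets: list = field(default_factory=list)
    last_evaluated: Optional[date] = None

def classify(app: Application, on: date) -> str:
    """Tier = highest of the criteria-implied tiers and the tiers of data assets in use."""
    validate_scheme(TIERS)
    rank = {t: i for i, t in enumerate(TIERS)}
    candidates = [TIERS[0]]
    candidates += [CRITERIA_MIN_TIER[k] for k, v in app.criteria.items() if v and k in CRITERIA_MIN_TIER]
    candidates += [a.tier for a in app.data_assets]
    app.last_evaluated = on
    return max(candidates, key=rank.__getitem__)

def evaluated_within(apps, on: date, days: int = 365) -> float:
    """Fraction of applications evaluated in the last `days` (metric target: >90% in 12 months)."""
    fresh = sum(1 for a in apps if a.last_evaluated and (on - a.last_evaluated).days <= days)
    return fresh / len(apps) if apps else 0.0

def due_for_refresh(apps, on: date, days: int = 182) -> list:
    """Applications past the at-least-biannual refresh, assumed here to mean every six months."""
    return [a.name for a in apps if not a.last_evaluated or (on - a.last_evaluated).days > days]
```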