Performing an Information Security and Privacy Risk Assessment

Author: Andre Pitkowski, CRISC, CGEIT, COBIT Foundation Trainer, CRMA, ISO 27001 LA, ISO 31000 LA, OCTAVE, Scrum PSM, and Daniel Bispo de Jesus, COBIT 5 Foundation, BCMF, DPO, ISO 27001 IA, ISO 27001 LA, ISO 27701 LI
Date Published: 18 May 2022

Enterprise information security and privacy professionals are responsible for identifying information security and privacy gaps in information management systems and processes. To do so, they can implement controls to increase the security and privacy of information in accordance with confidentiality, integrity and availability (CIA) and authenticity. As development progresses, there may be a need to monitor the system itself, and additional controls to meet additional requirements may be implemented. Monitoring may reveal that the system is associated with increased security and privacy risk. If controls are not implemented, there may be an immediate increase in information security and privacy risk linked to the critical system in question.

The new controls introduced should allow for 2 new activities:

  1. Evaluating the controls established in the scope, resulting in proposed revisions and adjustments
  2. The development team's assessment of the approach to information security and privacy in the enterprise’s internal organizational structure

Any theoretical framework can be used to identify and categorize information security and privacy issues, and to assess information security and privacy risk. The steps of the framework serve as an opportunity to identify gaps, but they are also inputs for the creation of a data privacy impact analysis (DPIA).

It is important to reinforce that risk assessment is just one of the steps of the risk management process of the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) standard ISO/IEC 31000:2018, Risk Management—Guidelines (figure 1).

Figure 1—Risk Management Process (ISO/IEC Standard 31000:2018, Section 6)

Attributes of Information Security and Privacy

The attributes of information security and privacy group controls didactically into 3 different contexts:

  1. Structure—Structure evaluates the controls that address the structural aspects of a system (including the processes and the infrastructure that support it) and the characteristics of the environment in which it is executed, which are indispensable to identifying the current state of security and privacy of information in the organization.
  2. System—The System attribute is based on security-by-design and privacy-by-design principles, that is, the proposed security controls aim to incorporate information security and privacy throughout the system's life cycle and, consequently, help reduce the probability of a threat exploiting a system vulnerability. The attribute encompasses concepts such as secure development, logical access controls and web security. It is important to note that the organization is free to change, include, or exclude controls, adapting this structure to the reality and criticality of its systems. There are critical systems in which multi-factor authentication (MFA) (or the digital certificate) is of fundamental use to raise the level of reliability in the transactions performed by the system, while in other cases with low risk (i.e., low probability and low impact of risk), its use can be waived. Therefore, identifying gaps and adapting to the reality of the system to be developed is a responsibility of the chief risk officer (CRO) and must always be a part of institutional risk management.
  3. Privacy—The privacy controls present in this attribute are related to the scope of legal compliance with the protection in the treatment of data, including those of a personal nature. The controls allow the chief information security officer (CISO) to analyze the system that handles these data and verify that the requirements for suitability for protection and compliance are being met.

These controls motivate the controller to revisit the business requests and find out if the data collected are excessive or noncompliant, obeying the principle of necessity.1

Security and Privacy Measures

There is a need for security and privacy measures and to establish the control objective for those measures. The measures to be used may refer to standards ISO/IEC 27002:2013 (information security scope), ISO/IEC 27701:2019 (extension of 27001 and 27002 information security and privacy scope) and ISO/IEC 29100:2011 (privacy scope).

Performing the Risk Assessment

The risk assessment, both in the context of ISO 31000 and the DPIA (ISO 29134:2017), can be based on the risk assessment model of ISO 31000. Following the application of the proposed controls (or lack thereof), the person responsible for the system observes the result of exposure to the security and privacy risk to which the system is subject. Identification and validation of compliance with a control is the controller's sole responsibility.

Note that the evaluation proposed is not a final or holistic solution and its continuous adaptation to the reality of the system that handles personal data is an essential part of the evaluation process. Laws, processes and cultures are constantly maturing and so is the information security and privacy assessment process for personal data.


Stages of Risk Assessment

First, scalar parameters are established (i.e., parameters that assign a gradual value to each of the risk classifications [Low, Moderate, High]). Additionally, a matrix is created that relates the probability with the impact, according to scalar parameters. By multiplying these 2 values, the risk level (i.e., magnitude of a risk or combination of risk factors) is obtained.

Methodology

The method proposed is based on the following 4 fundamental concepts for understanding the structure of the evaluation model:

  1. The system to be evaluated starts with a risk level of High (high probability and high impact), since the system controls have not yet been analyzed.
  2. Controls have been divided and grouped into common characteristics. This grouping is referred to as the security and privacy measures.
  3. Each control can behave differently in relation to a given risk. It can contribute to the prevention of the risk, to its mitigation or both simultaneously. Preventative controls help reduce the probability of the occurrence of the risk and mitigation controls help reduce the impact of the risk.
  4. The method establishes weights for controls that represent a degree of importance in relation to risk.

In conclusion, controls act to mitigate and/or prevent certain risk factors and, according to their importance (i.e., weights), they may reduce the probability (preventive controls) and impact (mitigation controls). For controls that do not apply to the assessed system, there is no effect on the likelihood or impact of risk.

To calculate the total number of controls that will act on the probability and impact, the prevention controls (probability) and the mitigation controls (impact) are added.

In addition to the sum of the types of controls, there is an accounting of all controls applied, those not applied and those that do not apply for each of the risk factors. This accounting occurs through the sum of the weights linked to the controls for that specific risk.

Thus, to obtain the probability of a given risk, the sum of the weights of all prevention controls associated with it that were identified as “applied” is calculated first. Because certain controls may not be applicable to the system, those must be excluded from the denominator.

Subsequently, the sum of the weights of the prevention controls that “do not apply” to the risk is subtracted from the sum of the weights of all prevention controls associated with that risk, giving the total applicable weight. Finally, the sum of the weights of the prevention controls identified as “applied” is divided by that applicable weight. If all applicable controls are applied, the probability value is 1, and if no controls are applied, the value is 0. Therefore, the closer the value is to 1, the greater the weighted share of controls applied (implemented), which reduces the likelihood of that risk occurring. The impact calculation follows the same reasoning and differs only in the type of control evaluated (mitigation controls).

Before carrying out the risk level calculation, it is necessary to categorize the result obtained with the probability and the impact, the value between 0 and 1, into one of the classifications (High, Moderate and Low).

As controls are implemented, the probability or impact rating is reduced. The impact has only 2 classifications rather than 3, since it takes into account the possibility of the existence of peculiarities of the environment, types of personal data processed and specific legislation applied to data processing. Thus, a single reduction step can be chosen (from High to Moderate). It should be noted again that the evaluator can adapt the method to the reality of the organization and can insert more categories or change the method according to their criteria and needs.
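The following Python script is an added worked example of the calculation described in the Stages of Risk Assessment and Methodology sections; it is not a tool from the authors or from ISACA. It implements the weighted ratio applied / (total − does not apply) for prevention and for mitigation controls, classifies the two ratios, multiplies the scalar values and bands the product. The article leaves the classification thresholds, the scalar values and the risk-level bands to the evaluator, so the values used here (thirds for probability, 0.5 for the single impact step, Low=1/Moderate=2/High=3, bands at 3 and 6) are assumptions, as is treating a control kind with no applicable control as 0 coverage. The control set is constructed for a hypothetical system and the first/second assessment pair mirrors the two DPIA steps described later in the article.

```python
"""Worked risk-level calculation for the weighted prevention/mitigation
control method (added example; thresholds, scalars and bands are assumed)."""
from dataclasses import dataclass, replace
from enum import Enum


class Status(Enum):
    APPLIED = "applied"
    NOT_APPLIED = "not applied"
    NOT_APPLICABLE = "does not apply"


@dataclass(frozen=True)
class Control:
    name: str
    weight: int        # degree of importance in relation to the risk
    prevents: bool     # preventive control: acts on probability
    mitigates: bool    # mitigation control: acts on impact
    status: Status


# Scalar parameters for each classification (assumed values).
SCALAR = {"Low": 1, "Moderate": 2, "High": 3}


def coverage(controls, kind):
    """applied weight / (total weight - 'does not apply' weight) for one kind.

    kind is "prevents" (probability) or "mitigates" (impact).
    1 means every applicable control is implemented, 0 means none is.
    """
    relevant = [c for c in controls if getattr(c, kind)]
    total = sum(c.weight for c in relevant)
    not_applicable = sum(c.weight for c in relevant if c.status is Status.NOT_APPLICABLE)
    applied = sum(c.weight for c in relevant if c.status is Status.APPLIED)
    applicable = total - not_applicable
    if applicable == 0:
        return 0.0  # assumption: nothing applicable -> no reduction from the starting level
    return applied / applicable


def classify_probability(ratio):
    """Three classes (assumed thresholds): higher coverage means lower probability."""
    if ratio < 1 / 3:
        return "High"
    if ratio < 2 / 3:
        return "Moderate"
    return "Low"


def classify_impact(ratio):
    """Two classes only: a single reduction step from High to Moderate (assumed threshold)."""
    return "Moderate" if ratio >= 0.5 else "High"


def classify_risk(level):
    """Band the product of the two scalars (assumed bands)."""
    if level >= 6:
        return "High"
    if level >= 3:
        return "Moderate"
    return "Low"


def assess(controls):
    """Probability and impact ratios, their classes, and the risk level (product)."""
    p, i = coverage(controls, "prevents"), coverage(controls, "mitigates")
    p_class, i_class = classify_probability(p), classify_impact(i)
    level = SCALAR[p_class] * SCALAR[i_class]
    return {"probability": p, "probability_class": p_class,
            "impact": i, "impact_class": i_class,
            "risk_level": level, "risk_class": classify_risk(level)}


# Constructed control set for a hypothetical system handling personal data.
CONTROLS = [
    Control("MFA for administrative access", 3, True, False, Status.APPLIED),
    Control("Secure code review before release", 2, True, False, Status.APPLIED),
    Control("Server-side input validation", 2, True, False, Status.NOT_APPLIED),
    Control("Hardware token authentication", 1, True, False, Status.NOT_APPLICABLE),
    Control("Network segmentation of the database", 2, True, True, Status.APPLIED),
    Control("Tested backup and restore", 3, False, True, Status.APPLIED),
    Control("Encryption of personal data at rest", 2, False, True, Status.NOT_APPLIED),
    Control("Incident response plan", 2, False, True, Status.NOT_APPLIED),
]


def first_assessment(controls=CONTROLS):
    """Diagnosis before controls are analysed: the system starts at High/High."""
    return assess([replace(c, status=Status.NOT_APPLIED) for c in controls])


def second_assessment(controls=CONTROLS):
    """Assessment after the treatment recorded in each control's status."""
    return assess(controls)


if __name__ == "__main__":
    print("first assessment:", first_assessment())
    print("second assessment:", second_assessment())
```

With the constructed set, the second assessment yields a prevention coverage of 7/9 (the 1-point hardware token control is removed from the denominator) and a mitigation coverage of 5/9, so probability drops to Low and impact to Moderate, giving a risk level of 2. Changing any threshold or weight in the script is the kind of adaptation to the organization's reality that the article expects the evaluator to make.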

Benefits of Conducting a Risk Assessment

After better understanding what risk assessment is and how to perform it, some benefits can justify the implementation of this practice.

  • Competitive advantage—Risk assessment enables a more strategic and predictable operation, which influences the enterprise’s competitive edge and increases its chances of standing out against the competition when considering different scenarios and establishing specific plans for adverse events.
  • New business opportunities—When an organization maps risk, it also sheds light on the opportunities for action and can transform critical events into beneficial arrangements. Thus, managers are better able to define investments, projects, strategies and other directions more convenient for the scenarios analyzed.
  • Increased project security—Risk management can be developed considering any business or specific projects. This practice gives more security to the decisions made by managers, assisting in the direction of investments, strategies, team formation, competition analysis and trend study.
  • Minimized internal and external risk—Minimizing risk is the central goal of risk assessment, but it is worth further explanation. Even market-leading enterprises have internal and external risk; after all, the landscape is always changing and requires business teams to adapt and innovate. When performing the risk assessment, the organization is aware of potential events that may affect the outcome, either positively or negatively. The direction, methodology and breadth of the risk assessment will depend on an organization’s objectives. It can be used throughout the enterprise or in specific areas, such as sales, finance or marketing.

Risk in the Context of a DPIA

The risk factors listed in a DPIA can be based on and adapted from the standard ISO/IEC 29134:2017 which addresses security techniques for the assessment of privacy impact. The risk factors related to unavailability are loss, theft and destruction. If the risk is realized, the data subject may not be able to access their data, for example, and, consequently, not exercise their rights. In this way, if controls that mitigate this risk are not implemented, there will be a direct impact on availability.

The assessment will serve as an input and complement to 2 steps of the DPIA: identifying and assessing the risk and identifying measures to address the risk. The first step (identifying and assessing risk), or first assessment, reflects an analysis of the current scenario (i.e., a diagnosis) of the system that handles data, including personal data. The second step (identifying measures to address the risk), or second assessment, represents the treatment effectively applied to the risk through the implementation of controls after the first assessment is completed. It helps define complementary measures for the risk treatment.

To align with best practices, instead of logging the security and data privacy measures, during documentation the controls applied could be indicated and the level of detail could be increased.

In addition to providing information for the aforementioned 2 stages of the DPIA, other information in this assessment allows for the identification of needs in contracts with data operators, security measures to be disclosed in the terms of use and privacy policy (aligning with the principle of transparency), improved information security and privacy of internal processes in the organization, and increased compliance with privacy laws and regulations.

Risk assessment is the first step in a risk management process that must be carried out in its entirety and accompanied by the maturation of the defined controls.

Editor’s Note

This article is related to “Assessment of Security and Privacy Risks of Information” by Andre Pitkowski and Daniel Bispo de Jesus. To request access to the full publication, contact the authors at andrepit@gmail.com or dbj1964@gmail.com.

Endnotes

1 Gdpr-info.eu, Art. 5 GDPR–Principles Relating to Processing Personal Data

Andre Pitkowski, CRISC, CGEIT, COBIT Foundation Trainer, CRMA, ISO 27001 LA, ISO 31000 LA, OCTAVE, Scrum PSM

Has been a member of ISACA® since 2003. He served as international vice president from 2015–2017, president of the ISACA Sao Paulo (Brazil) Chapter from 2013–2019, and director of the chapter from 2003–2006. He is also a member of the ISACA Framework Committee and a subject matter expert and CSX liaison for Brazil. He has more than 25 years of experience as a senior consultant in corporate governance of IT, IT risk assessment projects and compliance, and as an instructor and guest lecturer in governance, risk and compliance (GRC) in Brazil and internationally. He works on projects that seek to align IT to the business goals of its clients, with business cases presented internationally. He can be reached at https://www.linkedin.com/in/andrepitkowski.

Daniel Bispo de Jesus, COBIT 5 Foundation, BCMF, CISO, DPO, ISO 27001 IA, ISO 27001 LA, ISO 27701 LI

Has been a member of ISACA® since 2016. He is an IT and information security professional with more than 10 years of experience. Currently he is with Santos Port Authority (SPA) where he is an active participant of the implementation and management of personal information management systems (PIMS). He can be reached at www.linkedin.com/in/daniel-bispo-87122126.