Difference between revisions of "User:Shawndouglas/sandbox/sublevel3"

From LIMSWiki
AHIMA recommends you "create an information asset inventory as a base for risk analysis that defines where all data and information are stored across the entire organization."<ref name="DowningAHIMA17">{{cite web |url=https://journal.ahima.org/wp-content/uploads/2017/12/AHIMA-Guidelines-Cybersecurity-Plan.pdf |format=PDF |title=AHIMA Guidelines: The Cybersecurity Plan |author=Downing, K. |publisher=American Health Information Management Association |date=December 2017 |accessdate=23 July 2020}}</ref> Consider any applications and systems used within the periphery of your operations, including business intelligence software, mobile devices, and legacy systems. Remember that any networked application or system could potentially be compromised and turned into a vector of attack. Additionally, classify and gauge those assets based on type, risk, and criticality. What are their essential functions? How can they be grouped? How do they communicate: internally, externally, or not at all?<ref name="LebanidzeGuide11">{{cite web |url=https://www.cooperative.com/programs-services/bts/documents/guide-cybersecurity-mitigation-plan.pdf |format=PDF |title=Guide to Developing a Cyber Security and Risk Mitigation Plan |author=Lebanidze, E. |publisher=National Rural Electric Cooperative Association, Cooperative Research Network |date=2011 |accessdate=23 July 2020}}</ref> As AHIMA notes, you'll be able to use this asset inventory, in combination with the additional assessments described below, as a base for your risk assessment.
During the asset inventory, you'll also want to classify the type of data contained or transported by each cyber asset, which aids in decision-making regarding the controls you'll need to adequately protect the assets.<ref name="LebanidzeGuide11">{{cite web |url=https://www.cooperative.com/programs-services/bts/documents/guide-cybersecurity-mitigation-plan.pdf |format=PDF |title=Guide to Developing a Cyber Security and Risk Mitigation Plan |author=Lebanidze, E. |publisher=National Rural Electric Cooperative Association, Cooperative Research Network |date=2011 |accessdate=23 July 2020}}</ref> Use a consistent set of nomenclature to define the data. For example, universities such as the University of Illinois and Carnegie Mellon University provide guidance on how to classify institutional data based on characteristics such as criticality, sensitivity, and risk. The University of Illinois has a defined set of standardized terms such as "high-risk," "sensitive," "internal" and "public,"<ref name="UoIData19">{{cite web |url=https://cybersecurity.uillinois.edu/data_classification |title=Data Classification Overview |work=Cybersecurity |publisher=University of Illinois System |date=2019 |accessdate=23 July 2020}}</ref> whereas Carnegie Mellon uses "restricted," "private," and "public."<ref name="CMUGuidelines18">{{cite web |url=https://www.cmu.edu/iso/governance/guidelines/data-classification.html |title=Guidelines for Data Classification |work=Information Security Office Guidelines |publisher=Carnegie Mellon University |date=23 May 2018 |accessdate=23 July 2020}}</ref> You don't necessarily need to use anyone's classification system verbatim; however, do use a consistent set of terminology to define and classify data.<ref name="LebanidzeGuide11" /> Consider also adding details about whether the data is in motion, in use, or at rest.<ref name="BowieSEC19">{{cite web |url=https://adeliarisk.com/sec-cybersecurity-guidance-data-loss-prevention/ |archiveurl=https://web.archive.org/web/20191130181159/https://adeliarisk.com/sec-cybersecurity-guidance-data-loss-prevention/ |title=SEC Cybersecurity Guidance: Data Loss Prevention |author=Bowie, K. |publisher=Adelia Associates, LLC |date=09 April 2019 |archivedate=30 November 2019 |accessdate=23 July 2020}}</ref>
 
If you have difficulties classifying the data, pose a series of data protection questions concerning the data's characteristics. One such baseline for questions could be the European Union's definition of what constitutes personal data. For example<ref name="LebanidzeGuide11" /><ref name="KochWhatIs19">{{cite web |url=https://gdpr.eu/eu-gdpr-personal-data/ |title=What is considered personal data under the EU GDPR? |author=Koch, R. |publisher=Proton Technologies AG |date=01 February 2019 |accessdate=23 July 2020}}</ref>:
 
* Does the data identify an individual directly?
* Does the data relate specifically to an identifiable person?
* Could the data—when processed, lost, or misused—have an impact on an individual?


==References==
{{Reflist|colwidth=30em}}

Revision as of 23:40, 11 February 2022

During the asset inventory, you'll also want to classify the type of data contained or transported by each cyber asset, which aids in decision-making regarding the controls you'll need to adequately protect the assets.[1] Use a consistent set of nomenclature to define the data. For example, universities such as the University of Illinois and Carnegie Mellon University provide guidance on how to classify institutional data based on characteristics such as criticality, sensitivity, and risk. The University of Illinois has a defined set of standardized terms such as "high-risk," "sensitive," "internal" and "public,"[2] whereas Carnegie Mellon uses "restricted," "private," and "public."[3] You don't necessarily need to use anyone's classification system verbatim; however, do use a consistent set of terminology to define and classify data.[1] Consider also adding details about whether the data is in motion, in use, or at rest.[4]

If you have difficulties classifying the data, pose a series of data protection questions concerning the data's characteristics. One such baseline for questions could be the European Union's definition of what constitutes personal data. For example[1][5]:

  • Does the data identify an individual directly?
  • Does the data relate specifically to an identifiable person?
  • Could the data—when processed, lost, or misused—have an impact on an individual?
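The inventory and classification steps described above (asset type, essential function, how the asset communicates, criticality, a fixed vocabulary of data labels, data state, and the three personal-data questions) as one worked example. This is added code, not part of the LIMSWiki page or of the AHIMA, NRECA, or university guidance it cites; the three label names follow the Carnegie Mellon scheme mentioned above, while the question-to-label mapping, the 1 to 5 criticality scale, the risk weights, and the sample laboratory assets are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Classification(Enum):
    """Controlled vocabulary for data labels (three-tier scheme, as in the
    Carnegie Mellon guidance cited above)."""
    RESTRICTED = "restricted"
    PRIVATE = "private"
    PUBLIC = "public"


class DataState(Enum):
    """Whether the asset holds data in motion, in use, or at rest."""
    IN_MOTION = "in motion"
    IN_USE = "in use"
    AT_REST = "at rest"


class Connectivity(Enum):
    """How the asset communicates: internally, externally, or not at all."""
    INTERNAL = "internal"
    EXTERNAL = "external"
    ISOLATED = "isolated"


@dataclass
class Asset:
    """One inventory record. The 1 (low) to 5 (high) criticality scale is an assumption."""
    name: str
    asset_type: str
    function: str
    connectivity: Connectivity
    criticality: int
    classification: Classification
    data_states: frozenset = field(default_factory=frozenset)


def classify_personal_data(identifies_directly: bool,
                           relates_to_identifiable: bool,
                           impact_if_misused: bool) -> Classification:
    """Map the three personal-data questions to a label. The mapping
    (direct identification -> restricted; identifiable or impactful ->
    private; else public) is an assumed policy, not one the cited guidance prescribes."""
    if identifies_directly:
        return Classification.RESTRICTED
    if relates_to_identifiable or impact_if_misused:
        return Classification.PRIVATE
    return Classification.PUBLIC


def parse_classification(label: str) -> Classification:
    """Enforce consistent terminology: a label outside the vocabulary
    (e.g. 'confidential' when the scheme has no such tier) is rejected
    rather than silently becoming a fourth category."""
    try:
        return Classification(label.strip().lower())
    except ValueError:
        allowed = ", ".join(c.value for c in Classification)
        raise ValueError(f"unknown classification label {label!r}; use one of: {allowed}")


# Assumed weights: sensitivity x criticality x exposure.
_CLASS_WEIGHT = {Classification.PUBLIC: 1, Classification.PRIVATE: 2, Classification.RESTRICTED: 3}
_CONN_WEIGHT = {Connectivity.ISOLATED: 1, Connectivity.INTERNAL: 2, Connectivity.EXTERNAL: 3}


def risk_score(asset: Asset) -> int:
    """Ordering heuristic used to rank assets for the risk assessment."""
    return _CLASS_WEIGHT[asset.classification] * asset.criticality * _CONN_WEIGHT[asset.connectivity]


def prioritized(assets) -> list:
    """Asset names from highest to lowest risk score (ties keep inventory order)."""
    return [a.name for a in sorted(assets, key=risk_score, reverse=True)]


def group_by_connectivity(assets) -> dict:
    """Group asset names by how they communicate."""
    groups = {}
    for a in assets:
        groups.setdefault(a.connectivity, []).append(a.name)
    return groups


def needs_transport_controls(asset: Asset) -> bool:
    """Non-public data that is in motion needs controls on the wire."""
    return (DataState.IN_MOTION in asset.data_states
            and asset.classification is not Classification.PUBLIC)


# Constructed sample inventory for a laboratory environment (not real assets).
SAMPLE_ASSETS = [
    Asset("LIMS server", "LIMS", "sample and result management", Connectivity.INTERNAL, 5,
          classify_personal_data(True, True, True), frozenset({DataState.AT_REST, DataState.IN_USE})),
    Asset("Web results portal", "web application", "client result delivery", Connectivity.EXTERNAL, 4,
          parse_classification("Private"), frozenset({DataState.IN_MOTION, DataState.IN_USE})),
    Asset("Legacy instrument PC", "legacy system", "instrument control", Connectivity.ISOLATED, 3,
          classify_personal_data(False, False, True), frozenset({DataState.AT_REST})),
    Asset("Public website", "web server", "marketing", Connectivity.EXTERNAL, 2,
          classify_personal_data(False, False, False), frozenset({DataState.IN_MOTION})),
    Asset("Field tablet", "mobile device", "specimen collection", Connectivity.EXTERNAL, 3,
          parse_classification("restricted"), frozenset({DataState.IN_MOTION, DataState.AT_REST})),
]

if __name__ == "__main__":
    for name in prioritized(SAMPLE_ASSETS):
        print(name)
```

The point of `parse_classification` is the "consistent terminology" advice: whichever scheme you pick, the inventory should refuse labels from outside it, because a stray "confidential" next to "restricted" makes the later control mapping ambiguous. The score and grouping functions are only there to show how the inventory feeds the risk assessment; the weights are placeholders to replace with your own plan's scale.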

References

  1. Lebanidze, E. (2011). "Guide to Developing a Cyber Security and Risk Mitigation Plan" (PDF). National Rural Electric Cooperative Association, Cooperative Research Network. https://www.cooperative.com/programs-services/bts/documents/guide-cybersecurity-mitigation-plan.pdf. Retrieved 23 July 2020.
  2. "Data Classification Overview". Cybersecurity. University of Illinois System. 2019. https://cybersecurity.uillinois.edu/data_classification. Retrieved 23 July 2020.
  3. "Guidelines for Data Classification". Information Security Office Guidelines. Carnegie Mellon University. 23 May 2018. https://www.cmu.edu/iso/governance/guidelines/data-classification.html. Retrieved 23 July 2020.
  4. Bowie, K. (9 April 2019). "SEC Cybersecurity Guidance: Data Loss Prevention". Adelia Associates, LLC. Archived from the original on 30 November 2019. https://web.archive.org/web/20191130181159/https://adeliarisk.com/sec-cybersecurity-guidance-data-loss-prevention/. Retrieved 23 July 2020.
  5. Koch, R. (1 February 2019). "What is considered personal data under the EU GDPR?". Proton Technologies AG. https://gdpr.eu/eu-gdpr-personal-data/. Retrieved 23 July 2020.