A guide to managing data risks

Some data risk management tasks, tips, and guidance:

• Identify risk, threat, vulnerability – perform a data center risk assessment.
• Assess probability and impact perform a business impact analysis – It may be helpful to use third-party support. Address financial implications, and impact over time to determine priorities and actions to address data risks.
• Define governance, policies, regulations, and compliance needs, including identifying and adopting best practices for data risk management
• Assess current controls in place and continuously do this activity relative to the changing risk landscape. Implement controls in practices, processes, and work instructions across the organization.
• Risk response strategy and plan – Avoidance, mitigation, transference, acceptance. Purchasing Cyber security insurance is a way to transfer data risk resulting from cyber data attacks. Make sure to have a plan for each aspect of risks management.
• Test the plan to make sure it works; if not, adjust the plan and redefine any other aspect of data risk management.
• Monitor risk and provide feedback, use automated tools as much as possible, and get feedback from people around the organization.
• Continual improvement plan and activities, risk management is forever a needed capability of the organization.

Some potential risks to identify and manage:

• Data corruption can happen to data anytime, during reading, writing, transmission, loading, processing, etc. Make sure to identify the data replication, duplication, backup and recovery and manage risk related to each stage in the data management lifecycle.
• Device failure on-premise and cloud where the data resides is essential. Organizations should understand the complete IT device stack and associated data and prepare data risk plans and actions.
• Data compliance be sure to be compliant with both customer and partner-facing as well as industry- and region/nation-specific regulations such as General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), Criminal Justice Information Services (CJIS), Family Educational Rights and Privacy Act (FERPA), International Traffic in Arms Regulations (ITAR) and California Consumer Privacy Act (CCPA). Data privacy and trust have to be managed, and risks accounted for—each one of these regulations emphasizes the necessity for Data risk management.
• Vendor lock-in for data management can be costly. Review contracts and understand cost relative to value.
• Data remanence through data retirement practices, if not done correctly, can result in a risk to the organization. Be sure to verify that this is happening appropriately.
• Identification of security flaws and weaknesses can be done with audits. Data audits are always a good thing to do within organizations for managing risks.
• Long-term storage and management of unused data is costly. Any unused data has no value and, if being managed without a purpose, is a waste of time and effort. This includes governance and compliance issues.
• People policy and behavior – malware, phishing, spyware, etc.
• Cloud SaaS, PaaS, and IaaS risks for each service should be identified and managed. Many organizations do not use all the cloud services but still should be aware of how the other services can affect them related to managing the risk of data.
• Contingency planning for denial of service, data breaches, loss of data, and other issues should be identified and planned.
• Major incident response is critical to have in place when a data management issue occurs. This activity should also be practiced or simulated to ensure it is effective.
• Physical security must always be identified and understood relative to human breaches or environmental breaches, including on-premise and cloud physical security. Organizations should not only understand themselves but how a vendor addresses physical security – particularly in office environments that are oscillating between work-from-home and return-to-office policies.
• 3rd party software and infrastructure risk should be identified. Any 3^rd party vendor is subject to a data breach that can affect its customers. Data breaches that result in software being hacked and then installed in their customers’ environments can have lasting effects on the organization. All organizations should understand how their vendors secure their data, especially the data about their customers.

Some data management areas to be aware of:

• Backups’ importance can not be underestimated for the organization and for us personally. They provide data recovery in case of power failure, hacking, environmental disasters, human error, etc. This is essential for managing data risk.
• Redundancy improves the availability of your organization to do business. Redundancy of data helps manage the risk of data loss from unexpected and expected outages that may occur.

People Risks related to data management should be identified and managed. An essential tactic is to educate people and make them know how to manage data risks within the organization. Make sure people understand and can act when needed for data risks. The practices that they learn at work can also help with personal data leakage and personal data risks.

Today, with organizations adopting Big Data practices and technologies. The risks of big data implementations in an organization need to have a data risk management strategy. An organization should review its Big Data architectures and identify data risks in its on-premise, cloud, and hybrid cloud environments. Cloud Data migration risks and Cloud storage security risks of data should be reviewed carefully. Cloud architecture adjustments may be necessary to address cloud data risks and costs. Big Data risk management should be a component of an overall data risk management strategy.