Monday, January 11, 2021

Risk Template: Data Breach (Part 2)

Data breaches continue to be a significant risk factor that must be considered in your organization’s risk analysis. There were nearly 1,500 reported data breaches in 2019, accounting for more than 160 million sensitive records exposed. A data breach risk template with sample verbiage is provided to help you analyze, document, and communicate your organization’s risks.

This is the second in a series of articles covering risk areas (e.g., compliance, breach, availability). If you read the previous article, the Goal and Process sections are identical; the Template section has been updated for the data breach risk.

Although there are many great resources that can help you complete a risk analysis (such as ISO 31000 and NIST), there are few resources with examples of how to put together your risk report. The template below provides a starting point with verbiage for you to edit to your organization's requirements.


The template below shows the order in which to document your findings. The analysis steps, however, follow a different order. Check the template for more detailed directions on each step below.
  1. Determine scope: what data, and which data owners, your organization handles. Note that even if you do not retain the data, you are still subject to the regulations. See the section labelled "Scope: Data Assets".
  2. Review each sub-risk to uncover your vulnerabilities, considering the various threat actors. See the Sub-Risks section, Sub-Risk A through Sub-Risk F.
  3. Determine the risk ranking. See the Risk Ranking section.
  4. Complete the template.
Once you have completed your annual security risk assessment, distribute it to the Board of Directors and executives. Resolve the risks found, focusing on the highest risks first. Keep leadership apprised of progress with regular updates throughout the year.

Finally, remember to complete a risk assessment whenever a significant change is planned for the technical, physical, or administrative environment during the year.


Risk Description

Here is some verbiage that you may edit for your risk report.
  • The organization is exposed to financial, reputational, business, and legal consequences due to a confirmed incident in which protected data has been accessed and/or disclosed in an unauthorized fashion.
  • A significant breach may result in multimillion-dollar fines, greater regulatory oversight, terminated carrier contracts, loss of consumer confidence, brand erosion, reduced revenue, and a shift in focus from business growth to remediation.
  • A breach caused by a lack of basic security controls would only exacerbate these poor outcomes.


The purpose of this section is to provide compelling evidence that an investment in reducing the organization's breach risks is warranted.
  • Highlight the most egregious risks found during your analysis.
  • Provide statistics and illustrations of challenges your organization faced throughout the year. For example: compared to last year, there was an x% increase in accidental forwarding of data to the wrong entity.
  • Add case studies from other organizations in your space that experienced a data breach with significant impact. For example: Company Z was breached and lost x records. The root cause was xxxxx, which is a security capability that is not mature at our organization.

Risk Ranking

Once your analysis is complete (see the Sub-Risks section), describe the range of risks found and then settle on a consolidated risk rating.
  • Likelihood - Low, Medium, High. Select one.
    • Typically compliance risks vary in likelihood: some are more likely, such as inconsistent use of controls, and some are less likely, such as having no policies at all. Provide examples of events of differing likelihood.

  • Impact - Low, Medium, High. Select one.
    • An example of a lower-impact incident is an employee inadvertently emailing protected data to the wrong customer or business. Although this incident is lower impact, it is not inconsequential:

      • Most business partners require reporting of such incidents. This will likely lead to an in-depth review of the organization's cyber and privacy program.
      • Sometimes the customer who received the data inappropriately will report the event to the government or on social media.

Threat Actors

The threat actors to consider are listed below.

T1. Unaware insider, including BPO (business process outsourcing) staff

T2. Malicious insider, including BPO staff

T3. Cybercriminal

T4. Property thief

T5. Industry spy

T6. Nation state


The list below covers the multiple ways a data breach may occur. The examples are only a starting point for identifying potential root causes.

Sub-Risk A. Accidental leakage of electronic data

  • Moving data to a zone less secure than its categorization requires, including inappropriate use of personal accounts, is likely where access controls are poor and no DLP (data loss prevention) is in place.
  • Forwarding data to the wrong recipient is likely where manual procedures are poor.
  • A configuration or other human error results in data being posted without authentication controls. Department shared drives often have poor access controls.

Sub-Risk B. Viewing data when not necessary for job role or current activity

  • Employees look up records of family and friends.
  • Production data is used in non-production environments.

Sub-Risk C. Stolen electronic data

  • Limited deployment of basic security controls.

Sub-Risk D. Stolen / lost portable devices containing electronic data

  • A laptop that was not properly encrypted is stolen from an employee’s vehicle.
  • Disposal of decommissioned hardware does not follow the required standards.

Sub-Risk E. Stolen / lost paper documents

  • Paper documents are not recycled securely.
  • Paper documents are left unsecured on a desk or in a file cabinet.

Sub-Risk F. Accidental leakage of verbal conversations

  • A malicious roommate of a remote employee overhears credit card information and uses it to commit fraud.
  • A malicious employee (without a need to know) overhears a conversation containing protected data.

Scope: Data Assets

The asset list below covers typical assets handled by organizations. Delete those not applicable to your organization. See the Risk Template: Compliance post for more details about the regulations referenced below, specifically the types of data and organizations covered.

Asset 1: High-value client data, e.g., SSN, Medicare, credit card, other financial account data, other government ID

Regulations: Basic state breach regulations, GDPR, NY Cyber, NAIC states, CCPA. If credit card data, then PCI.

Asset 2: Employee / contractor tax data

Regulations: Basic state breach regulations, GDPR, NY Cyber, NAIC states.

Asset 3: Client health data

Regulations: HIPAA/HITECH for health providers and insurers, GDPR, NY Cyber, NAIC states, CCPA.

Asset 4: 3rd-party marketing data

Regulations: GDPR, NY Cyber, NAIC states, CCPA, and the contractual agreements of the business partners who provided the data.

Asset 5: Other personal data

Regulations: GDPR, NY Cyber, CCPA, business partners.

Asset 6: Contract details

Regulations: Business partners.

Asset 7: Material nonpublic information that could be used to inform stock trades

Regulations: U.S. Securities and Exchange Commission rules.
