USER RISK ASSESSMENT
FOCUSED ON COMPLIANCE AND DATA DISCOVERY SERVICE BRIEF

It’s a well-established fact that the most common and harmful data breaches often come from within an organisation, and includes both human error and malicious insider activity (OAIC NDB statistics reports). This effect has been compounded by the rise of users working from outside the corporate network and using various services to facilitate productivity outside of the office.

Knowing what data is critical to an organisation, where it is stored and how it is being used is a basic requirement of any data governance and compliance strategy. After all you can’t manage and protect what you don’t know. 

The Goal Group’s e-Safe’s User Risk Assessment and Data Discovery service is a quick and easy way to discover your sensitive data and highlight potential sources of data breach risk that exist inside an organisation, with specific attention to sensitive information as defined by various privacy regulations and standards like NDB (Australia), GDPR, PCI DSS and ISO27K.

Over a period of 4 weeks, Goal Group consultants will classify what information is deemed to be sensitive, in line with legislations, and discover where it is being stored, how it is being accessed, moved and used, and produce a summary of findings in User Risk Assessment and Data Discovery Reports.

The assessment consists of three main phases:

Phase 1 – Information Classification

The first step is to classify sensitive information that should be monitored during the assessment.  The focus of User Risk Assessment is compliance to privacy legislations, regulations and generic data usage trends. This is done using predefined rules that monitor various types of Personal Identifiable Information (PII) and generic data. More specific data sets like company’s IP can be added to the assessment but might incur additional setup charges.

Phase 2 – Data Movement and User Behaviour Monitoring

Once data is classified, the manner in which users are interacting with sensitive data is monitored, and a sophisticated AI-fuelled engine identifies internal risks that could lead to data leakage or non-compliance. Monitoring usually consists of the following areas that are common sources for accidental or malicious data breaches. 

  • Data Discovery Scan
  • Knowing where your sensitive data is critical to ensuring it security. As users interact with data they make local copies and download information from ERPs for work. This results in information creep. The scan helps to locate sensitive data located locally in devices and on servers.
  • Cloud and web transfers
  • Cloud and web transfers are one of the most common methods for sensitive data to exit an organisation’s secure infrastructure, and compromised cloud accounts (Google Drive, DropBox, OneDrive, iCloud, etc.) are frequently the cause for data breaches.
  • USB and other removable storage mediums
  • A misplaced removable storage device is a very common cause of data leakage, as it’s very difficult to prove what information was on it, and whether it was sensitive or not. It is also a common method of stealing data from a company by rogue employees.
  • Email activity
  • Sending sensitive data to personal email addresses is another common method of moving data without being detected, or avoiding security practices to work from outside the office.
  • Recipients not being bcc’d while mass emailing causes them to be visible to all other recipients, which is a privacy breach that must be picked up and reported.
  • Non-Corporate Printing
  • Loss of hard copy sensitive information is common source of data leaks. This is further intensified as users tend to print information using their personal printers which are usually not monitored and audited. 
  • Non-corporate network usage
  • Using non-corporate infrastructure which bypass internal security measures is a common cause of data loss, and is also a method regularly used by insiders looking to avoid detection while moving sensitive data.
  • Shadow-IT
  • Detecting use of unauthorized software by users. This can be a particular cloud based APP or desktop application. Using non-approved software introduces risk to the organisation that users do not fully understand and can also result in data leaks.

Phase 3 – Comprehensive Analysis and Reporting

Based on findings during the assessment period, e-Safe will produce:

  • A comprehensive User Risk Assessment Report (sample report available) to highlight the summary of risk presence within the organisation.
  • Data discovery scan report showcasing where sensitive PII files are being stored. The scan report will cover both local devise and file servers.   
  • A set of recommendations to improve data security practices and compliance to privacy regulations.
  • Actual data from the assessment, so that organisations can drill further into which users are causing the most risk, or which files are in the most danger of being breached.

Risk Assessment Timeline

  • Week 1
    • Set up cloud server and data classification
    • Develop and configure monitoring rules
    • Rollout of e-Safe software host to endpoints of participating staff
  • Week 2 to 4
    • Environment continually monitored without any interaction needed
    • Reclassification of sensitive information performed as required
  • End of Week 4
    • Remove software from endpoints if required
    • Generate User Risk Assessment and Data Discovery Scan Reports based on findings
    • Develop recommendations to improve security practices and compliance
    • Deliver and present report to client

Please register your interest in this Risk Assessment by contacting us.