Simply implementing IRM will be completely ineffective if you have not done your homework. In the previous section we made a quick risk assessment to find out how exposed you are to data breaches.
If you have not yet completed the evaluation in the previous post, we recommend that you review it here and then come back to this post.
In this post we will investigate your organisation's structure further to identify the risks more closely. This includes identifying what confidential data you have and finding out whether any department is at greater risk than another of being exposed to data breaches.
Getting a bird's-eye view of organisation-sensitive data
Like most organisations you probably have several departments such as HR, Sales and Payroll. But even if you are just a few people, it is worth taking a step back and just getting the lay of the land.
What is Joe Bloggs working on and does that data contain sensitive information?
Likewise, if you are a larger organisation you will look at key departments such as HR, Payroll, Sales and what data said departments are working with that contains, or could potentially contain, information that would warrant data protection.
Or are all departments or people liable to handle sensitive information?
This will allow you to quickly identify the key areas of your business where you are most at risk should a data breach occur, but also give an idea of how sensitive that data actually is.
Classify the type of information and the sensitivity of your data per department
Once you have obtained a bird's-eye view of your organisation it is time to get deeper into each department and start to classify the information and its sensitivity. You should come up with a rating system; we recommend sticking to something easy like a 1-5, low/medium/high or 100-500 rating of sensitivity. In our examples we will use low to high.
This will allow you to further identify whether any department is in greater need of data protection than others. First find out what sort of data the department is handling, then classify it between low and high and estimate the quantity. The more information types classified as high, combined with a high quantity of records, the higher that department's sensitivity value.
Example: Department A handles credit card information, which is classed as highly sensitive. In total they have around 100 records with credit card information. The consequences of losing 100 card details are comparatively light and no significant impact should occur if they are leaked. Although the information they handle is classed as highly sensitive, the comparatively light consequences of a data breach reduce the overall sensitivity rating for that department.
You would likely rate your HR department high as they have all your staff's personal details such as bank account details, SSNs, shoe size etc., and the consequences of losing said details can be quite severe even if just one record is leaked.
The sensitivity of the HR department in this case would be classified as high, while your logistics department for instance would be classed as low as their exposure to sensitive data is minimal.
Sales on the other hand might be classed as high as they have a large quantity of customer details and credit card information that can cause massive damage to the business if lost.
If this exercise shows that the sensitivity values for all your departments are low then you have no reason for implementing IRM, but the motivation for implementing IRM should greatly increase if you find many of your departments qualifying as ‘high risk’.
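To make the rubric concrete, here is an added Python example (not code from the original post) that scores the departments discussed above by data type sensitivity, record quantity and breach impact. The numeric weights, the record-count thresholds and the sample record counts are assumptions, since the post only gives the scale in words.

```python
from dataclasses import dataclass

# Ordinal scale the post recommends ("low to high"); the numeric weights are assumed.
LEVEL = {"low": 1, "medium": 2, "high": 3}

@dataclass
class DataType:
    name: str
    sensitivity: str  # how sensitive the information type is: low/medium/high
    records: int      # approximate number of records the department handles
    impact: str       # consequence of a breach of this data: low/medium/high

def quantity_band(records: int) -> int:
    """Map a record count to a 1-3 band (thresholds are assumed)."""
    if records < 1_000:
        return 1
    return 2 if records < 10_000 else 3

def data_type_score(d: DataType) -> int:
    """Multiply the three factors: a single 'high' on any axis yields a medium
    result, and high sensitivity plus high impact is high however few records."""
    return LEVEL[d.sensitivity] * quantity_band(d.records) * LEVEL[d.impact]

def department_rating(data_types) -> tuple:
    """Rate a department: take its worst data type, then add one point for
    every additional high-sensitivity type it handles."""
    if not data_types:
        return "low", 0
    worst = max(data_type_score(d) for d in data_types)
    extra_high = sum(d.sensitivity == "high" for d in data_types) - 1
    score = worst + max(extra_high, 0)
    if score >= 9:
        return "high", score
    return ("medium", score) if score >= 3 else ("low", score)

def rank_departments(departments: dict) -> list:
    """Return (department, rating, score) tuples with the hotspots first."""
    rows = [(name, *department_rating(types)) for name, types in departments.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample mirroring the post's examples (record counts are made up).
SAMPLE = {
    "Department A": [DataType("card numbers", "high", 100, "low")],
    "HR": [DataType("bank details", "high", 250, "high"),
           DataType("SSNs", "high", 250, "high")],
    "Sales": [DataType("customer details", "medium", 50_000, "medium"),
              DataType("card numbers", "high", 50_000, "high")],
    "Logistics": [DataType("shipping schedules", "low", 2_000, "low")],
}
```

Running `rank_departments(SAMPLE)` rates Sales and HR high, Department A medium (its 100 low-impact card records pull it down from high) and Logistics low.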
Classify staff privileges
Though not mandatory, while performing the above assessment a medium/large organisation might want to take this opportunity to draw up some basic levels of access their staff should have.
In the HR scenario does a junior member have the same privileges to do the same actions as a senior member, and a senior the same as an HR manager? Possibly not, but perhaps they all need to be able to open the file and perform different actions with the content.
For example, a junior HR trainee should only be able to view the document but nothing else, the senior is allowed to view and email the document and the HR manager is allowed to edit, print and email the document.
This will allow you to roughly draw up Mandatory Access Levels (MACs) for your organisation. Doing this early will save you a great deal of time when shaping the RMS Policy Templates which apply the IRM rules.
The department's IT skills and adaptability to change
We will discuss this in a later blog post. While looking at each department and classifying their sensitivity, it is good practice to get an understanding of each department's IT skills and their response to change. This will be valuable when deciding where to begin deploying IRM, or whether it is the right solution for you at all.
You should now know the hotspot areas where you are most at risk should a data breach occur and know how this will affect your organisation.
We are almost done; there is just one more thing to do, and that is to take a look at your work environment and see how staff in each department are actually working.