Data Risk Assessments: Defining the Scope

Routine data security risk assessments are a core element of many confidentiality agreements, compliance requirements, and internal policies. Organisations are now expected to know how to do a risk assessment and to conduct one annually, driven by their regulatory compliance requirements.

Data security assessments are crucial because they tell an organisation whether effective controls are in place to protect data while it is in use, in transit, or at rest. With this in mind, organisations are using advanced risk assessment tools like DPOinBox to jumpstart their efforts.

Data Security Risk Assessment Scope

Generally, risk assessment scope is driven by regulatory requirements. Different compliance regimes and regulations impose different mandates on how data is created, used, stored, and accessed, as well as on its retention and destruction.

Different types of data will also have different data custodians, applications, users, and owners. To ensure a thorough risk assessment, it is crucial that the following key questions are not only answered but also built into the assessment scope:

What are the data types?

If the assessment is dedicated to identifying PII, what constitutes personally identifiable data for the organisation? Is it customer information, phone numbers, addresses, or employee SSNs? If, on the other hand, the assessment is focused on PCI data, will it look for CVVs, credit card numbers, and similar elements?

Who is the business and data owner?

As the assessment proceeds, it is vital to know who owns the data as well as who owns the business processes around it. It is also important to determine which departments will be included in the evaluation, such as governance, IT, legal, or HR, and what roles they will play in the assessment.

Where is the data?

What will data discovery involve? Will it mean scanning shared repositories or databases, SharePoint sites and FTP servers, user endpoints, or cloud repositories? Understanding high-level data flows and business processes helps identify where data is potentially stored and how it can be exposed.

How is data handled?

Before initiating an assessment, organisations need to know their existing protection controls and their approved data handling procedures. Since data assessments are likely to produce a large number of events, a clear understanding of whether a so-called violation is an actual security gap or just part of a standard business process is key.

In essence, success takes more than following the correct methodology. It also requires a phased approach that maps to organisational priorities. For instance, if finding PCI data is the priority and PII data is only secondary, it is best to focus on the former first, as conducting two assessments simultaneously can be very difficult, if not impossible.

Not only that, it would also be difficult to deal with two separate remediation efforts and two large data sets all at once. Basically, "boiling the ocean" is not the ideal approach to data assessments in particular, or to security in general.
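To show how the scope decisions above (data types in this phase, data owners per repository, and a baseline of sanctioned handling) feed a discovery run, here is an added example that is not part of the original post or of DPOinBox; the file paths, owners, and card and SSN values are constructed, and the regex and Luhn filter are simplified detection logic for illustration only.

```python
import re
from typing import Dict, List

# Constructed sample repository contents (hypothetical paths, made-up values).
SAMPLE_FILES: Dict[str, str] = {
    "shares/finance/refunds.csv": "order 1001, card 4111 1111 1111 1111, paid",
    "shares/hr/onboarding.txt": "employee Jane Doe, SSN 123-45-6789, ext 4510",
    "endpoints/laptop-07/notes.txt": "customer card 4012888888881881 for callback",
    "shares/marketing/newsletter.txt": "promo code 1234567890123 expires soon",
}

# Scope agreed before the assessment: data types in this phase (PCI first, PII
# later), owners per repository prefix, and where each type is handled by design.
SCOPE = {
    "data_types": ["PCI"],
    "owners": {"shares/finance": "Finance", "shares/hr": "HR"},
    "sanctioned": {"shares/finance": ["PCI"], "shares/hr": ["PII"]},
}

PATTERNS = {
    "PCI": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),  # 13-16 digits, separators allowed
    "PII": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),      # SSN-shaped token
}

def luhn_ok(candidate: str) -> bool:
    """Drop digit runs that are not valid card numbers to reduce false positives."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def owner_for(path: str, owners: Dict[str, str]) -> str:
    """Map a finding to its data owner by the longest matching repository prefix."""
    matches = [p for p in owners if path.startswith(p)]
    return owners[max(matches, key=len)] if matches else "unassigned"

def assess(files: Dict[str, str], scope: dict) -> List[dict]:
    """Run in-scope discovery; tag each hit as a sanctioned baseline or a real gap."""
    findings = []
    for path, text in files.items():
        for dtype in scope["data_types"]:
            for m in PATTERNS[dtype].finditer(text):
                if dtype == "PCI" and not luhn_ok(m.group()):
                    continue
                sanctioned = any(path.startswith(p) and dtype in types
                                 for p, types in scope["sanctioned"].items())
                findings.append({"path": path, "type": dtype,
                                 "owner": owner_for(path, scope["owners"]),
                                 "status": "baseline" if sanctioned else "gap"})
    return findings
```

Running `assess(SAMPLE_FILES, SCOPE)` reports the Finance card data as an expected baseline and the card number on the unowned endpoint as a gap, while the Luhn check discards the marketing promo code; switching `data_types` to `["PII"]` is the later phase of the same assessment.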

Once a high-level scope has been outlined, organisations carry out the data assessment in 4 phases: an application analysis phase, an assessment performance phase, a data analysis phase, and a risk report phase.

Whether a data security risk assessment is your organisation's first step in building a strong data protection program or part of your annual compliance requirement, it can deliver effective security controls for your data repositories.

That being said, the more effort that goes into understanding existing protection controls, business process baselines, and data ownership, the better. Why? The organisation gets more value at the end, in the form of fewer false positives and more accurate detections.


Leave a Reply

Your email address will not be published. Required fields are marked *