Peer to Peer Magazine

September 2012

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/80353


time it would take to fall back to the previous configuration. Those variables are ranked and scored according to a documented change control process. Only after determining the likelihood and impact of those risks will the technology team be able to determine whether this particular change request is considered a high- or low-risk change.

Process-Based Risk: In this scenario, we are quantifying the likelihood and impact related to processes in the technology department. A typical process in the technology department is the regular review of privileged user rights. A technology department must regularly review who has administrative access rights to servers and data. Applying the risk management strategy to this process would require the technology team to ask itself, "How often is appropriate for this process? What is the likelihood that privileged user account changes happen daily? What is the impact to the environment if we only check it once a year? Are we willing to accept that risk?" These are the types of risk assessments that should be done for every process related to the ISO security standard.

All firms have a stake in risk management regardless of the size or complexity of the technical operation. The best chance at implementing a risk strategy is including the risk review as part of existing processes, such as project management. Including risk review as a step in an already existing process is an effective way to introduce the risk mentality to the team. The more systemic the risk process becomes, the more likely it is that the technical environment will be more stable, better understood and appropriately mitigated against risk.

Classify the Data

To better understand data classification, apply the concepts related to grocery shopping. If groceries are not classified in terms of foods that require refrigeration and those that do not, then all of the food would be stored together. If everything goes into the pantry, there is a 100 percent chance that the chicken will spoil. But if everything goes into the refrigerator, there is a 100 percent chance that nothing will spoil. How many refrigerators will someone need to accommodate this food storage strategy? A simple classification plan could save money, space and energy.

Fortunately, the same can be said about data. Data classification allows technologists to determine the scope of critical systems and manage them accordingly. Some basic data classification schemes include: firm confidential, client confidential, firm private, client private, firm public and client public. There are infinite variations of data classifications, but limiting it to four or five makes the information more relevant and easier to manage. Data classification can positively impact the scope of as many as 20 ISO processes, such as risk management, incident management, change control, disaster recovery, business continuity, service-level agreements, etc. A technology department can implement all of these processes effectively for critical systems based on the data classification, in conjunction with a risk assessment, to create a manageable scope for their ISO evidence generation. If ISO isn't the goal, important operational metrics can also be gleaned from this process.

Peer to Peer 61
