Okay, so our first topic is determining data sensitivity. We always say that risk management is the foundation of our decisions and our processes. The first step of risk management: what am I protecting, and what is it worth? So when we talk in terms of value,
it's not necessarily that we say this data is worth $100,000. We might look at sensitivity in terms of the harm of compromise. If you think about a military environment or state secrets,
that's not so much tied to a dollar amount. But, you know, top secret information could cause grave national damage, so that's pretty sensitive data. So we start by looking at the sensitivity of the information that is going to be available,
and there are six questions that will help us figure out the level of sensitivity.
We start by focusing on impact, right? Probability we'll address later in risk management. But right now I want to know: what's the impact or severity if the information was widely distributed? For instance, credit cards, Social Security numbers,
public health care and private health care information, private financial information,
you know, any of those privately identifiable or personally identifiable information types that have a real impact if they're widely distributed. Obviously, that's going to be a key indicator of how valuable the data is, all right? So from this instance, in relation to sensitivity:
If someone at the cloud service provider
accessed the application, what damage could be done? So, you know, when we're hosting applications in the cloud, we have, you know... I'm thinking of a recent breach that was on the news. It got a lot of attention, and one of the things that we started talking about is that the definition of insider threat is changing,
right? It's not just me and my organization. Now, when I'm hosting resources in the cloud,
the cloud service provider and their employees are now part of the insider threat. So what sort of insider threat could be posed? Specifically, what kind of impact would happen?
All right, so that's insider threat. But then also outsider threat: what if an outsider is able to manipulate this process? So we have this web application that collects information. Is there the possibility of code injection? Is there the possibility of disclosure of information?
That third piece is outsider threat.
All right, the fourth little bullet point here: what if the process did not provide the expected result?
It could be as basic as an issue with the difference between internal and external consistency. So, for instance, what happens if a user goes and looks at my online inventory and they see I have three of the parts they need,
and then they show up at my store, and those three parts don't exist or aren't on the shelf, right? So that's an unexpected result; it's not accurate. But it could also be: could the application render an output that might be damaging to the end user's system?
Could it deliver output that would, you know, have an impact on people's judgments or decisions? So what's the impact there? And that goes right along with the fifth bullet point: what if there's a change, a modification that is unauthorized?
What's the impact there?
Right? You're looking at a system where we're pulling up patient records at a hospital, and we pull up John Smith's records and it shows us the wrong blood type. That's a critical, critical error there. So we have to consider that, and then availability:
What happens if this application is not available to be used for an extended period of time? How much damage would there be?
You know, down in Florida, and I may have told this story earlier, but essentially a city, which I think was Lake City in Florida, was the victim of ransomware, and all of their emergency services applications were unavailable,
and they were reduced to taking 911 calls, writing them down, and handing them out via paper distribution.
That's a big, big deal. We're talking human lives at stake, not just every day but every hour, every minute.
So when we're looking at data sensitivity, you know, you could also call this application sensitivity. That title is probably a little bit too narrow for the slide, because some of the issues are with the apps themselves.
But ultimately, what you'll see is we're going right back to the CIA triad: confidentiality, integrity and availability.