Risk Assessment

00:00

Welcome to Lesson 2.3 Identiod Risk Assessment.

00:06

So in this video we're going to cover identify category number three risk assessment. We're gonna look at risk assessment methodology and then resources to help you conduct risk assessments.

00:20

So under the identify function we have the risk assessment category. So you'll see the I. D dot R A. And then for the subcategories we have P. One through P. Five.

00:31

So this particular category is focusing on how an organization understands the privacy risks to individuals and how such privacy risk may create following impacts on organizational operations including mission functions and other risk management, priorities from compliance to financial reputation, workforce and culture.

00:51

So the subcategories are going to help you determine how to do the risk assessment.

00:56

So P one shows how you're really looking at contextual fact, contextual factors related to systems products and services. And the data actions are identified for what these systems products or services are doing. For example individuals, demographics or privacy interest or perceptions may be recorded

01:15

um And our process through some of these applications.

01:19

And then you're going to also look at data analytic inputs and outputs. Um And they're gonna also be identified and evaluated for bias. Um So further as you go into the other subcategories you're really gonna start to look at potential for pro problematic data actions.

01:38

And on one of the prime worksheets that does go through um what some of these problematic data actions are.

01:44

And this is really looking at um what are the issues that can occur from data processing from either information being input incorrectly um to someone accessing data that doesn't have access to access that data. Um So those are some of the different problematic data actions that

02:02

um you could possibly encounter based on personal information that you have stored

02:07

and your systems um and applications but like I said there is a worksheet that provides a more comprehensive list of what some of those problematic data actions are and really what you're trying to focus on um is sort of what is the likelihood or impact of those problematic data actions happening and then how what your risk response would be to that.

02:29

So in the next slide we're really going to get into really a proper methodology for how to go about assessing risk.

02:37

So when conducting a risk assessment, we went through it a little bit on the previous screen. But from a risk model you're really looking at um

02:45

one really the problematic data actions, the likelihood of those occurring and then what is the impact to the individual as well as the impact of the organization?

02:54

Um from an assessment approach, this is where you do have to determine and there's no right or wrong way to do this. But what you're really looking at is um the mechanism, the mechanism by which um identified risks or prioritized, you're really going to take an approach either from a quantitative, a semi quantitative or qualitative approach

03:14

and what we mean by a qualitative approaches.

03:16

Um This really tends to be a bit more subjective because you really are looking at the likelihood of a specific risk um occurring um and basically the impact that it's gonna have. So in this instance from a qualitative risk analysis standpoint, you're really trying to determine the severity um really of that uh

03:36

problematic data action or the risk in a sense.

03:38

Um Whereas with a quantitative risk analysis um you really are using more verifiable data um to analyse the risk. Um And this really is taking really a more scientific or data intensive approach um where you really are looking to assign a numerical value to the risk.

03:59

So whichever um

04:01

assessment approach you decide to use, um there's no right or wrong answer to do that. It's worth

04:06

what really is going to work better for your enterprise. And it could be a combination of quantitative and qualitative analysis.

04:14

So once you've been able to do your assessment based on the risk that you've identified, it's really getting into prioritizing those risks and sometimes that's going to depend on a multitude of factors, how you determine uh what risks are the higher priority? It's going to be based on the resources you have at hand um from a personnel standpoint as well as the tools that you have to do privacy risk assessment.

04:39

Um as well as uh really how do you communicate to others in your organization? Um Some may wait a particular risk higher than others, depending on the business function. So those are things that you want to keep in mind as well. Um and then as well, if you're using a security framework sometimes, um how you're assessing your priority risk may be in line with that. Um trying to mirror your privacy uh framework with your security framework because there may be some areas where you already are doing or have particular controls in place that can work here. Um So I said they're different factors that you're going to use to prioritize risk.

05:21

Um the risk that you've identified and assessed at this point, and it's going to depend on many of those factors, and once again, there's no right or wrong way to prioritize those risks is really what your organization feels is going to be vital um to make sure that they are compliant, um at least at a high level standpoint before they start getting down to

05:42

uh really the minutia of building their privacy program.

05:46

And then finally, once you've prioritized the risk, it's really determining how you're you intend to respond. So for particular risk, you may look to be how you can mitigate the damage um as opposed to maybe your transfer, you transfer or share the risk with a partner depending on uh

06:04

the data action that's being done.

06:08

And then there are

06:09

different um controls you may put in place to prevent or avoid the risk altogether. And then finally, there may be some risk that you're just willing to accept. So that's all going to be up to how you choose to do it for your enterprise, as I keep wanting to reiterate, this is a framework and not a standard.

06:29

So there really is no right or wrong way. It just depends on

06:31

what's best for your enterprise, how you're prioritizing and how you're deciding to respond, but just ensuring that you are documenting your risk assessment approach in the event, there is a breach, you can point to how you did your risk assessment um and that's really gonna help mitigate damages. So it's important to make sure that you're documenting whatever approach you decide to take out,

06:54

however you decide to respond to the risk that you're showing um how you got there.

07:00

So some of the resources that are available to you and like I said all of these documents where links are provided in the resources section for this course, um but this does provide a few tools to help you go through the risk assessment

07:15

of how the privacy risk uh will impact the individual um as well as what the impact will be to the organization.

07:24

Um And I mentioned before that they do provide a catalogue of those pro problematic data actions and problems. Um and like I said, that could be from someone accessing data, they have no business accessing someone inputting data incorrectly. Um And this really provides a comprehensive lists of the rest of those problematic data actions

07:43

as well as there's a worksheet for helping you understand how to prioritize your risk

07:47

and developing a risk assessment system. Um that's gonna work best for your enterprise as well as helping you select controls on how to um basically mitigate those risks. So all of these tools um can be very helpful if you don't already have something in place within your organization

08:07

to address risk. Um You could also very well if you already have um a risk assessment process in place, use that to help you determine your privacy risks.

08:16

These are just resources in the event. Um You don't have anything in place, or maybe you want to take a different approach to how to assess your privacy risks.