Analyzing Your Risk

Data breaches, where personal information, credit data, or health information is disclosed, are all too common. The results of these breaches  could include fines, legal costs, bad publicity, and most importantly, increased risk and loss to individuals impacted.

The University of Illinois, through its research, education, and business operations, stores much of this High Risk data. This means we are under constant attack and threat. So how does the University manage the threats and secure its data?

Managing risk and conducting risk analysis. The process itself is quite simple. Understanding your risk and minimizing it works for the University and for individuals. It’s easy to do by asking 3 simple questions:

  1. What am I trying to protect?
  2. From whom am I protecting it?
  3. What do I need to do to protect it? 

The first step is to identify and classify your data. High Risk data includes things like credit card and tax data as well as health information. Other sensitive information might be grades or sensitive correspondence. Consider your own data and its value.

Once you’ve identified the data, determine what external threats you face. At the University we see attacks from hackers regularly. In our personal lives we face the same risks from phishing emails and hackers.

After identifying data, and threats, the goal of risk analysis is to put in protections, often called controls, that help to mitigate the risk. Two-factor authentication (2FA)  is an effective way to protect against phishing & account compromise. 
2FA has the potential to save thousands of dollars caused by identity theft. After evaluating the risk and the suggested mitigation strategy, one must ask him or herself,Is it worth the trouble to protect the data?

To answer this question the university uses “Risk Frameworks” and “IT Standards.” There are many frameworks and standards available but as we receive a large number of US Federal grants we focus on the National Institute of Science and Technology (NIST). (https://csrc.nist.gov/) They offer a framework as well as specific standards which are often referenced in National Science Foundation grants such as NIST 800-171. 

The gathered information feeds into the security program where you can learn specifically how the University is tackling risk. The Office of Privacy and Security along with campus stakeholders reviews these standards, and provides them to the campus community to build protections from external threats and data risk. The goal of which is to reduce risk and save the campus money by avoiding a costly breach.

Whether you are working on High Risk University data or just looking to protect your own information, risk analysis will help you ensure you are spending time and money wisely.