University of Wisconsin–Madison

What determines risk?

The Office of Cybersecurity has worked with many of our campus partners to assess the risk of using new and unknown vendors and their tools. One of the most difficult questions we must answer is “When do I have to do a risk assessment?” Most of the time, our response is “It depends.” Unfortunately, that is not a very helpful or quantitative response. To try to clarify our process for assessing risk, we asked ourselves, as a team, “What does the risk depend on?” Below you will find a summary of the key components.

What does the risk depend on?

Scope and data classification are the most important pieces of information when deciding whether or not to assess risk. Data flow then shapes the decision and may move it toward or away from an assessment.

These factors together, and many more, are the basis for determining risk.

Key determining factors

Risk depends on the relationship between scope, data classification, and data flow as it pertains to Risk Management & Compliance (RMC).


Scope

Risk Management & Compliance will consider how much data is involved and how many people the data will be made available to when determining risk. Is this tool going to be used in one class of 30 students or for the entire campus? Knowing the scope of the data also clarifies how attractive that data is to a bad actor: inappropriately collecting the data of 30 students is far less impactful than collecting the data of the entire campus.

Data classification

To determine risk, we need to understand what security steps need to be taken to protect the data. The way we determine this is to refer to UW Policy 504 – Data Classification. If the data you are working with is public data, then you should be able to use almost any tool. If a bad actor were trying to collect information, public data is easily attainable and would not offer the bad actor any additional information that is not available to everyone else! However, if your data has medical information (PHI), student data (FERPA), credit card data (PCI) or any of several other protected data classification types, then we would want to use all the tools available to ensure the security of this data.


Data flow

Much of the data we are dealing with will have a “path” that it follows from the person who has the data to the place where it will eventually end up. All the stops along the way, and the methods used to move the data, give bad actors an opportunity to take that data if it is not protected. We would ask questions like: Where is the data coming from? How is it being moved? Where is it going? Where will it be stored? Who will have access to it? How long will it be kept? Who will delete it when it is no longer being used?