Privacy risk analysis for ENAV
Legislative Decree 196/2003 defined the principles and rules to ensure respect for privacy, that is, to treat and store personal data and in particular the "sensitive" data contained in the archives with criteria of confidentiality, integrity and availability. in information systems. An analysis of the risks plays an important role in the process that ensures that companies achieve and maintain compliance, so much so that it was explicitly provided for in the Legislative Decree. The risk analysis aims to identify the main events potentially harmful to data security, assess the system's inherent vulnerabilities and prevent possible consequences or limit their severity in relation to the physical and environmental context of reference. The risk analysis is developed with four procedural steps:
- assessment or identification of the risks that may arise;
- collection of results and their valorisation, impact assessment, ranking of intervention priorities;
- analysis and evaluation of results: gap analysis and global level of risk;
- general indications, intervention recommendations, timing for planning countermeasures;
The analysis can be conducted in order to obtain qualitative results (generally expressed with a risk matrix) or quantitative results, according to an attribution of scores for the various identified risks. Downstream of the risk analysis, the company will have to proceed with risk management:
- planning and implementation of "countermeasures" to mitigate the consequences;
- control over the possible occurrence of new risks and verification of the implementation of countermeasures.
CODIN believes that the qualitative and quantitative method can coexist, in such a way as to have the benefits of immediate comprehensibility of the results of the qualitative method with the numerical valuations and the possibility of repetitiveness of the measurements and comparison of the quantitative one. The risk analysis methodology adopted (ARES) is based on the detection of key parameters or indicators which, once valorised, allow the assignment of "scores". These are also called "enterprise scores" and contribute to defining, for each category of risk, the components of "hazard" (or exposure to danger) and "severity" (ie how important or confidential the data processed) that give rise taken together, at the "global level of risk".
Note: ARES acronym = Assessment of Risks by Enterprise Scores
Development of the assessment
A qualitative Questionnaire is prepared, composed of questions divided into various sections, some dedicated to the Function responsible for Privacy, others to the Departments and to the Information Systems Function, through which we want to have evidence of the Company's general compliance with the Legislative Decree and in particular Annex B - Technical regulations on minimum security measures. In addition to the qualitative questionnaire, the Information Systems Function responds to the As-Is Questionnaire on the current security situation of the IT system and network structure. The ARES sheet is a third important detection tool. It concerns the treatments carried out at the Departments and therefore involves the processors of the various organizational units. Its compilation has the purpose of quantitatively detecting the methods of processing personal data, the type of data itself, the complexity of the managed archives and the level of security deployment, with reference to the procedures in operation in the various areas of competence.
The adoption of the numerical measurement parameters (the company "scores") allows to obtain a "fine" evaluation of the results relating to the criteria chosen for the analysis (in our case hazard and severity), and also allows to report these results also to the qualitative metric for a further very immediate presentation method. The use of the same "scores" year by year, allows to obtain measurable and repeatable results, so that the reported variations can be highlighted and the gap between the results obtained and expected results predefined as "target" can be assessed.
A list of treatments is obtained, for each of which the characteristic input data are collected, from which the key indicators of the treatment / data (the "scores") are derived, which are then processed by the analysis team. It is therefore possible to calculate the hazard and severity of the risk categories that have been predefined to systematically classify the events that can cause damage to systems and data. As part of the assessment phase, the workshops that lead to the definition of the event-risk matrix have a particular role, with the following steps:
- risk categorization, matrix examination,
- review of predefined events, any new events,
- preliminary assessment of the danger and severity of the individual events,
- first results, sharing a starting point for subsequent analysis.
The collection of information is supplemented by checks and interviews with key people in the organization.
Collection and exploitation of the results
From the processing done, a numerical quantification of the hazard and severity for each category of risk is obtained. It can generally be said that the danger increases with the critical mass of the data processed and decreases with the increase in the corporate score and the level of the deployment of the securities. The combination of the two hazard and severity criteria derives the impact for each category of risk. By ranking these categories, i.e. by ordering the risks by importance, the points of vulnerability of the system are highlighted, which is the prerequisite for planning actions to strengthen the protections, or for implementing risk mitigation measures.
Analysis phase and evaluation of results
These findings are analyzed by the work team in order to detect the actual situation of the Company's exposure to the risks related to the processing of personal data. In this phase, the analysis team prepares the reference tables and develops the graphs deemed useful to give greater evidence to the contents. It therefore becomes possible to evaluate the positioning (which can be positive or negative) between the situation defined as "responding to the minimum safety measures" (according to Legislative Decree) and the situation detected. In the event of a positive positioning, ie greater safety than that indicated by the minimum measures, the global level of risk is calculated, the value of which has the meaning of "percentage of risk not covered" or "share of residual risk". This value allows to evaluate the gap between the detected situation and the optimal situation, that is the share of residual risk that, in an absolutely conscious and rational way, the Company defines as "acceptable", having identified the potential risks and assessed the costs and the timing of mitigation actions.
The analysis provides general indications, intervention recommendations, timing for the planning of countermeasures. For example, it is recommended to do a short-term planning, selecting the most easily applicable measures, with immediacy, and a medium-long term planning for the most expensive and complex measures. Short-term measures often produce a significant improvement (reduction in the level of risk) both in absolute value and in comparison with the required effort. Vice versa, medium-long term measures concern more complex structural improvements, concerning various aspects of wide-ranging security: organizational, personal, regulatory, procedural, technological, logistical.