In the infosec world, a method of managing risk is often called a control. This is fitting, as the real point of any assessment or audit is to demonstrate control over systems and, even more importantly, over data, since data is among the most valuable assets an organization has.
For an organization to demonstrate control, the first step is to know what data you have and where it is stored. To illustrate: you might leave your spare change on a nightstand, and if you have bills they are likely in a billfold, but if you have thousands of dollars you would keep them in a safe or a bank. The value of the currency determines how you treat it and what controls you put around it, and the same should hold for your data. You may feel that the controls you have in place are sufficient, yet in almost every functional review our consultants find protected or sensitive data that is either anonymously accessible or accessible to users who should not have access; that data is lacking the appropriate control.
Organizations need to maintain control by first defining data classifications, then making sure all protected, sensitive and private data is identified. Verify that there are proper policies and procedures for granting access to the data, as well as logging and alerting on access to it. Be sure that all employees are aware of which data is critical and of the policies and procedures that protect it. If someone didn't know a hundred-dollar bill was more than a piece of paper, they might handle it recklessly without any bad intent. Another important step in controlling the data is to make sure the organization hardens the configuration of the devices that protect the data or grant access to it.
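The classify-then-verify sequence above (classify, identify where the data lives, then confirm that access rights and logging match the classification) can be turned into a repeatable check. The following is an added example, not code from the original post: it runs a constructed, hypothetical policy over a constructed inventory of data stores and reports every store whose access grants or logging fall short of what its classification requires, including the anonymous-access finding described in the previous paragraph. The classification names, policy thresholds, principal names and locations are all assumptions made for the example.

```python
"""Classify-then-verify check over a constructed data inventory.

Hypothetical example: given data stores with a classification, the principals
granted access, and whether access is logged and alerted on, report each store
whose controls do not meet the minimum for its classification.
"""
from dataclasses import dataclass, field

# Principals that mean "anyone": a grant to one of these makes the store
# anonymously or over-broadly accessible regardless of other grants.
BROAD_PRINCIPALS = {"anonymous", "everyone", "authenticated-users"}

# Minimum controls per classification (constructed policy, not a standard):
# may broad principals be granted access, must access be logged and alerted
# on, and how many named principals before the grant list needs review.
POLICY = {
    "public":    {"broad_ok": True,  "logging": False, "max_principals": None},
    "internal":  {"broad_ok": False, "logging": False, "max_principals": None},
    "sensitive": {"broad_ok": False, "logging": True,  "max_principals": 25},
    "protected": {"broad_ok": False, "logging": True,  "max_principals": 10},
}


@dataclass
class DataStore:
    location: str
    classification: str
    principals: set = field(default_factory=set)
    access_logged: bool = False
    alerting: bool = False


def check_store(store, policy=POLICY):
    """Return a list of (location, finding) tuples for one data store."""
    findings = []
    # Data with no recognised classification cannot be shown to be controlled.
    if store.classification not in policy:
        return [(store.location, f"unknown classification '{store.classification}'")]
    rule = policy[store.classification]
    broad = store.principals & BROAD_PRINCIPALS
    if broad and not rule["broad_ok"]:
        findings.append((store.location, f"anonymous/broad access via {sorted(broad)}"))
    if rule["logging"] and not store.access_logged:
        findings.append((store.location, "access not logged"))
    if rule["logging"] and not store.alerting:
        findings.append((store.location, "no alerting on access"))
    named = store.principals - BROAD_PRINCIPALS
    limit = rule["max_principals"]
    if limit is not None and len(named) > limit:
        findings.append((store.location, f"{len(named)} principals exceeds review threshold {limit}"))
    return findings


def find_control_gaps(inventory, policy=POLICY):
    """Run check_store over every store and flatten the findings."""
    findings = []
    for store in inventory:
        findings.extend(check_store(store, policy))
    return findings


# Constructed inventory (paths and bucket names are made up for the example).
SAMPLE_INVENTORY = [
    DataStore(r"\\fileserver\public\brochures", "public", {"everyone"}),
    DataStore(r"\\fileserver\hr\payroll", "protected", {"everyone", "hr-admins"},
              access_logged=True, alerting=False),
    DataStore(r"\\fileserver\finance\q3", "sensitive", {"finance-team"},
              access_logged=False, alerting=False),
    DataStore("s3://example-bucket/customer-exports", "protected", {"data-eng"},
              access_logged=True, alerting=True),
    DataStore(r"\\fileserver\misc\scans", "unclassified", {"everyone"}),
]

if __name__ == "__main__":
    for location, finding in find_control_gaps(SAMPLE_INVENTORY):
        print(f"{location}: {finding}")
```

Running it lists the payroll share as anonymously accessible and lacking alerting, the finance share as unlogged and unalerted, and the unclassified scans share as impossible to assess, while the two correctly controlled stores produce nothing. In practice the inventory would be fed from a discovery tool or share-permission export rather than typed in, but the policy table is the part an organization has to own: it is the written form of "how valuable is this data and what controls does that value demand".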
If the organization has the proper policies and procedures in place, follows them, and educates its employees to handle critical data accordingly, it will demonstrate proper control and reduce risk.