Risk modeling and visualization

Use IBM Data Risk Manager to evaluate risks that are associated with sensitive data assets of an organization. You can then visualize the risks in IBM Data Risk Manager Dashboard to take necessary actions to protect your business.

IBM Data Risk Manager evaluates risk based on a combination of intrinsic nature of the data assets, and various infrastructure risk vectors. The intrinsic nature of the data assets refers to any applicable properties such as sensitivity of the data assets, classification level of the data assets, or whether a data asset has special characteristics, such as association with legal or policy-based obligations. Infrastructure vectors refer to vulnerabilities, events, and assessment risks that are associated with an infrastructure, which holds data assets.

Risk levels

IBM Data Risk Manager uses a three-point scale when assessing risks.
High [Red] If a data asset is evaluated as High risk, the likelihood of a breach, or the magnitude of a potential breach, is high. Immediate corrective action is needed.
Medium [Amber] If a data asset is evaluated as Medium risk, the likelihood of a breach, or the magnitude of a potential breach, is medium. Corrective action is needed within a reasonable period.
Low [Green] If a data asset is evaluated as Low risk, the likelihood of a breach, or the magnitude of a potential breach, is low. No corrective action is needed.

Risk factors and scoring

The risk factors, and the telemetry data that is associated with them, are collected in a form that the IBM Data Risk Manager Risk Analytic Engine can consume.

IBM Data Risk Manager considers factors that are described in the following sections to automatically evaluate information asset risk in a selected program.

Risks due to inherent attributes of data asset

In IBM Data Risk Manager, the following attributes determine the inherent value of a data asset. A composite score of these attributes forms the basis for determining information asset risk.
Crown jewel
Represents the most valuable data assets within an organization. Typically, crown jewels make up no more than 2% of an organization's total data volume.
Category
Represents the data asset categories that are defined in IBM Data Risk Manager.
  • Publicly Available
  • Internally Controlled
  • PII Confidential
  • Company Confidential
  • Highly Confidential/Restricted
  • Public
  • Official Use Only
  • Confidential
Compliance
Represents regulatory obligations that are associated with the data asset.
Sensitivity level
Indicates the confidentiality, integrity, and availability requirements for the data asset.

Infrastructure risks

Infrastructure risk indicates the security posture of the underlying infrastructure platforms, that is, the infrastructure elements, such as databases or file servers, in which the data assets are located.

The following risk vectors are considered to calculate infrastructure risks.
Enforcement risks
Enforcement risks of the infrastructure are evaluated based on whether the following controls are in place.
  • Encryption
  • Monitoring
  • Vulnerability scan run
Vulnerability risks
Vulnerability assessment scans are run periodically to identify security issues. You can trigger a vulnerability scan from IBM Data Risk Manager, or import scan results from various sources, to identify vulnerabilities. Vulnerability risks are evaluated based on the combined weighting of the following risk factors.
  • Severity and count of the vulnerabilities that are discovered.
  • Status of the remediation actions.
Monitoring risks
Threats are logged as alert events to the syslog server by the various integration servers that are configured with IBM Data Risk Manager. Monitoring risks are evaluated based on the combined weighting of the following risk factors.
  • Severity and count of the alerts that are logged.
  • Status of the remediation actions.
Qualitative risks
Qualitative risk analysis evaluates and documents the probability and the impact of assessment risks against a pre-defined scale. IBM Data Risk Manager assessment risks are evaluated based on the combined weighting of the following risk factors.
  • Severity and count of the risks.
  • Status of the remediation actions.
  • Status of the risks.

Participation

The participation of an infrastructure node in an information asset determines how much that node contributes to the asset's risk score. Participation is expressed as the percentage of the information asset's data elements that the node holds, so a node that holds only a small share of the asset's data contributes proportionally less of its own infrastructure risk to the asset, even if that node's posture is poor.
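The following is an added illustrative model of how the infrastructure risk vectors described above (enforcement, vulnerability, monitoring and qualitative risks, each combining severity and count with remediation status) can be rolled up per node and then weighted by participation into an asset-level score on the three-point scale. It is example code written for this page, not IBM Data Risk Manager code: the severity weights, remediation discounts, vector weights, the 0 to 100 scale, the High/Medium/Low thresholds and the sample nodes are all assumptions chosen for illustration, and the product's actual weighting is not documented here.

```python
"""Illustrative, participation-weighted infrastructure risk scoring.

Added example for this page; not IBM Data Risk Manager code. Every weight,
threshold and the sample data below is an assumption, not a product value.
"""
from dataclasses import dataclass, field, replace
from typing import List

# Assumed severity weights for vulnerabilities, alerts and assessment risks.
SEVERITY_WEIGHT = {"critical": 10.0, "high": 7.0, "medium": 4.0, "low": 1.0}

# Assumed discount by remediation status: an open finding counts in full,
# one with remediation in progress counts half, a closed one not at all.
REMEDIATION_FACTOR = {"open": 1.0, "in_progress": 0.5, "closed": 0.0}


@dataclass
class Finding:
    severity: str      # key of SEVERITY_WEIGHT
    remediation: str   # key of REMEDIATION_FACTOR


@dataclass
class Node:
    name: str
    participation: float                      # share of the asset's data elements, 0..1
    vulnerabilities: List[Finding] = field(default_factory=list)
    alerts: List[Finding] = field(default_factory=list)
    assessment_risks: List[Finding] = field(default_factory=list)
    encryption: bool = False                  # enforcement controls present?
    monitoring: bool = False
    scanned: bool = False


def vector_score(findings: List[Finding]) -> float:
    """Severity-and-count score for one vector, discounted by remediation status.
    Saturates at 100 so one vector cannot push a node beyond the scale."""
    raw = sum(SEVERITY_WEIGHT[f.severity] * REMEDIATION_FACTOR[f.remediation]
              for f in findings)
    return min(100.0, raw)


def enforcement_score(node: Node) -> float:
    """Each absent control contributes one third of the 0..100 scale (assumed)."""
    missing = sum(1 for present in (node.encryption, node.monitoring, node.scanned)
                  if not present)
    return 100.0 * missing / 3


def node_risk(node: Node) -> float:
    """Combine the four vectors with assumed weights into a 0..100 node risk."""
    return (0.25 * enforcement_score(node)
            + 0.35 * vector_score(node.vulnerabilities)
            + 0.25 * vector_score(node.alerts)
            + 0.15 * vector_score(node.assessment_risks))


def asset_risk(nodes: List[Node]) -> float:
    """Participation-weighted infrastructure risk of the information asset.
    Shares are normalised so partial inventories still yield a 0..100 score."""
    total = sum(n.participation for n in nodes)
    if total <= 0:
        raise ValueError("no node holds any share of the asset")
    return sum(n.participation / total * node_risk(n) for n in nodes)


def risk_level(score: float) -> str:
    """Map a 0..100 score onto the three-point scale (thresholds assumed)."""
    if score >= 60:
        return "High"
    if score >= 30:
        return "Medium"
    return "Low"


# Constructed sample: a well-controlled database holding 80% of the asset,
# and a poorly controlled file share holding the remaining 20%.
SAMPLE_NODES = [
    Node("db-prod", 0.8, encryption=True, monitoring=True, scanned=True,
         vulnerabilities=[Finding("critical", "open"), Finding("high", "in_progress"),
                          Finding("medium", "closed")],
         alerts=[Finding("high", "open"), Finding("high", "open")],
         assessment_risks=[Finding("medium", "open")]),
    Node("file-share", 0.2, scanned=True,
         vulnerabilities=[Finding("critical", "open")] * 6,
         assessment_risks=[Finding("high", "open")]),
]


def example() -> dict:
    """Score the sample as defined, then with the participation shares swapped,
    to show that participation, not node posture alone, drives the asset level."""
    as_defined = asset_risk(SAMPLE_NODES)
    swapped = [replace(SAMPLE_NODES[0], participation=0.2),
               replace(SAMPLE_NODES[1], participation=0.8)]
    swapped_score = asset_risk(swapped)
    return {"as_defined": (round(as_defined, 2), risk_level(as_defined)),
            "swapped": (round(swapped_score, 2), risk_level(swapped_score))}


if __name__ == "__main__":
    print(example())
```

With the sample as defined, the file share scores roughly 38.7 on its own but holds only 20% of the asset, so the asset lands at about 14.8 (Low); swapping the shares moves the same two nodes to about 32.7 (Medium). The normalisation in asset_risk is a design choice for incomplete inventories; if participation figures are authoritative and already sum to 100%, divide by 100 instead.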