What are security risks with open data?
The City and County of San Francisco manages everything from the airport to the zoo, and some of that data poses security risks. For example, data on water storage tanks, building plans, or non-disclosure agreements can trigger any number of the following types of risks:
- Life / safety
- Rights / Intellectual Property
Security risks are different from privacy risks
We already have a toolkit for privacy risks, but we recognized a gap in managing the risks mentioned above. Privacy risks are specific to data about individuals. Security risks are organizational risks related to property, business processes, etc.
Plus, we heard from our data stewards that security risks need to be managed. Since the Privacy Edition was successful, we decided to develop the Security Edition.
4 steps to manage security risks with open data
A toolkit provides a consistent and repeatable process to assess security risks and select controls. The four core steps and substeps are:
- Assess the Value of Publication
- Assess the Risk of Publication
  - Identify risks and impact
  - Assess the likelihood
  - Assign a risk rating
- Compare the Value and Risk of publication
- Select Risk Treatment and Controls
  - Select risk treatment
  - Select controls
- Publish! We didn’t count this as a step because it’s nothing new ;-)
If you know our Privacy Edition of the toolkit, these steps probably look familiar. However, the Security Edition is shorter and easier to follow because it is less complex.
Visit the Security Edition (or check out both editions at /resources/open-data-release-toolkit/).
Send us any feedback via support.datasf.org!