Data not waste

The collection of IT assets is essentially a collection of data from you, the data controller. If it is not done correctly, there is potential for a data loss or breach.

The ADISA ICT Asset Recovery Standard 8.0 helps you (the data controller) and S2S Group (the data processor) manage the asset recovery process to a set standard.

Data Impact Assurance Levels (DIAL) put you in control. You are now able to control risk against a simple set of variables. Based on the answers provided, you will be able to receive an overall DIAL rating.

The service S2S Group provides as a data processor will match the rating you have generated, and we will agree an ADISA-accredited asset recovery plan with you.

Generate my DIAL Rating

What are the benefits of using a DIAL rating?

Simply put, DIAL ratings offer you the chance to quickly and simply evaluate the risk to you and your company should there be a data breach. The higher the risk, the more measures need to be put in place and the greater the level of service needed to mitigate it.

Another benefit of using the DIAL rating is that it allows you, the data controller, to realistically analyse the threat to your data and the threat that data poses if stolen.

How do DIAL Ratings and the new ADISA ICT Asset Recovery Standard 8.0 work together?

The ICT Asset Recovery Standard 8.0 is the new accredited ADISA standard for the physical processing of your data.

Your DIAL rating is the framework by which you, the data controller, assess your risk. It is then submitted to us as a data processor.

Once we have received your DIAL rating, we can build a service plan which uniquely matches your requirements. Our service plans, no matter the DIAL rating, will meet the new ADISA standard (ICT Asset Recovery Standard 8.0).

What are the DIAL variables?

Risk levels can be judged for an ITAD collection based on 5 factors that we call VICTAR:

  • Volume
  • Impact
  • Category
  • Threat
  • Appetite to Risk

VICTAR

Volume of Data

This refers to the volume of data due to be processed. Asset recovery is a physical process and focuses on overall storage capacity. Therefore, the data controller needs to determine the overall capacity of storage rather than a volume of data.

  • Low Risk – A known number of data-carrying media are being disposed of, containing a total of under 10Tb of overall storage capacity.
  • Medium Risk – A known number of data-carrying media are being disposed of, containing over 10Tb of overall storage capacity.
  • High Risk – An unknown number of data-carrying media are being disposed of.

Impact of a breach on your business

As a data controller, you need to assess the impact a breach would have on your business. When deciding this impact, take into consideration your business type, the scale of data being processed, your profile and lastly the type of data you wish to be processed.

  • Low – Press coverage and brand erosion.
  • Medium – Possible legal action by data subjects and possible regulatory action.
  • High – Same as Medium, but with possible share price damage and / or competitive advantage erosion.

Categories of data

This refers to the categories of data you need processed. These categories align with UK GDPR.

  • Low Risk – Non-confidential data which might be available in the public domain.
  • Medium Risk – Personal Data and Corporate Data.
  • High Risk – Same as Medium Risk, but including special category and / or corporate secret data.

Threat to the Business (Based on the ADISA threat matrix)

You as a data controller need to determine where threats to your data/business are likely to come from. Who is likely to want to gain access to this data? What are the motivating factors behind their actions? Is it financial, intellectual property theft or is it another purpose?

  • Low Risk – Casual or opportunistic threat actor only able to mount unsophisticated attacks.
  • Medium Risk – Motivated, targeted threat actor such as organised crime, journalists or hackers applying professional methods to access the physical device and / or data.
  • High Risk – Government-sponsored organisations using sophisticated techniques with unlimited time and resources to access the physical device and / or data.

Appetite to Risk

This refers to the levels of risk that your business is willing to take. Businesses will want to consider the previous risk factors and judge the levels of service required.

  • Low Risk – All results must lead to no further actions or risk treatments.
  • Medium Risk – Additional risk treatments are available but at additional cost.
  • High Risk – Most cost-effective risk management approach which manages risk but has recommendations for additional risk treatments.
