VICTAR

VICTAR helps businesses stay compliant whilst avoid data risks.

By filling out a simple form, you can determine the possible risks to your data. Once the form is complete you will be given the overall DIAL rating. This can then be passed on to S2S Group as your ITAD supplier. Based on your dial rating the correct level of service can be agreed on to mitigate risk. If you still require guidance on generating your DIAL Rating, please contact the S2S Group Service Team.

What are the DIAL variables?

Risk levels can be judged for an ITAD collection based on 5 factors that we call VICTAR,

  • Volume
  • Impact
  • Category
  • Threat
  • Appetite to Risk
  • VICTAR

    Volume of Data

    This refers to the volume of data due to be processed. Asset recovery is a physical process and focuses of overall storage capacity. Therefore, we would need to (as a data controller) determine the overall capacity of storage rather than a volume of data.

    • Low Risk –  A known number of data carrying media are being disposed of which contains a total of under 10Tb of overall capacity of storage.
    • Medium Risk –  A known number of data carrying media are being disposed of which contains over 10Tb of overall capacity of storage.
    • High Risk –  An unknown number of data carrying media are being disposed of.
    • Impact of a breach on your business

      As a data controller you need to assess the impact would have on your business. When deciding this impact, take into consideration your business type, the scale of data being processed, your profile and lastly the type of data you wish to be processed.

      • Low – Press coverage and brand erosion.
      • Medium – Possible legal action by data subjects and possible regulatory action.
      • High – Same as (2) but possible share price damage and / or competitive advantage erosion.
      • Categories of data

        Refers to the categories of data you need processing. These categories align with UK GDPR.

        • Low Risk – Non-confidential data which might be available in the public domain.
        • Medium Risk –  Personal Data and Corporate Data.
        • High Risk – Same as (2) but including special category and / or corporate secret data.
        • Threat to the Business (Based on the ADISA threat matrix)

          You as a data controller need to determine where threats to your data/business are likely to come from. Who is likely to want to gain access to this data? What are the motivating factors behind their actions? Is it financial, intellectual property theft or is it another purpose?

          • Low Risk –  Casual or opportunistic threat actor only able to mount unsophisticated attacks.
          • Medium Risk –  Motivated, targeted threat actor such as organised crime or journalists or hackers applying professional methods to access the physical device and / or data.
          • High Risk – Government-sponsored organisations using sophisticated techniques with unlimited time and resources to access the physical device and / or data.
          • Appetite to Risk

            This refers to the levels of risk that your business is willing to take. Businesses will want to consider the previous risk factors and judge the levels of service required.

            • Low Risk –  All results must lead to no further actions or risk treatments.
            • Medium Risk – Additional risk treatments are available but at additional cost.
            • High Risk –  Most cost-effective risk management approach which manages risk but has recommendations for additional risk treatments.