Defining the University’s approach to risk assessment
This control procedure defines the University’s approach to risk assessment and directly supports the following policy statement from the Information Risk Management Policy:
Information Risk Assessment is a formal and repeatable method for identifying the risks facing an information asset. It is used to determine their impact, and identify and apply controls that are appropriate and justified by the risks.
This procedure is intended to be read and understood by ISDS and other staff who are responsible for the introduction of information processing systems, including the implementation of IT systems; and for those involved in scoping projects that may require, or make changes to, the processing of University information.
This procedure sets out the guidelines that should be followed to risk assess all key systems and helps to form part of the risk management approach defined in the University’s Information Security Management System.
This approach should be used for all information assets, whether electronic or in hard copy, and all information-processing systems whether tangible (IT systems) or intangible (business processes).
Risk assessments must be completed with the support of a qualified practitioner with access to and a demonstrable understanding of:
A risk assessment must be completed:
Risk assessment considers the value of the information assets, and the threats and vulnerabilities facing them. All risk assessments should be completed using the Information Security risk assessment template.
If the objectives of an asset are extremely important to the University's business, or if the assets are known to be at high risk, then a detailed risk assessment should be conducted for the particular information asset. This involves in-depth identification and valuation of assets, including business impact assessment; the assessment of threats to those assets; and the assessment of vulnerabilities.
The University will consider whatever potential threats are applicable to a particular system, whether natural or human, accidental or malicious. The University will consider whatever potential vulnerabilities are applicable to a particular system, whether intrinsic or extrinsic. It is the responsibility of the Information Security Team to maintain channels of communication with appropriate specialist organisations for threat and vulnerability information.
The Information Security team can provide advice and assistance at all stages of the risk assessment process.
The calculations listed in the risk assessment process will inform the risk register, maintained by the Information Security Team. This register is used to update the Information Governance Board and Senior Information Risk Owner on risks currently facing University assets, to record treatment decisions, and to track the treatment activities.
It is appropriate for individual projects or functional areas to maintain their own risk registers provided that the Information Security Team are informed of information-related risks.
Once the risk has been assessed, a treatment option will fall into at least one of the following categories:
The Information Security team, in collaboration with the Information Asset Owner, will review Medium and Low risks and recommend suitable action.
The Information Governance Board, in collaboration with the Information Asset Owner, will review High risks and recommend suitable action.
In the event that the decision is to Treat, then additional activities or controls will be implemented via a Risk Treatment Plan.
Failure to comply with this procedure could result in action in line with the University’s Disciplinary Procedure or Capability Procedure.
Compliance checks will be undertaken by the University’s Information Governance functions. The results of compliance checks, their risk assessment and their remediation will be managed by the Information Governance Board.
This control procedure needs to be understood in the context of the other policies and procedures constituting the University’s Information Security Management System.
A review of this policy will be undertaken by the Information Security team annually or more frequently as required, and will be approved by the Information Governance Board.