Risk assessment control procedure

Contents

Policy statement

This control procedure defines the university’s approach to risk assessment and directly supports the following policy statement from the Information Risk Management Policy:

“Information risk assessment is a formal and repeatable method for identifying the risks facing an information asset. It is used to determine their impact, and identify and apply controls that are appropriate and justified by the risks.”

Audience

This procedure is intended to be read and understood by IT and digital and other staff who are responsible for the introduction of information processing systems, including the implementation of IT systems; and for those involved in scoping projects that may require, or make changes to, the processing of university information.

Control statements

This procedure sets out the guidelines that should be followed to risk assess all key systems and helps to form part of the risk management approach defined in the university’s Information Security Management System.

This approach should be used for all information assets, whether electronic or in hard copy, and all information-processing systems whether tangible (IT systems) or intangible (business processes).

Risk assessments should be completed with the support of a qualified practitioner with access to and a demonstrable understanding of:

  • University business processes
  • The impact to the university of risks to business assets
  • The technical systems in place supporting the business
  • The legislation to which the university is subject
  • Up-to-date threat and vulnerability assessments

A risk assessment must be completed:

  • For every new information processing system
  • Following modification to systems or processes which could change the threats or vulnerabilities
  • Following the introduction of a new information assets
  • When there has been no review in the previous three years

Risk assessment process

Information risk register

Risk treatment options

Risk assessment process

Risk assessment considers the value of the information assets, and the threats and vulnerabilities facing them. All risk assessments should be completed using or consistently with the Information Security Risk Management Template‌.

If the objectives of an asset are extremely important to the university’s business, or if the assets are known to be at high risk, then a detailed risk assessment should be conducted for the particular information asset. This involves in-depth identification and valuation of assets, including business impact assessment; the assessment of threats to those assets; and the assessment of vulnerabilities.

The university will consider whatever potential threats are applicable to a particular system, whether natural or human, accidental or malicious. The university will consider whatever potential vulnerabilities are applicable to a particular system, whether intrinsic or extrinsic. It is the responsibility of the information security team to maintain channels of communication with appropriate specialist organisations for threat and vulnerability information.

The Information Security team can provide advice and assistance at all stages of the risk assessment process.

Information risk register

The calculations listed in the risk assessment process will inform the risk register, maintained by the Information Security team. This register is used to update the Security & Risk Committee and Senior Information Risk Owner on risks currently facing university assets, to record treatment decisions, and to track the treatment activities.

It is appropriate for individual projects or functional areas to maintain their own risk registers provided that the Information Security team are informed of information-related risks.

Risk treatment options

Once the risk has been assessed a response will fall into at least one of the following categories:

  • Tolerate – where the risk is already below the university’s risk appetite and further treatment is not proportionate
  • Treat – where the risk is above the university’s risk appetite but treatment is proportionate; or where the treatment is so simple and cost effective that it is proportionate to treat the risk even though it falls below the university’s risk appetite
  • Transfer – where the risk cannot be brought below the university’s risk appetite with proportionate treatment but a cost-effective option is available to transfer the risk to a third party
  • Terminate – where the risk cannot be brought below the university’s risk appetite with proportionate effort/resource and no cost-effective transfer is available

The Information Security team in collaboration with the Information Asset Owner will review medium and low risks and recommend suitable action.

The Security & Risk Committee will review high risks and those subject to delays in treatment. The Information Governance Board in collaboration with the Information Asset Owners will review high risks by exception as decided by the Chief Information Security Officer. 

In the event that the decision is to treat, then additional activities or controls will be implemented via a risk treatment plan.

Compliance

Failure to comply with this procedure could result in action in line with the university’s disciplinary procedure or performance improvement procedure.

Compliance checks will be undertaken by the university’s Information Governance functions. The results of compliance checks, their risk assessment and their remediation will be managed by the Information Governance Board.

Related documents

This control procedure needs to be understood in the context of the other policies and procedures constituting the university’s Information Security Management System.

Browse Information Security policies and control procedures

Review

A review of this policy will be undertaken by the Information Security team annually or more frequently as required, and will be approved by the Information Governance Board.

Version: 3.3
Release date: 09/10/2023
Review date: 09/09/2024