Information Risk Management Policy

This policy sets out the principles that the University uses to identify, assess and manage information risk

Purpose

Information that is collected, analysed, stored, communicated and reported upon may be subject to theft, misuse, loss and corruption.

However, the implementation of controls to protect information must be based on an assessment of the risk posed to the University, and must balance the likelihood of negative business impact against the resources required to implement the controls, and any unintended negative implications of the controls.

This policy sets out the principles that the University uses to identify, assess and manage information risk, in order to support the achievement of its planned objectives, and aligns with the overall University risk management framework and approach.

This high-level Information Risk Management Policy sits alongside the Information Security Policy and Data Protection Policy to provide the high-level outline of and justification for the University’s risk-based information security controls.

Objectives

The University’s information risk management objectives are that:

Scope

The Information Risk Management Policy and its supporting controls, processes and procedures apply to all information used at the University, in all formats.

This includes information processed by other organisations in their dealings with the University.

The Information Risk Management Policy and its supporting controls, processes and procedures apply to all individuals who have access to University information and technologies, including external parties that provide information processing services to the University.

A detailed scope, including a breakdown of users, information assets and information processing systems, is included in the Information Security Management System (ISMS) Framework document.

Compliance

Compliance with the controls in this policy will be monitored by the Information Security team and reported to the Information Governance Board.

Review

A review of this policy will be undertaken by the Information Security team annually or more frequently as required, and will be approved by the Information Governance Board and the University Executive Group where necessary.

Policy Statement

Information Risk Assessment is a formal and repeatable method for identifying the risks facing an information asset. It is used to determine their impact, and identify and apply controls that are appropriate and justified by the risks.

It is the University’s policy to ensure that information is protected from a loss of:

1. Risk assessment

Risk assessments must be completed with access to and an understanding of:

A risk assessment exercise must be completed at least:

A risk score is calculated as Likelihood × Impact Level, consistent with the University's high-level Risk Management Policy.

2. Threats

The University will consider all potential threats applicable to a particular system, whether natural or human, accidental or malicious.

The University will reference Annex C of the ISO 27005 standard to aid with threat identification.

Threat information will be obtained from specialist security consultancies, local and national law enforcement agencies and security services, and contacts across the sector and region.

It is the responsibility of the Assistant Director of Information Security to maintain channels of communication with appropriate specialist organisations.

3. Vulnerabilities

The University will consider all potential vulnerabilities applicable to a particular system, whether intrinsic or extrinsic.

The University will reference Annex D of the ISO 27005 standard to aid with vulnerability identification.

Vulnerability information will be obtained from specialist security consultancies, local and national law enforcement agencies and security services, technology providers and contacts across the sector and region.

It is the responsibility of the Assistant Director of Information Security to maintain channels of communication with appropriate specialist organisations.

4. Risk Register

The calculations listed in the risk assessment process will form the basis of a risk register.

All risks will be assigned an owner and a review date.

The risk register is held in the Information Security document store, with access controlled by the Information Security team.

5. Risk Treatment

The risk register will include a risk treatment decision. The action will fall into at least one of the following categories:

The Information Security team in collaboration with the Information Asset Owner will review Medium and Low risks and recommend suitable action.

The Information Governance Board in collaboration with the Information Asset Owner will review High risks and recommend suitable action.

In the event that the decision is to Treat, then additional activities or controls will be implemented via a Risk Treatment Plan.

6. Roles and Responsibilities

The Chair of the Information Governance Board has accountability to the Executive Group and Vice Chancellor for managing information risk.

They will direct the information risk appetite for the University and review the information risk register. They will be involved in assessing and reviewing High risks via the Information Governance Board.

The Assistant Director of Information Security is responsible to the Chair of the Information Governance Board for managing the risk assessment process and maintaining an up-to-date risk register. The Information Security team will conduct risk assessments and recommend action for Medium and Low risks, where these can be clearly defined in terms of the University’s risk appetite.

The Information Governance Board is responsible for assessing and reviewing High risks, and will have visibility of the risk register.

Information Asset Owners and Information Asset Managers are responsible for agreeing and implementing appropriate treatments for risks under their control. They must also take an active role in identifying and reporting new risks.

7. Risk Appetite and Tolerance

The University has agreed a series of risk appetite statements.

While not exhaustive, these give a good overview of the University’s desire to pursue or tolerate risk in pursuit of its business objectives.

The risk appetite statements give the Information Security team, and the Information Governance Board, a framework within which to conduct risk assessments and make recommendations for appropriate treatments.