Purpose

Information that is collected, analysed, stored, communicated and reported upon may be subject to theft, misuse, loss and corruption.

However, the implementation of controls to protect information must be based on an assessment of the risk posed to the University, and must balance the likelihood of negative business impact against the resources required to implement the mitigating controls, and any unintended negative implications of the controls.

This policy sets out the principles that the University uses to identify, assess and manage information risk, in order to support the achievement of its planned objectives, and aligns with the overall university risk management framework and approach.

This high-level Information Risk Management Policy sits alongside the Information Security Policy and Data Protection Policy to provide the high-level outline of and justification for the University’s risk-based information security controls.

Objectives

The University’s information risk management objectives are that:

  • our information risks are identified, managed and treated according to an agreed risk tolerance
  • our physical, procedural and technical controls are agreed by the information asset owner
  • our physical, procedural and technical controls balance user experience and security
  • our physical, procedural and technical controls are cost-effective and proportionate.

Scope

The information risk management policy and its supporting controls, processes and procedures apply to all information used at the University, in all formats.

This can include information processed by other organisations in their dealings with the University.

The information risk management policy and its supporting controls, processes and procedures apply to all individuals who have access to university information and technologies, including external parties that provide information processing services to the University.

Compliance

Compliance with the controls in this policy will be monitored by the Information Security team and reported to the Information Governance Board.

Review

A review of this policy will be undertaken by the Information Security team annually or more frequently as required, and material changes will be approved by the Information Governance Board and the University Executive Group.

Policy Statement

Information risk assessment is a formal and repeatable method for identifying the risks facing an information asset. It is used to determine their impact, and identify and apply controls that are appropriate and justified by the risks.

It is the University’s policy to ensure that information is protected from a loss of:

  • Confidentiality – information will be accessible only to authorised individuals
  • Integrity – the accuracy and completeness of information will be maintained
  • Availability – information will be accessible to authorised users and processes when required

Risk assessment

Risk assessments must be completed with access to and an understanding of:

  • the University’s business processes
  • the impact to the University of risks to business assets
  • the technical systems in place supporting the business
  • the legislation to which the University is subject
  • up-to-date threat and vulnerability assessments

A risk assessment exercise should be completed:

  • for every new information-processing system
  • following modification to systems or processes which could change the threats or vulnerabilities
  • following the introduction of a new information asset
  • following changes to the threat environment or detection of new vulnerabilities 

A system’s or process’s risk score is calculated as Likelihood x Impact Level, giving the matrix below, consistent with the University’s high-level risk management approach.

Impact / Likelihood   Unlikely (1)   Possible (2)   Probable (3)   Certain (4)   Imminent (5)
Critical (5)          5              10             15             20            25
Major (4)             4              8              12             16            20
Medium (3)            3              6              9              12            15
Low (2)               2              4              6              8             10
Minor (1)             1              2              3              4             5

Threats

The University will consider all potential threats applicable to a particular system, whether natural or human, accidental or malicious.

Threat information will be obtained from specialist security consultancies, local and national law enforcement agencies and security services, and contacts across the sector and region. It is the responsibility of the Information Security team to maintain channels of communication with appropriate specialist organisations.

Vulnerabilities

The University will consider all potential vulnerabilities applicable to a particular system, whether intrinsic or extrinsic.

Vulnerability information will be obtained from specialist security consultancies, local and national law enforcement agencies and security services, technology providers and contacts across the sector and region. It is the responsibility of the Information Security team to maintain channels of communication with appropriate specialist organisations.

Risk register

The calculations listed in the risk assessment process will form the basis of a risk register.

All risks will be assigned an owner and a review date.

The risk register is held in the Information Security document store, with access controlled by the Information Security team.

Risk treatment

The risk register will include a risk treatment decision. The action will fall into at least one of the following categories:

  • Pending – where a potential risk has been identified but needs initial investigation. 
  • Tolerate the risk – where the risk is already below the University’s risk appetite and further treatment is not proportionate
  • Treat the risk – where the risk is above the University’s risk appetite but treatment is proportionate; or where the treatment is so simple and cost-effective that it is proportionate to treat the risk even though it falls below the University’s risk appetite
  • Transfer the risk – where the risk cannot be brought below the University’s risk appetite with proportionate treatment but a cost-effective option is available to transfer the risk to a third party
  • Terminate the risk – where the risk cannot be brought below the University’s risk appetite with proportionate effort/resource and no cost-effective transfer is available

The Information Security team in collaboration with the Information Asset Owner will review medium and low risks, and recommend suitable action.

The Security and Risk Committee will review high risks and recommend suitable action.

Roles and responsibilities

The chair of the Information Governance Board has accountability to the Executive Group and Vice Chancellor for managing information risk.

They will direct the information risk appetite for the University and review the information risk register. They will be involved in assessing and reviewing high risks.

The Chief Information Security Officer is responsible to the chair of the Information Governance Board for managing the risk assessment process and maintaining an up-to-date risk register. The Information Security team will conduct risk assessments and recommend action for medium and low risks, where these can be clearly defined in terms of the University’s risk appetite.

The Information Governance Board is responsible for assessing and reviewing High risks, and will have visibility of the risk register.

Information Asset Owners and Information Asset Managers are responsible for agreeing and implementing appropriate treatments to risks under their control. They must also take an active role in identifying and reporting new risks.

Risk appetite and tolerance

The University has agreed a series of risk appetite statements.

While not exhaustive, these give a good overview of the University’s desire to pursue or tolerate risk in pursuit of its business objectives.

The risk appetite statements give the Information Security team, and the Information Governance Board, a framework within which to conduct risk assessments and make recommendations for appropriate treatments.

Version: 5.0
Release date: 10/07/2023
Review date: 10/06/2024