UoB Risk Assessment Methodology


The Risk Assessment Methodology describes how information security risk will be managed, including guidance for assessing, scoring, choosing acceptance or treatment and the mechanisms for reviewing risk periodically.

Contents

1 Risk Assessment Methodology
1.1 Introduction
1.2 Identification of Assets
1.3 Identification of Threats
1.4 Risk Analysis and Assessment
1.4.1 Confidentiality
1.4.2 Integrity
1.4.3 Availability
1.4.4 Financial & Reputation

Document Details

Author: Andy Whillance
Approver: Quentin North
Creation Date: 24 April 2015
Version: 1.0

Version History

0.1 Draft prepared by Andy Whillance
1.0 Final issue by Quentin North

1 Risk Assessment Methodology

1.1 Introduction

The University is committed to understanding where the organisation might be at risk of loss of confidentiality, integrity or availability of any of its information assets. Identifying potential threats to information assets, and understanding where specific vulnerabilities may allow those threats to be exploited, will assist this. Any vulnerability deemed to pose an unacceptable risk must be treated. This will be done either by implementing a control to reduce the risk, by transferring the risk, or by implementing regular monitoring, audit or checking of existing controls. Residual risk, documented in the Asset and Risk Register, will be accepted by management at an annual Management Review meeting.

1.2 Identification of Assets

The Information Security Management Representative will sit with a representative from each departmental area, to identify assets that must be protected. These assets will be held on the departmental asset register.

1.3 Identification of Threats

Threats to information assets will be stated within a Risk Register for each department. Where a specific vulnerability exists, this will also be stated. Threats may include but will not be limited to:

Confidentiality: Theft; Hacking; Incorrect information handling; Incorrect information storage; Loss during receipt/delivery

Integrity: Database corruption; Public website hacking; Multiple versions of key documentation; Unauthorised modification to configuration; Unmaintainable source code

Availability: Hardware failure; Malicious Damage; Environmental (Fire, Flood etc.); Denial of Service Attacks; Unavailability of key staff; Application failure

1.4 Risk Analysis and Assessment

On at least an annual basis, each area which maintains a Risk Register must review the list of identified assets. A list of generic threats will be assessed for each asset and, where the person performing the assessment feels there is a material risk, this will be recorded in the register.

Where threats are not thought to pose any risk, there is no need to record this in the register. The Risk Register should only contain those threats that cause concern. For each threat listed, the likelihood of the vulnerability being exploited is assessed based on the following categories:

Likelihood

1 Is unlikely ever to happen
2 Likely to happen at some point if not addressed
3 Likely to happen within six months, or has happened recently

For each threat, the impact to the organisation should a vulnerability be exploited is assessed based on the following guidance. The tables below are a guide to the risk assessor. The highest score identified out of the categories below will be used as the risk impact score:

1.4.1 Confidentiality

Impact

1 Data going missing would be an inconvenience, but it is unlikely to result in any issue (e.g. leak of an internal procedure)
2 … an apology to a small number of individuals.
3 Public exposure of confidential information would lead to significant embarrassment for the organisation. External interest would be possible.
4 Public exposure of confidential information would lead to significant negative media interest, fines by the ICO and could cause distress or harm to those people affected. External interest would be very likely.

1.4.2 Integrity

Impact

1 Loss or corruption of data would not cause any immediate problems. The problem may or may not be rectified.
2 Loss or corruption of the asset would need to be fixed at some point. Resource would be required to do so.
3 Loss or corruption of the asset would need to be fixed in a short time-scale. Significant resources would be required to do so. External interest would be possible.
4 Loss or corruption of data would mean that significant areas of the organisation would be required to recover from the error. External interest would be very likely.

1.4.3 Availability

Impact

1 The asset may not ever be replaced, or recovery could be done at any point in the future
2 Recovery from downtime would require some effort to recoup any data or work lost. The recovery could be planned for a future date.
3 Recovery from downtime would require significant resource, and would need to be completed as soon as possible. External interest would be possible.
4 Unavailability of the system or function could result in harm to individuals and would significantly affect organisation activities for a long period. Immediate recovery would be required. External interest would be very likely.

1.4.4 Financial & Reputation

Impact

1 No significant financial cost
2 A potential cost in terms of departmental budgets
3 … or more. External interest would be possible.
4 Potential fines or loss of contracts or revenue totalling £100,000 or more. External interest would be very likely.

2 Risk Decision

2.1 Risk Score

The risk score is calculated as the product of likelihood (1-3) and impact, where impact is the highest score identified across the four categories in section 1.4.

Risk Score Permitted Action

12 Action must be taken to reduce the risk

9 Action should be taken to reduce the risk. The IS Governance Board may accept

8 Reduce or accept by the Governance Board and Risk Owner

6 Risk Owner must accept or seek to reduce risk

4 Risk Owner must accept or seek to reduce risk

3 Can be accepted without any treatment

2 Can be accepted without any treatment

1 Can be accepted without any treatment

The decision above should be based on the following guidance:

Low (Score 1-3)

Where risk is scored as low (Green), acceptance may be assumed. No immediate or future action is required. Controls will be subject to monitoring as part of checks, Internal Audit, in order to verify that controls are being adequately enforced.

Medium (4-7)

Where risk is scored at low-medium (Yellow), asset owners may accept the risk, although the value of the asset against which the threat is noted will be taken into consideration. Resources should be allocated to investigate potential future controls, or improvements to existing controls. Some monitoring of existing controls may be initiated.

High (8+)

Where risk is scored as high (Red), the risk should be treated, either by implementation of a new control, improvement to existing controls or transferring the risk to a third party. Close monitoring of existing controls will be initiated until the risk is reduced. Risk must be reviewed on a more regular (monthly) basis.
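As an added worked example (not part of the University's document or its tooling), the following Python encodes the scoring rules above: the 1-3 likelihood scale, the highest-category impact rule from section 1.4, the product score, the permitted-action table and the Low/Medium/High bands. The category names, the `review` cadence field and the sample register entries are assumptions made for the illustration.

```python
# Likelihood 1-3 (section 1.4) and impact 1-4 in each of four categories (names assumed).
LIKELIHOOD = {1: "Unlikely ever to happen", 2: "Likely at some point if not addressed",
              3: "Likely within six months, or has happened recently"}
IMPACT_CATEGORIES = ("confidentiality", "integrity", "availability", "financial_reputation")
# Every possible product of likelihood and impact appears in section 2.1's table.
PERMITTED_ACTION = {
    12: "Action must be taken to reduce the risk",
    9: "Action should be taken to reduce the risk. The IS Governance Board may accept",
    8: "Reduce or accept by the Governance Board and Risk Owner",
    6: "Risk Owner must accept or seek to reduce risk",
    4: "Risk Owner must accept or seek to reduce risk",
    3: "Can be accepted without any treatment",
    2: "Can be accepted without any treatment",
    1: "Can be accepted without any treatment",
}

def band(score):
    """Low/Medium/High guidance band of section 2.1 (scores 1-3, 4-7, 8+)."""
    if score <= 3:
        return "Low (Green)"
    return "Medium (Yellow)" if score <= 7 else "High (Red)"

def assess(likelihood, impacts):
    """Score one Risk Register entry. `impacts` maps category -> 1..4; the
    highest category score is the impact score (section 1.4)."""
    if likelihood not in LIKELIHOOD:
        raise ValueError(f"likelihood must be 1-3, got {likelihood!r}")
    if not impacts or set(impacts) - set(IMPACT_CATEGORIES):
        raise ValueError(f"impact categories must be from {IMPACT_CATEGORIES}")
    if any(v not in (1, 2, 3, 4) for v in impacts.values()):
        raise ValueError("each impact score must be 1-4")
    impact = max(impacts.values())
    score = likelihood * impact
    return {"impact": impact, "score": score, "band": band(score),
            "action": PERMITTED_ACTION[score],
            # High (Red) risks are reviewed monthly, the rest at the annual review.
            "review": "monthly" if score >= 8 else "annual"}

def treatment_queue(register):
    """Entries the Risk Owner cannot accept alone (score 8+), highest first.
    `register` maps entry name -> (likelihood, impacts)."""
    scored = [(name, assess(lk, im)["score"]) for name, (lk, im) in register.items()]
    return sorted((e for e in scored if e[1] >= 8), key=lambda e: -e[1])

# Constructed sample register (assumed values, not taken from the document).
SAMPLE_REGISTER = {
    "Student records database - theft": (2, {"confidentiality": 4, "financial_reputation": 3}),
    "Public website - hacking": (3, {"integrity": 3, "availability": 2}),
    "Internal procedure - leak": (1, {"confidentiality": 1}),
}
```

Calling `treatment_queue(SAMPLE_REGISTER)` lists the two entries scoring 8 or more, which is the set that must go to the Governance Board rather than being accepted by the Risk Owner alone.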


2.2 Risk Treatment

References
