UoB Risk Assessment Methodology

Transcription

1 [Type here] UoB Risk Assessment Methodology The Risk Assessment Methodology describes how information security risk will be managed, including guidance for assessing, scoring, choosing acceptance or treatment and the mechanisms for reviewing risk periodically. Last updated Q North 24 th April 2015 This document and other Information Services documents are held online on our website:

2 University of Brighton Information Services Contents 1 Risk Assessment Methodology Introduction Identification of Assets Identification of Threats Risk Analysis and Assessment Confidentiality Integrity Availability Financial & Reputation Risk Decision Risk Score Risk Treatment... 7 Page 2 24 th April 2015

3 UoB Risk Assessment Methodology Document Details Author Approver Creation Date Version Andy Whillance Quentin North 24 April Version History 0.1 Draft prepared by Andy Whillance 1.0 Final issue by Quentin North 1 Risk Assessment Methodology 1.1 Introduction The University is committed to understanding where the organisation might be at risk to loss of confidentiality, integrity or availability of any of its information assets. Identifying potential threats to information assets, and to understanding where specific vulnerabilities may cause those threats to be exploited will assist this. Any vulnerability deemed to pose an unacceptable risk must be treated. This will be done either by implementing a control to reduce the risk, transferring the risk, or by implementing regular monitoring, audit or checking of existing controls. Residual risk, documented in the Asset and Risk Register will be accepted by management at an annual Management Review meeting. 1.2 Identification of Assets The Information Security Management Representative will sit with a representative from each departmental area, to identify assets that must be protected. These assets will be held on the departmental asset register. 1.3 Identification of Threats Threats to information assets will be stated within a Risk Register for each department. Where a specific vulnerability exists, this will also be stated. Threats may include but will not be limited to: Confidentiality Integrity Availability Theft Database corruption Hardware failure Unauthorised access Incorrect input Comms Failure Employee misuse Unauthorised modification Accidental Damage Printed Thursday, 06 August 2015 Page 3

4 University of Brighton Information Services Hacking Public website hacking Malicious Damage Incorrect information handling Incorrect information storage Loss during receipt/delivery Multiple versions of key documentation Unmaintainable source code Unauthorised modification to configuration Environmental (Fire, Flood etc.) Denial of Service Attacks Unavailability of key staff Application failure 1.4 Risk Analysis and Assessment On at least an annual basis, each area which maintains a Risk Register must review the list of identified assets. A list of generic threats will be assessed for each asset and, where the person performing the assessment feels there is a material risk, this will be recorded in the register. Where threats are not thought to pose any risk there is no need to record this in the register. The Risk Register should only contain those threats that cause concern. For each threat listed, the likelihood of the vulnerability being exploited is assessed based on the following categories: Likelihood 1 Is unlikely ever to happen 2 Likely to happen at some point if not addressed 3 Likely to happen within the six months, or has happened recently. For each threat, the impact to the organisation should a vulnerability be exploited is assessed based on the following guidance. The tables below are a guide to the risk assessor. The highest score identified out of the categories below will be used as the risk impact score: Confidentiality Impact 1 Data going missing would be an inconvenience, but it is unlikely to result in any issue (e.g. Leak of an internal procedure) 2 Public exposure of confidential information would require at least Page 4 24 th April 2015

5 UoB Risk Assessment Methodology an apology to a small number of individuals. 3 Public exposure of confidential information would lead to significant embarrassment for the organisation. External interest would be possible. 4 Public exposure of confidential information would lead to significant negative media interest, fines by the ICO and could cause distress or harm to those people affected. External interest would be very likely Integrity Impact 1 Loss or corruption of data would not cause any immediate problems. The problem may or may not be rectified. 2 Loss or corruption of the asset would need to be fixed at some point. Resource would be required to do so. 3 Loss or corruption of the asset would need to be fixed in a short time-scale. Significant resources would be required to do so. External interest would be possible. 4 Loss or corruption of data would mean that significant areas of the organisation would be required to recover from the error. External interest would be very likely Availability Impact 1 The asset may not ever be replaced, or recovery could be done at any point in the future 2 Recovery from downtime would require some effort to recoup any data or work lost. The recovery could be planned for a future date. 3 Recovery from downtime would require significant resource, and would need to be completed as soon as possible. External interest would be possible. 4 Unavailability of the system or function could result in harm to individuals and would significantly affect organisation activities for a long period. Immediate recovery would be required. External interest would be very likely Financial & Reputation Impact 1 No significant financial cost 2 A potential cost in terms of departmental budgets 3 Potential fines or loss of contracts or revenue totalling 100,000 Printed Thursday, 06 August 2015 Page 5

6 University of Brighton Information Services or more. External interest would be possible. 4 Potential fines or loss of contracts or revenue totalling 100,000 or more. External interest would be very likely. 2 Risk Decision 2.1 Risk Score The risk score is calculated based on the product of likelihood and impact. Risk Score Permitted Action 12 Action must be taken to reduce the risk 9 Action should be taken to reduce the risk. The IS Governance Board may accept 8 Reduce or accept by the Governance Board and Risk Owner 6 Risk Owner must accept or seek to reduce risk 4 Risk Owner must accept or seek to reduce risk 3 Can be accepted without any treatment 2 Can be accepted without any treatment 1 Can be accepted without any treatment The decision above should be based on the following guidance: Low (Score 1-3) Where risk is scored as low (Green), acceptance may be assumed. No immediate or future action is required. Controls will be subject to monitoring as part of checks, Internal Audit, in order to verify that controls are being adequately enforced. Medium (4-7) Where risk is scored at low-medium (Yellow), asset owners may accept the risk, although the value of the asset against which the threat is noted will be taken into consideration. Resources should be allocated to investigate potential future controls, or improvements to existing controls. Some monitoring of existing controls may be initiated. High (8+) Where risk is scored as high (Red), the risk should be treated, either by implementation of a new control, improvement to existing controls or transferring the risk to a third party. Close monitoring of existing controls will be initiated until the risk is reduced. Risk must be reviewed on a more regular (monthly) basis. Where action is chosen (e.g. reduce, transfer, avoid) the residual risk will be recorded using the same formula as for the net risk. Page 6 24 th April 2015

7 UoB Risk Assessment Methodology 2.2 Risk Treatment At a Management Review, the highest risks will be discussed by the management team. A decision to accept, treat or transfer the risks will be stated and recorded in the Risk Register. Any actions assigned will be tracked by the Departmental Information Security Representative. Progress will be reviewed at regular management meetings. Printed Thursday, 06 August 2015 Page 7