UoB Risk Assessment Methodology




The Risk Assessment Methodology describes how information security risk will be managed, including guidance for assessing, scoring, choosing acceptance or treatment, and the mechanisms for reviewing risk periodically.

Last updated: Q North, 24th April 2015

This document and other Information Services documents are held online on our website: https://staff.brighton.ac.uk/is

University of Brighton Information Services

Contents

1 Risk Assessment Methodology ... 3
1.1 Introduction ... 3
1.2 Identification of Assets ... 3
1.3 Identification of Threats ... 3
1.4 Risk Analysis and Assessment ... 4
1.4.1 Confidentiality ... 4
1.4.2 Integrity ... 5
1.4.3 Availability ... 5
1.4.4 Financial & Reputation ... 5
2 Risk Decision ... 6
2.1 Risk Score ... 6
2.2 Risk Treatment ... 7

Page 2, 24th April 2015

Document Details

Author: Andy Whillance
Approver: Quentin North
Creation Date: 24 April 2015
Version: 1.0

Version History

0.1  Draft prepared by Andy Whillance
1.0  Final issue by Quentin North

1 Risk Assessment Methodology

1.1 Introduction

The University is committed to understanding where the organisation might be at risk of loss of confidentiality, integrity or availability of any of its information assets. Identifying potential threats to information assets, and understanding where specific vulnerabilities may allow those threats to be exploited, will assist this.

Any vulnerability deemed to pose an unacceptable risk must be treated. This will be done either by implementing a control to reduce the risk, by transferring the risk, or by implementing regular monitoring, audit or checking of existing controls. Residual risk, documented in the Asset and Risk Register, will be accepted by management at an annual Management Review meeting.

1.2 Identification of Assets

The Information Security Management Representative will sit with a representative from each departmental area to identify assets that must be protected. These assets will be held on the departmental asset register.

1.3 Identification of Threats

Threats to information assets will be stated within a Risk Register for each department. Where a specific vulnerability exists, this will also be stated. Threats (listed under the headings Confidentiality, Integrity and Availability) may include, but will not be limited to:

- Theft
- Database corruption
- Hardware failure
- Unauthorised access
- Incorrect input
- Comms failure
- Employee misuse
- Unauthorised modification
- Accidental damage
- Hacking
- Public website hacking
- Malicious damage
- Incorrect information handling
- Incorrect information storage
- Loss during receipt/delivery
- Multiple versions of key documentation
- Unmaintainable source code
- Unauthorised modification to configuration
- Environmental (fire, flood etc.)
- Denial of Service attacks
- Unavailability of key staff
- Application failure

Printed Thursday, 06 August 2015, Page 3

1.4 Risk Analysis and Assessment

On at least an annual basis, each area which maintains a Risk Register must review the list of identified assets. A list of generic threats will be assessed for each asset and, where the person performing the assessment feels there is a material risk, this will be recorded in the register. Where threats are not thought to pose any risk there is no need to record this in the register; the Risk Register should only contain those threats that cause concern.

For each threat listed, the likelihood of the vulnerability being exploited is assessed based on the following categories:

Likelihood
1  Is unlikely ever to happen
2  Likely to happen at some point if not addressed
3  Likely to happen within six months, or has happened recently

For each threat, the impact to the organisation should a vulnerability be exploited is assessed based on the following guidance. The tables below are a guide to the risk assessor. The highest score identified out of the categories below will be used as the risk impact score.

1.4.1 Confidentiality

Impact
1  Data going missing would be an inconvenience, but it is unlikely to result in any issue (e.g. leak of an internal procedure).
2  Public exposure of confidential information would require at least an apology to a small number of individuals.
3  Public exposure of confidential information would lead to significant embarrassment for the organisation. External interest would be possible.
4  Public exposure of confidential information would lead to significant negative media interest and fines by the ICO, and could cause distress or harm to those people affected. External interest would be very likely.

1.4.2 Integrity

Impact
1  Loss or corruption of data would not cause any immediate problems. The problem may or may not be rectified.
2  Loss or corruption of the asset would need to be fixed at some point. Resource would be required to do so.
3  Loss or corruption of the asset would need to be fixed in a short time-scale. Significant resources would be required to do so. External interest would be possible.
4  Loss or corruption of data would mean that significant areas of the organisation would be required to recover from the error. External interest would be very likely.

1.4.3 Availability

Impact
1  The asset may not ever be replaced, or recovery could be done at any point in the future.
2  Recovery from downtime would require some effort to recoup any data or work lost. The recovery could be planned for a future date.
3  Recovery from downtime would require significant resource, and would need to be completed as soon as possible. External interest would be possible.
4  Unavailability of the system or function could result in harm to individuals and would significantly affect organisation activities for a long period. Immediate recovery would be required. External interest would be very likely.

1.4.4 Financial & Reputation

Impact
1  No significant financial cost.
2  A potential cost in terms of departmental budgets.
3  Potential fines or loss of contracts or revenue totalling 100,000 or more. External interest would be possible.
4  Potential fines or loss of contracts or revenue totalling 100,000 or more. External interest would be very likely.

2 Risk Decision

2.1 Risk Score

The risk score is calculated as the product of likelihood and impact.

Risk Score  Permitted Action
12  Action must be taken to reduce the risk
9   Action should be taken to reduce the risk. The IS Governance Board may accept
8   Reduce or accept by the Governance Board and Risk Owner
6   Risk Owner must accept or seek to reduce risk
4   Risk Owner must accept or seek to reduce risk
3   Can be accepted without any treatment
2   Can be accepted without any treatment
1   Can be accepted without any treatment

The decision above should be based on the following guidance:

Low (Score 1-3): Where risk is scored as low (Green), acceptance may be assumed. No immediate or future action is required. Controls will be subject to monitoring as part of checks and Internal Audit, in order to verify that controls are being adequately enforced.

Medium (4-7): Where risk is scored as low-medium (Yellow), asset owners may accept the risk, although the value of the asset against which the threat is noted will be taken into consideration. Resources should be allocated to investigate potential future controls, or improvements to existing controls. Some monitoring of existing controls may be initiated.

High (8+): Where risk is scored as high (Red), the risk should be treated, either by implementation of a new control, improvement to existing controls, or transferring the risk to a third party. Close monitoring of existing controls will be initiated until the risk is reduced. Risk must be reviewed on a more regular (monthly) basis.

Where action is chosen (e.g. reduce, transfer, avoid), the residual risk will be recorded using the same formula as for the net risk.
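The scoring rules of sections 1.4 and 2.1 (likelihood 1-3 multiplied by the highest of the four category impact scores, the permitted action per score, the Green/Yellow/Red bands, and residual risk recorded with the same formula) are small enough to check against a sample register. The Python below is an added worked example written for this page, not the University's own tooling or register format; the asset names, threats and register entries are constructed, and the "monthly"/"annual" review field is an assumption drawn from the High-band guidance that such risks are reviewed monthly. The score-to-action table and band thresholds are copied from section 2.1 as written.

```python
"""Added example: scoring a risk register with the UoB likelihood x impact rules."""
from dataclasses import dataclass
from typing import Optional

LIKELIHOOD_SCALE = {1, 2, 3}   # section 1.4
IMPACT_SCALE = {1, 2, 3, 4}    # sections 1.4.1-1.4.4

# Permitted action for every achievable product of likelihood and impact (section 2.1).
PERMITTED_ACTION = {
    12: "Action must be taken to reduce the risk",
    9: "Action should be taken to reduce the risk. The IS Governance Board may accept",
    8: "Reduce or accept by the Governance Board and Risk Owner",
    6: "Risk Owner must accept or seek to reduce risk",
    4: "Risk Owner must accept or seek to reduce risk",
    3: "Can be accepted without any treatment",
    2: "Can be accepted without any treatment",
    1: "Can be accepted without any treatment",
}


@dataclass(frozen=True)
class Impact:
    """One score per impact category, each on the 1-4 scale."""
    confidentiality: int
    integrity: int
    availability: int
    financial_reputation: int

    def score(self) -> int:
        # The methodology uses the highest category score as the impact score.
        values = (self.confidentiality, self.integrity,
                  self.availability, self.financial_reputation)
        if any(v not in IMPACT_SCALE for v in values):
            raise ValueError(f"impact scores must be 1-4, got {values}")
        return max(values)


def risk_score(likelihood: int, impact: Impact) -> int:
    """Risk score = likelihood x impact (section 2.1)."""
    if likelihood not in LIKELIHOOD_SCALE:
        raise ValueError(f"likelihood must be 1-3, got {likelihood}")
    return likelihood * impact.score()


def band(score: int) -> str:
    """Low (1-3, Green), Medium (4-7, Yellow) or High (8+, Red)."""
    if score <= 3:
        return "Low"
    if score <= 7:
        return "Medium"
    return "High"


@dataclass
class RiskEntry:
    asset: str
    threat: str
    likelihood: int
    impact: Impact
    vulnerability: str = ""
    treatment: str = "accept"            # accept, reduce, transfer or avoid
    residual_likelihood: Optional[int] = None   # after treatment, if changed
    residual_impact: Optional[Impact] = None    # after treatment, if changed


def assess(entry: RiskEntry) -> dict:
    """Net score, band, permitted action, review cadence and (if treated) residual risk."""
    score = risk_score(entry.likelihood, entry.impact)
    result = {
        "asset": entry.asset,
        "threat": entry.threat,
        "net_score": score,
        "band": band(score),
        "permitted_action": PERMITTED_ACTION[score],
        # Assumption: High risks are reviewed monthly until reduced, others annually.
        "review": "monthly" if band(score) == "High" else "annual",
    }
    if entry.treatment != "accept":
        # Residual risk is recorded using the same formula as the net risk.
        rl = entry.likelihood if entry.residual_likelihood is None else entry.residual_likelihood
        ri = entry.impact if entry.residual_impact is None else entry.residual_impact
        residual = risk_score(rl, ri)
        result["residual_score"] = residual
        result["residual_band"] = band(residual)
    return result


# Constructed sample entries; not taken from any real departmental register.
SAMPLE_REGISTER = [
    RiskEntry("Student records database", "Unauthorised access",
              likelihood=2, impact=Impact(4, 3, 2, 3),
              vulnerability="Shared administrator account",
              treatment="reduce", residual_likelihood=1),
    RiskEntry("Departmental file share", "Hardware failure",
              likelihood=2, impact=Impact(1, 2, 3, 2)),
    RiskEntry("Internal procedure document", "Theft",
              likelihood=1, impact=Impact(1, 1, 1, 1)),
]


def assess_register(register=SAMPLE_REGISTER) -> list:
    """Assess every entry, highest net risk first, as a Management Review would take them."""
    return sorted((assess(e) for e in register),
                  key=lambda r: r["net_score"], reverse=True)


if __name__ == "__main__":
    for row in assess_register():
        print(row)
```

Because impact is the maximum across the four categories, a single category at 4 is enough to put a likelihood-2 threat at score 8 (High); reducing likelihood to 1 while leaving the impact unchanged yields a residual score of 4, which drops the entry into the Medium band where the Risk Owner may accept it.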

2.2 Risk Treatment

At a Management Review, the highest risks will be discussed by the management team. A decision to accept, treat or transfer the risks will be stated and recorded in the Risk Register. Any actions assigned will be tracked by the Departmental Information Security Representative. Progress will be reviewed at regular management meetings.