Information Risk Assessment Guidance

1. Application of Risk

Information security risks will be identified through several work streams across all Directorates and Faculties of the University. These will include, but may not be limited to:

1) Development and maintenance of Information Asset Registers (IAR)

2) Development of Data Flow Maps (DFM)

3) Through the Information Security Manager

4) Through the Senior Information Risk Owner (SIRO)

It is expected that Directorates and Faculties will develop their own InfoSec Risk Registers in relation to IAR and DFM and any other risks that they may identify through normal operational process. Any Risks scored as High (A2, B2 and A1) will be escalated to the central Information Security Risk Register owned by the SIRO and administered by the InfoSec Manager. The SIRO may then decide to escalate any High risks to the Corporate Risk Register.

2. What is Risk?

A risk, simply defined, is the possibility of something happening. It is important to remember that a risk is something that has not yet happened. It may never happen, but if it did it would impact either negatively or positively on the University. Risks should not be confused with the normal issues and challenges that we face in our day-to-day work. Issues and challenges are things that are happening or will happen, and of course need management. For something to be a ‘Risk’ it has to have that element of uncertainty: it will be talked about in terms of ‘if’ and ‘may’ rather than ‘when’ and ‘will’.

3. Risk Management

Risk management is not simply about identifying risks and avoiding them. It is about managing risk in an effective manner. The risk management process can be broken down into a series of common-sense steps:

• Identify/assess the risks and log them

• Analyse/evaluate each risk

• Identify and implement ways to manage the risk

• Measure the impact your actions have had

• Keep risks under regular review and update as necessary

4. Identification

The first key step in the risk management framework is the identification of risks. The risks across the University will vary; they depend on the nature of the work undertaken in an area. A single risk could also impact different parts of the University in differing ways. Risks can be identified through the development of IARs and DFMs, but could also be identified through brainstorming, lessons learned from previous experience, the specialist knowledge of individuals and plain common sense.

5. Evaluation and analysis

Having identified potential risks it is necessary to evaluate them. The exposure to a risk is measured in terms of the likelihood of the risk occurring and its impact should the risk materialise. As noted above, the impact and likelihood of a risk occurring can depend on your place in the organisation. The following tables provide guidelines for the scoring of risk but are in no way definitive and will depend upon local knowledge. The Risk Score should be calculated by assessing the information in Table 1 (Impact) and Table 2 (Likelihood).

For example, there is a request to email a spreadsheet detailing the medical details of 2000 students to an external organisation. Before the data is sent to the organisation it is necessary to assess the risk of the data becoming compromised.

The likelihood of the email being accidentally sent to the wrong address or being intercepted would be “low” and so would score a 3.

The impact if the email did go to the wrong recipient would be “high” according to the Privacy Impact column of Table 1 and so that would be a score of A.

The initial Risk Score of the example would therefore be: A3

Table 3 states that a score of A3 is a medium risk. Table 4 states that a medium-risk activity cannot proceed unless mitigating actions are implemented and approved by the Information Asset Owner. In this example the mitigating action would be that the attachment containing the data is encrypted and the password conveyed by a different mechanism. It is important that the decision is documented and the authorisation by the Information Asset Owner recorded.

1 | Page

Table 1 – Risk impact categories

Each row gives an impact score (C, B or A) with its descriptor, followed by the indicators for that level in each of six impact areas: Privacy Impact, Reputation/Publicity, Research Profile & Research Income, Student Experience, Legal Obligations and Service Delivery.

Score C – Low

  Privacy Impact
  • Exposure of very limited personal data affecting less than 10 individuals, e.g. usernames, email addresses.

  Reputation/Publicity
  • Small volume of individual correspondence received.
  • Reputation is minimally affected, with little or no targeted effort or expense required to recover.
  • Low-key local or regional media coverage.
  • Mild stakeholder correspondence received.
  • Negative short-term social media pick-up.

  Research Profile & Research Income
  • Small impact on research activity within specific teams.
  • Minor impact on research income or productivity for the wider group.
  • Research Excellence Framework (REF) outcome remains unaffected.

  Student Experience
  • Student satisfaction affected, with noticeable impact on NSS scores in a localised area; some effort and expense required to recover.
  • Small increase in student appeals or complaints in a specific area.
  • Small impact on the number of student applicants.
  • Small impact on progression rates.

  Legal Obligations
  • Fines or claims brought of less than £50K.
  • Case referred by complainant to regulatory authorities, who may request information or records as a result.
  • Regulatory action unlikely or of only localised effect.
  • Advisory/improvement notices.

  Service Delivery
  • Local service or Education/Research program delivery problems.
  • Loss, interruption or compromise of critical business systems or Education/Research program for a tolerable period but at an inconvenient time.

Score B – Medium

  Privacy Impact
  • Exposure of limited personal data affecting between 10 and 1000 individuals, e.g. names and addresses or application data.

  Reputation/Publicity
  • Reputation is damaged in the short to medium term, with targeted effort and expense required to recover.
  • Public stakeholder comment and correspondence received expressing concern.
  • Adverse regional or national media coverage.
  • Negative social media pick-up.

  Research Profile & Research Income
  • Significant impact on REF profile.
  • Medium- to long-term effect on productivity in more than one discipline.
  • 1 to 4% overall reduction in research income due to loss of confidence/lack of compliance.

  Student Experience
  • Student satisfaction/NSS scores adversely affected across multiple areas, with some effort and expense required to recover.
  • Increase in appeals across multiple disciplines or group complaints.
  • Significant impact on the number of student applicants.
  • Drop in entry standards (but above quality thresholds).

  Legal Obligations
  • University is required to report serious matter to regulators.
  • Fines or claims brought of between £50K and £250K.
  • Case referred by complainant to regulatory authorities with potential for regulatory action.
  • Enforcement action notices.

  Service Delivery
  • Major service delivery targets cannot be met.
  • Loss, interruption or compromise of critical business systems or Education/Research program for a protracted period of time.

Score A – High

  Privacy Impact
  • Exposure of data which could cause a significant risk of individuals suffering substantial detriment, including substantial distress, e.g. medical records.
  • Exposure of personal data of 1000+ individuals.

  Reputation/Publicity
  • Significant public and private comment from stakeholders expressing serious concerns.
  • Adverse high-profile national media coverage from reputable media, with some international interest.
  • Sustained social media criticism, shared across multiple platforms.

  Research Profile & Research Income
  • Major impact on REF profile.
  • Long-term/pan-University effect.
  • More than 5% reduction in research income due to loss of confidence/lack of compliance.

  Student Experience
  • Student satisfaction/NSS scores significantly adversely affected across multiple areas, with significant effort and expense required to recover.
  • Significant increase in appeals across multiple disciplines.
  • Significant decrease in progression rates.
  • Significant impact on student recruitment requiring a drop in quality thresholds.

  Legal Obligations
  • Fines or claims brought of more than £250K.
  • University is required to report serious matter to regulators.
  • Formal external regulatory investigation into organisational practices, with potential for suspension of significant elements of the University’s operations.

  Service Delivery
  • Cessation of major critical business systems or Education/Research programs for an intolerable period at a critical time in the University calendar.


Table 2 – Likelihood (qualitative measure)

Score   Descriptor   Likelihood
3       Low          Not expected to happen; less than 40% chance of occurring
2       Medium       Will probably happen; between 41% and 80% chance of occurring
1       High         Highly likely to happen; more than 80% chance of occurring

Table 3 – Risk matrix

The Risk Score is the impact letter (Table 1) followed by the likelihood number (Table 2).

                          Likelihood
                      3 (Low)   2 (Medium)   1 (High)
Impact   A (High)       A3         A2           A1
         B (Medium)     B3         B2           B1
         C (Low)        C3         C2           C1

Table 4 – Risk treatment

Risk level and the mitigation required:

High Risk: This risk cannot be tolerated. A detailed and comprehensive action plan will need to be implemented as a matter of urgency, and closely monitored, with the aim of reducing this risk to a lower level. To continue as is would require Senior Information Risk Owner (SIRO) authorisation.

Upper Medium Risk: This risk can only be tolerated if significantly increased or additional mitigating actions are implemented and approved by the Information Asset Owner, or by the SIRO for strategic risks.

Medium Risk: This risk can still be tolerated, but some additional mitigating actions will need to be implemented and approved by the Information Asset Owner, or by the SIRO for strategic risks.

Lower Medium Risk: This risk can still be tolerated, but will need to be approved by the Information Asset Owner.

Low Risk: This risk can be tolerated.

6. Measure

When measuring the risk we assess it in terms of:

  • Impact – High, Medium or Low
  • Likelihood – High, Medium or Low

7. Manage

Having identified and evaluated a risk we must now put actions in place to manage it. We need to put in place actions that:

  • reduce the likelihood of the risk occurring, or
  • if the risk materialises, reduce the impact that it has on our business.

When managing risks we need to ensure that we use risk controls with mitigating actions. Risk control involves taking the information gained during risk assessments and developing and applying actions to mitigate the risks. The actions that are then put in place aim to fall into one or more of the following four major categories:

Tolerate: This is where we decide to accept the risk without doing anything to manage it. This type of response is normally only acceptable where the likelihood and impact of the risk are both relatively low. Risks which are tolerated will still need periodic reviews to ensure that they are still scored within an acceptable level. Even if it is not tolerable, the ability to do anything about some risks may be limited, or the cost of taking any action may be disproportionate to the potential benefit gained. In these cases the response may be to tolerate the existing level of risk. This option, of course, may be supplemented by contingency planning for handling the impacts that will arise if the risk is realised.

Treat: By far the greater number of risks will be addressed in this way. The purpose of treatment is that actions are undertaken to constrain the risk to an acceptable level.

Transfer: For some risks the best response may be to transfer them. This might be done by conventional insurance, or it might be done by paying a third party to take the risk in another way.

Terminate: Some risks will only be treatable, or containable to acceptable levels, by terminating the activity.

Contingency: Equally important to the management of risk is contingency planning, putting in place plans just in case the risk does occur even after you have tried to manage it. Contingency plans can significantly reduce the impact of the risk, should it occur.

8. Review and reporting

Monitoring, reviewing and reporting risk are essential elements of an effective risk management system.

  • The Information Security Risk Register will be maintained by the Information Security Manager and updated on at least a quarterly basis.
  • The register will be submitted to the SIRO on a quarterly basis.
  • The Information Security Manager will provide a quarterly report to the SIRO incorporating risk analysis.
  • The SIRO may choose to submit the report to the UEC if required.
  • The Quarter 4 report will become the annual report to the SIRO.
  • The SIRO should submit the annual report to the UEC.

When reviewing risk and reporting the following questions should be considered:

  • Having taken action, have you actually reduced the risk?
  • What is the net or residual risk?
  • What is the RAG status trend?
  • What is the status of the risk?
  • Have any risks been realised?
