Guidance for conducting a risk analysis

The purpose of conducting a risk analysis is to create a basis for deciding which security measures to implement and to raise awareness of threats, vulnerabilities and risks among those involved in the analysis. A risk analysis consists of answering these four questions:

• What could happen?
• How likely is this?
• What will be the consequences?
• What do we do about it?

Before starting the analysis

Before starting the risk analysis, the object of analysis should have been identified and the information classified. Make use of the information classification guidance.

Prepare a workshop

Appoint an individual to lead the analysis and invite participants to a workshop where you will conduct the analysis. Describe the purpose and the information to be analysed. Suitable participants can include system owners, system administrators, information owners and IT system administrators, for example.

Prepare a detailed description of the asset in advance

If there a classification has been made, this should be provided as a basis for further risk analysis. Are there system descriptions of the existing IT environment? Find out which laws and requirements may come into play.

• Decide on delimitations
• Identify any external and internal requirements
• Describe the information asset (retrieved from the information classification). Is there specific data worthy of protection?
• General Data Protection Regulation (GDPR): Does personal data, personal data meriting special protection or sensitive personal data exist?
• Is there research data? Any data or information that could later lead to a patent application?
• Is there a purpose? Amount of information? Take into account the life cycle of the information asset.
• Threat scenario — use general and current descriptions of threat scenarios in sources, such as trend and annual reports (international, national and sector-specific). Are there past incident reports within the organisation to be consulted?

Conduct the risk analysis

1. Identify threats and vulnerabilities

Now is the time to answer the question "What can happen?". What threats and vulnerabilities have been identified that could cause an undesirable event to occur that could have negative consequences?

Use the Excel "Risk och sårbarhetsanalys mall" (in Swedish). It includes the risk analysis itself and provides support for further work on managing the identified risks. It is found in the column on the right.

2. Assess the risks

Now assess how likely each risk is and how big the consequences are if they occur.

Consequences

See examples of specific consequence levels in the risk analysis template for valuation and briefly describe the consequence.

Keep in mind that GDPR requires that a specific impact assessment be conducted if the risk analysis shows that a particular processing of personal data is likely to have a high risk of limiting the rights and freedoms of natural persons. In such cases, the Data Protection Officer at Umeå University is to be contacted. This does not preclude carrying out a general impact assessment in other cases from an operational, financial, trust and individual perspective.

Probability

Use probabilities or frequency to estimate the probability that the event will occur.
Enter the value for probability and consequence in the risk assessment.

Determine which risks are to progress to step 3.

3. Managing the risks

Assess what security measures can be put in place to eliminate or reduce the risk.

Consider any current protections. We need to start with university-wide solutions and services. This contributes to both sustainability and stability. Use ISO 27001 Table A to find appropriate technical and organisational security measures.

• Prioritise and assign a risk owner and someone responsible for enacting the security measure.
• Set a schedule and follow up.
• Specify risk assessment after the measure is introduced.