NRS Risk Analysis and Management Policy
May 2013

This document was initially prepared by: Information Manager (IM), August 2006
Reviewed by: ISSWG, August 2006; ISWG, November 2007

Document Distribution
All members of staff in the National Records of Scotland (NRS).

Status Control

Version  Date        Status  Prepared by  Reason for Amendment
1.0      06/09/2006  Final   IM
1.1      09/11/2007  Draft   IM           Annual Review
2.0      27/11/2007  Final   IM           After Annual Review
2.1      17/11/2010  Final   ISC          Review carried out by ISWG 09/11/2010
3.0      15/5/13     Final   Head of IA   Full review after merger. Comments from Head of Records Services and IS Team

Author: Head of IA
Filepath: Quickr/Business Material/Security and Confidentiality
Page 2 of 7
Date last saved 05/02/2016
Version 3.0

Table of Contents
1. Introduction
2. Scope
3. Risk Analysis and Management
4. Establishing security requirements
5. Assessing and managing security risks
6. Assets
7. Threats
8. Vulnerabilities
9. Risk Assessment Process
10. Risk Register / Risk Treatment Plan
11. Monitoring / Audit

1. Introduction

1.1 Paragraph 3.17 of the NRS Information Systems Security Policy states that a formal risk analysis method should be used for NRS Information Systems. This policy sets out the guidelines that should be followed in all key outward-facing systems and will help to form part of the risk management approach defined in the HMG Infosec Standard 1/2 - Risk Management and Accreditation Document Set (RMADS).

1.2 This policy was introduced in September 2006 and has been reviewed on a number of occasions.

2. Scope

2.1 While the policy emanates from Information Systems guidance, the methodology can be used for all information assets, whether contained on systems or in hard copy format.

3. Risk Analysis and Management

3.1 Risk Analysis and Management is a formal method of identifying the risks facing an Information System and determining their impact (the risk analysis), and of identifying and applying security control measures that are appropriate and justified by these risks (the risk management).

3.2 A risk analysis and management exercise must be completed by the Division that owns or retains the Assets for every new Information System, if the system is significantly modified, or when there has been no review in the previous three years.

3.3 Assistance and guidance on this exercise can be obtained from the NRS Information Security team.

4. Establishing security requirements

4.1 There are three main sources of requirements for security in NRS:
- the unique set of security risks (threats and vulnerabilities) to assets, and their potential consequences for the business;
- any statutory and contractual requirements that NRS must satisfy;
- any principles, objectives and requirements for information processing that NRS has developed to support its business operations.

4.2 The implementation, or absence, of security controls to protect Information Assets must not present any major obstacles to achieving efficient business operations. The objective should be to build in the right controls and the required degree of flexibility from the start of the IS planning process.

5. Assessing and managing security risks

5.1 Expenditure on Information security controls needs to be balanced against, and be appropriate to, the business value of the information and other assets at risk, and the business harm likely to result from security failure.

5.2 Generic Risk Assessment and Management Model

The main components of the model are to:
- Identify the assets supporting the service(s);
- Identify the threats to these assets;
- Determine the value of the business service(s) to NRS. (What is the impact of loss of confidentiality, integrity or availability of the service(s), irrespective of how this may occur?);
- Evaluate and prioritise the risks in terms of the business impact on NRS of the assets' compromise and the probability of occurrence;
- Decide how the risks are to be managed within current constraints and security requirements (e.g. organisational, financial, personnel, time, legal, technical);
- Decide on suitable controls for managing the risks and implement those not already in place;
- Review and re-assess risks and the effectiveness of controls on a regular basis.

6. Assets

6.1 Assets will be identified from the guidance provided in Annex B of the ISO 27005:2011 standard from the British Standards Industry (BSI)[1]. NRS will consider risks against the following asset types as appropriate:
- physical – e.g. PCs, servers, racks, switches and routers;
- software – e.g. desktop operating system, proprietary and bespoke applications, utilities;
- information – e.g. databases;
- paper – e.g. licences, reports, logs, contracts, personnel records;
- people – e.g. new employees, employees, ex-employees, visitors, contractors;
- services – e.g. gas, water, telephone, mail, electricity;
- environmental – e.g. Health & Safety, site access;
- reputation and image – e.g. web site.

[1] Copies are held with the Information Manager in Ladywell House and the Information Security Administrator in New Register House.

7. Threats

7.1 NRS will use whatever potential threats are applicable to a particular system. These will come from the example list provided in Annex C of the ISO 27005:2011 standard. In most cases NRS will use the following threats: Fire; Flood; Theft/Damage; Hardware Failure; Software Failure; and any other deemed appropriate.

8. Vulnerabilities

8.1 NRS will use the example scenarios given in Annex D of the ISO 27005:2011 standard to aid with the assessment of vulnerabilities. This list will be assessed against the statement “Am I prepared for it now”.

9. Risk Assessment Process

9.1 While there are several software tools that can provide assistance with the process, many are extremely expensive and require specific, extensive consultancy to aid navigation and to understand all the concepts.

9.2 The BSI offers guidance in the ISO 27005:2011 standard. Part 8 of this standard relates to risk assessment, and NRS will follow the principles set down in this section and in the remainder of the standard. This standard expands upon the BS ISO/IEC 27001:2005 standard (previously known as BS7799) and in particular paragraph 4.2.1.2.

9.3-7 [not published]

9.8 The risk statement will fall into at least one of the following categories[2]:
- Control the risk – e.g. through policies and procedures to perform detection, deterrence, prevention, limitation, correction, recovery, monitoring and awareness;
- Transfer the risk – e.g. outsource the asset or service;
- Avoid the risk – dispose of the asset;
- Accept the risk – where the scenario is unlikely to happen;
- Mitigate the risk – by insuring or duplicating/distributing the asset;
- Deploy countermeasures within a Business Continuity or Disaster Recovery Plan.

[2] Copies are held with the Information Manager in Ladywell House and the Information Security Administrator in New Register House.

10. Risk Register / Risk Treatment Plan

10.1 The calculations listed in the risk assessment process above will form the basis of a risk register. The final sheet of this register will be the risk treatment plan and will summarise how the risks have been treated. An example of the tables to be used is contained at Appendix A to this document. Blank copies are included at Appendix B.

11. Monitoring / Audit

11.1 Monitoring of risk assessments will be carried out by the NRS Division, and auditing will be the responsibility of the Information Security team.

Sections 9.3-7 and Appendix A have not been published for reasons of security.