
NRS
Risk Analysis and Management Policy
May 2013
This document was initially prepared by: Information Manager (IM), August 2006
Reviewed by: ISSWG, August 2006; ISWG, November 2007
Document Distribution
All members of staff in the National Records of Scotland (NRS).
Status Control
Version  Date        Status  Prepared by  Reason for Amendment
1.0      06/09/2006  Final   IM
1.1      09/11/2007  Draft   IM           Annual Review
2.0      27/11/2007  Final   IM           After Annual Review
2.1      17/11/2010  Final   ISC          Review carried out by ISWG 09/11/2010
3.0      15/5/13     Final   Head of IA   Full review after merger. Comments from Head of Records Services and IS Team

Author: Head of IA
Filepath: Quickr/Business Material/Security and Confidentiality
Page 2 of 7
Date last saved 05/02/2016
Version 3.0
Table of Contents
1. Introduction
2. Scope
3. Risk Analysis and Management
4. Establishing security requirements
5. Assessing and managing security risks
6. Assets
7. Threats
8. Vulnerabilities
9. Risk Assessment Process
10. Risk Register / Risk Treatment Plan
11. Monitoring / Audit
1. Introduction
1.1 Paragraph 3.17 of the NRS Information Systems Security Policy states that a formal risk analysis method should be used for NRS Information Systems. This policy sets out the guidelines that should be followed in all key outward facing systems and will help to form part of the risk management approach defined in the HMG Infosec Standard 1/2 - Risk Management and Accreditation Document Set (RMADS).
1.2 This policy was introduced in September 2006 and has been reviewed on a number of occasions.
2. Scope
2.1 While the policy emanates from Information Systems guidance, the methodology can be used for all information assets whether contained on systems or in hard copy format.
3. Risk Analysis and Management
3.1 Risk Analysis and Management is a formal method of identifying the risks facing an Information System and determining their impact (the risk analysis), and identifying and applying security control measures that are appropriate and justified by these risks (the risk management).
3.2 A risk analysis and management exercise must be completed by the Division who owns or retains the Assets for every new Information System, if the system is significantly modified or when there has been no review in the previous three years.
3.3 Assistance and guidance on this exercise can be obtained from the NRS Information Security team.
4. Establishing security requirements
4.1 There are three main sources of requirements for security in NRS:
• the unique set of security risks (threats and vulnerabilities) to assets, and their potential consequences for the business;
• any statutory and contractual requirements that NRS must satisfy;
• any principles, objectives and requirements for information processing that NRS has developed to support its business operations.
4.2 The implementation, or absence, of security controls to protect Information Assets must not present any major obstacles to achieving efficient business operations. The objective should be to build in the right controls and the required degree of flexibility from the start of the IS planning process.
5. Assessing and managing security risks
5.1 Expenditure on Information security controls needs to be balanced against, and be appropriate to, the business value of the information and other assets at risk, and the business harm likely to result from security failure.
5.2 Generic Risk Assessment and Management Model
The main components of the model are to:
• Identify the assets supporting the service(s);
• Identify the threats to these assets;
• Determine the value of the business service(s) to NRS. (What is the impact of loss of confidentiality, integrity or availability of the service(s) irrespective of how this may occur?);
• Evaluate and prioritise the risks in terms of business impact of the assets' compromise on NRS and probability of occurrence;
• Decide how the risks are to be managed within current constraints and security requirements (e.g. organisational, financial, personnel, time, legal, technical);
• Decide on suitable controls for managing the risks and implement those not already in place;
• Review and re-assess risks and effectiveness of controls on a regular basis.
6. Assets
6.1 Assets will be identified from the guidance provided in Annex B of the ISO 27005:2011 standard from the British Standards Industry (BSI)[1]. NRS will consider risks against the following asset types as appropriate:
• physical – e.g. PCs, servers, racks, switches and routers;
• software – e.g. desktop operating system, proprietary and bespoke applications, utilities;
• information – e.g. databases;
• paper – e.g. licences, reports, logs, contracts, personnel records;
• people – e.g. new employees, employees, ex-employees, visitors, contractors;
• services – e.g. gas, water, telephone, mail, electricity;
• environmental – e.g. Health & Safety, site access;
• reputation and image – e.g. web site.

[1] Copies are held with Information Manager in Ladywell House and the Information Security Administrator in New Register House.
7. Threats
7.1 NRS will use whatever potential threats are applicable to a particular system. These will come from the example list provided in Annex C of the ISO 27005:2011 standard. In most cases NRS will use the following threats:
• Fire;
• Flood;
• Theft/Damage;
• Hardware Failure;
• Software Failure and any other deemed appropriate.
8. Vulnerabilities
8.1 NRS will use example scenarios given in Annex D of the ISO 27005:2011 standard to aid with the assessment of vulnerabilities. This list will be assessed against the statement “Am I prepared for it now”.
9. Risk Assessment Process
9.1 While there are several software tools that can provide assistance with the process, many are extremely expensive and require specific extensive consultancy to aid navigation and understand all the concepts.
9.2 The BSI offer guidance in the ISO 27005:2011 standard. Part 8 of this standard relates to risk assessment and NRS will follow the principles set down in this section and in the remainder of the standard. This standard expands upon the BS ISO/IEC 27001:2005 standard (previously known as BS7799) and in particular paragraph 4.2.1.[2]
9.3-7 [not published]
9.8 The risk statement will fall into at least one of the following categories:
• Control the risk – e.g. through policies and procedures to perform detection, deterrence, prevention, limitation, correction, recovery, monitoring and awareness;
• Transfer the risk – e.g. outsource the asset or service;
• Avoid the risk – dispose of the asset;
• Accept the risk – where the scenario is unlikely to happen;
• Mitigate the risk – by insuring or duplicating/distributing the asset;
• Deploy countermeasures within a Business Continuity or Disaster Recovery Plan.

[2] Copies are held with Information Manager in Ladywell House and the Information Security Administrator in New Register House.

10. Risk Register / Risk Treatment Plan
10.1 The calculations listed in the risk assessment process above will form the basis of a risk register. The final sheet of this register will be the risk treatment plan and will summarise how the risks have been treated. An example of the tables to be used is contained at Appendix A to this document. Blank copies are included at Appendix B.
11. Monitoring / Audit
11.1 Monitoring of risk assessments will be carried out by the NRS Division and auditing will be the responsibility of the Information Security team.
Sections 9.3-7 and Appendix A have not been published for reasons of security.