It is University Policy that:
- adequately manage information security risk and carry out risk assessments on IT systems and business processes where appropriate. Information security risk assessments should be:
- carried out on all information systems on a regular basis in order to identify key information risks and determine the controls required to keep those risks within acceptable limits
- repeated periodically and carried out as required during the operational delivery and maintenance of the University's infrastructure, systems and processes
- included in the business case for any new ICT system that may be used to store confidential information
Provided you are in compliance with the University's baseline information security standards (these describe the minimum levels of security required) and information asset handling rules, no other security risk assessments are required by the University.
However, if external parties, such as funders or partners, require a risk assessment or you are requesting an exemption from the baseline standards or handling rules (due to a legitimate business or technical constraint), you must carry out and document a risk assessment.
You must also ensure risk assessments are signed off by an appropriate risk or information asset owner.
To fulfil your risk management obligations:
- apply the University's baseline information security standards to all information systems managed by your division, department or faculty and
- ensure that information asset handling rules are being followed (these are determined by Information Asset Owners in accordance with the baseline standards)
- carry out and document a risk assessment if you are deviating from baselines and/or prescribed handling rules (a recommended approach to this can be found in the Risk Assessment Handbook, and the Information Security Team can provide further support if you need it)
The Information Security Team is responsible for maintaining and acting upon a University-wide information security risk register.