Versions Compared

Old Version 25

changes.mady.by.user Øivind Høiem

Saved on

compared with

New Version 26

changes.mady.by.user Øivind Høiem

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The most common used in the risk assessment process

Adverse event or incident (threat, risk element)
An event that might affect safety in a negative way

Vulnerability
Weakness in a system, process, human or a building that could be exploited by a threat

Probability
A measure of how often an incident occurs

Consequence (of injuries)
Consequence is the impact of an event. It can affect the economy, reputation, loss of personal reputation, life and health or critical functions or lead to prosecution

Risk
Risk is a measure that combines the probability and consequences of an event.


Why should we carry out a risk assessment?

  • Maintaining confidence in a system or service
  • Compliance with legal obligations
  • Maintain quality of service
  • Maintaining an overview of information assets
  • Protecting employees, students and citizens
  • Help protect critical infrastructure
  • Learning and dissemination of knowledge among the participants in a risk assessment workshop


Risk assessment methodology

When we undertake a risk assessment we:

  • Identify adverse events, i.e. events that can lead to violations of information values regarding confidentiality, integrity and availability
  • Assess the risk - probability combined with consequence - for each adverse event
  • Evaluating and managing risks by proposing protection or controls that mitigate risks


Roles and responsibilities

...

Risk treatment and residual risk

Description of process


Risk areas

The organization's ownership of ICT
Information security policy and guidelines
Organization of information security
Resources
Expertise, skills and safety culture
Employee safety
Architecture
Work processes
Roles and responsibilities
Establishment and maintenance of portfolio
Innovation
Decision-making by ICT investments
Acquisition, development and maintenance of ICT systems / services
Quality assurance
Supplier relations

Handling of information assets

Access control
Operation and management
Infrastructure
Software
Data communication security
Cryptography
Malware and logical attacks
Social engineering
Theft or destruction
Disloyal employees
Physical and environmental areas
Geopolitical conditions
Handling of information security incidents
Continuity plans
Compliance with laws, rules and agreements
Communication


Tools/Aids