Risk assessment

When working with data at Aarhus University, it is important to consider how to protect the data for which you are responsible.

Learn more about preparing a risk assessment.

What is a risk assessment?

A risk assessment is an assessment of cyber and information security aimed at preventing sensitive information from falling into the wrong hands through unforeseen events.

Good information security serves to protect data and ensure the confidentiality, integrity and availability of such data. Unforeseen events include the disclosure or loss of critical data, or incidents that otherwise compromise the data. If you are aware of the risks, appropriate security measures can be taken to avoid incidents.

A good risk assessment is a structured procedure to identify any risks, the possible consequences if an incident occurs, and the probability that it will occur. Risks must be analysed in order to prevent, manage or reduce them, so that the task, activity or project can be carried out safely.

A risk assessment consists of three phases:

  • BEFORE the risk assessment: System and data classification.
  • DURING the risk assessment: Completion of the risk assessment template.
  • AFTER the risk assessment: Annual follow-up.

The outcome of the risk assessment will indicate the extent to which information needs to be protected.

When should a risk assessment be prepared?

A written risk assessment must be carried out prior to any processing of confidential and/or sensitive data. The risk assessment should be conducted by the system owner or the person responsible for processing, storage or transfer of this type of data.

Go to the bottom of this page for a risk assessment template.

Note that if your project includes personal data, you must also prepare a data protection risk assessment.

Who should prepare a risk assessment and why?

You are obligated to carry out a risk assessment if you are the system owner or if you are otherwise responsible for an area/task or a project including confidential and/or sensitive information, including personal data, at Aarhus University. This also applies to publicly available personal data.

It is your responsibility to protect the confidentiality, integrity and credibility of data by adopting appropriate security measures on an informed basis.

This is your task, because you know how the system or the processing of information is to be implemented and you are best able to assess any risks.

Note that if you are going to process personal data, you must also prepare a data protection risk assessment.

What is the difference between a risk assessment and a data protection risk assessment?

A risk assessment is an assessment of systems, access to buildings, research materials, etc.

If you are processing personal data, a separate risk assessment must be carried out: a data protection risk assessment.

The data controller must take the place of the data subject and consider the risks to which the data subject will be exposed in the planned processing activity or activities to be performed by the data controller.

If your job function at Aarhus University entails that you are responsible for a unit, a system, a task or a project that involves access to confidential information or sensitive personal data processed at the university, it is your responsibility to carry out a risk assessment.