Risk assessment

You must prepare a risk assessment to assess threats, for example to a system, and describe the measures to be taken to counter these threats. Find resources for carrying out risk assessments on this page.
Purpose

At AU, risk assessments of information assets must be carried out to ensure that sensitive or confidential information does not fall into the wrong hands. A risk assessment should therefore result in an action plan for how the information is protected.

Whether information is confidential or sensitive depends on how the data is classified. Read more here.

Responsibility and decision-making authority

The system owner or person responsible for processing the information in question is responsible for carrying out a risk assessment.

A risk assessment results in a decision proposal that must be presented to the relevant local management. Who the relevant management is depends on the information asset and your local organisation.

Management can choose to involve the Faculty Information Security Committee (FISU) for an assessment or decide to escalate the decision to the next level of management.

In extreme cases, the decision can be escalated to the senior management team.

How to carry out a risk assessment

A risk assessment follows the steps described below. Each section describes how to get started and includes recommendations for methods, templates and guides.

Information assets

You must carry out a risk assessment of information assets. There are many types of information assets; examples include:

  • IT systems
  • domains
  • audio and video recordings
  • tissue samples
  • hardcopy documents

1. Stakeholders

Put together the right team.

To ensure you cover all aspects of the information asset, you need to involve people with different functions in relation to the system.

You might ask yourself the following questions to identify relevant stakeholders:

  • Who uses the system and is familiar with the different business processes?
  • Who has the technical insight and responsibility for setup and operations?
  • Who is the system owner and therefore responsible for carrying out risk assessments?
  • Who has management responsibility?

You should also consider who has the authority to make any final decisions related to the risk assessment. It can also be a good idea to ask your local research information security committee to guide you in putting together the right team.

2. Assessment

Assess the risks.

This is where you do the actual risk assessment. If you are assessing an IT system, start with a system classification.

Prior to the risk assessment itself, the scope of the risk assessment must be clearly defined: what should be assessed, and where do you draw the line on what this particular risk assessment should cover?

When scoping this, you need to consider both internal and external factors, as stakeholder requirements can affect the risk assessment.

Please also note that there is a difference between a risk assessment and a data protection risk assessment. If personal data is processed in the information asset in question, a data protection risk assessment must also be carried out. See more under GDPR.

System classification

In the system classification, you describe the system’s characteristics and its importance to AU. Based on the simplified inputs, the template will indicate whether the system should be considered as system type A, B, or C. It will also suggest an appropriate level of risk management for the system with regard to the following additional activities:


Risk assessment

A risk assessment is an assessment of the likelihood of an incident occurring as well as an assessment of the potential consequences. Management must then decide which risks are acceptable and which risks require action and how.

The assessment focuses on vulnerability and consequences: vulnerabilities are assessed based on the likelihood of certain events occurring, and consequences are assessed according to their severity. For example, they can be insignificant, cause financial losses or lead to loss of life. See more in the risk assessment template.
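As an added illustration of the likelihood-and-consequence assessment described above (this is example code written for this page, not AU's risk assessment template or any AU tool), the script below scores a small risk register and ranks it into the form a decision proposal needs: the risks with the greatest consequences first, each with a recommended action (accept, mitigate, remove) and a named risk owner. The 1 to 5 ordinal scales, the score formula (likelihood × consequence), the acceptance threshold of 8, the mapping from score to recommendation and the register entries themselves are all assumptions constructed for the example; a real assessment takes these from the organisation's template and risk statements.

```python
"""Risk register scoring: added example, not AU's template.

Assumed scales (not from the page): likelihood and consequence are each
rated 1-5; the consequence scale runs from "insignificant" through
"financial loss" to "loss of life", mirroring the examples on the page.
"""
from dataclasses import dataclass

# Assumed ordinal scales.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "financial loss": 3, "major": 4, "loss of life": 5}

# Assumed acceptance threshold: scores below this may be accepted by local
# management; in practice it must match AU's overall risk acceptance.
ACCEPTANCE_THRESHOLD = 8


@dataclass(frozen=True)
class Risk:
    asset: str        # the information asset being assessed
    threat: str       # the event whose likelihood is rated
    likelihood: str   # key into LIKELIHOOD
    consequence: str  # key into CONSEQUENCE
    risk_owner: str   # who answers for this risk in the action plan

    @property
    def score(self) -> int:
        """Risk score = likelihood rating x consequence rating (assumed formula)."""
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]


def recommend(risk: Risk) -> str:
    """Assumed mapping from score to the page's action categories.

    accept  : below the acceptance threshold, management may accept as-is
    remove  : a loss-of-life consequence is never accepted; remove the exposure
    mitigate: everything else needs measures that bring the score under the threshold
    """
    if risk.score < ACCEPTANCE_THRESHOLD:
        return "accept"
    if CONSEQUENCE[risk.consequence] == CONSEQUENCE["loss of life"]:
        return "remove"
    return "mitigate"


def build_proposal(register: list[Risk]) -> list[dict]:
    """Rank the register for the decision proposal: highest score first,
    ties broken by the more severe consequence."""
    ranked = sorted(
        register,
        key=lambda r: (r.score, CONSEQUENCE[r.consequence]),
        reverse=True,
    )
    return [
        {
            "asset": r.asset,
            "threat": r.threat,
            "score": r.score,
            "recommendation": recommend(r),
            "risk_owner": r.risk_owner,
        }
        for r in ranked
    ]


def needs_management_decision(register: list[Risk]) -> list[Risk]:
    """Risks at or above the threshold that management must explicitly
    accept or act on (the 'risks requiring attention' part of the proposal)."""
    return [r for r in register if r.score >= ACCEPTANCE_THRESHOLD]


# Constructed sample register; the assets, threats and ratings are invented.
SAMPLE_REGISTER = [
    Risk("Student records database", "staff credential phishing", "likely", "financial loss", "Registrar"),
    Risk("Tissue sample freezer", "power failure spoils samples", "possible", "major", "Lab manager"),
    Risk("Departmental website", "outdated content misleads users", "possible", "minor", "Web editor"),
    Risk("Lab safety interlock controller", "unauthorised configuration change", "unlikely", "loss of life", "Lab manager"),
]


if __name__ == "__main__":
    for entry in build_proposal(SAMPLE_REGISTER):
        print(f"{entry['score']:>2}  {entry['recommendation']:<8}  {entry['asset']}  "
              f"({entry['threat']}; owner: {entry['risk_owner']})")
```

The ranking deliberately breaks ties on consequence rather than likelihood so that, with equal scores, the risk that could hurt more sits higher in the proposal; the threshold check is kept separate from the ranking so management sees the full ordered picture but is only asked to decide on the risks that actually exceed the accepted level.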

Tools for risk assessment

  • Risk assessment template
  • The P-model for identifying risks.
  • Threat catalogue with examples of possible threats.

3. Decision

Prepare a decision proposal.

The relevant local manager(s) decide whether to accept the risks described or whether to take measures to lower the risk. If management is not in a position to make this decision, you can choose to escalate the decision to the next management level.

Once the decision is made, you can create the action plan.

The proposed action plan submitted to management should include:

  • Identified risks with the greatest consequences.
  • Any other risks that require management’s attention or acceptance.
  • Action plan recommendations (accept, mitigate, minimise, remove risks). It is important that the risk acceptance is aligned with AU's overall risk acceptance and risk statements.
  • Roles and responsibilities (system/asset owner, risk owner) and who is responsible for implementing the activities mentioned in the action plan.
  • Documentation of management decisions and an agreement on how and when to follow up on the activities in the action plan.

4. Action

Develop an action plan.

The action plan depends on the level of risk acceptance management has decided on and the nature of any measures adopted to lower the risk to an acceptable level.

The action plan makes it possible to follow the progress of activities and measures based on management's decision to act on the risks identified in the risk assessment.

Roles and the division of responsibilities (system/asset owner, risk owner) and who is responsible for implementing the activities must be clearly stated in the action plan.

Track progress and report regularly to the relevant manager(s).

See also the catalogue of measures on the Danish Data Protection Agency website. (In Danish only)

5. Follow-up

Follow up on risks regularly.

The world is changing rapidly, and we are seeing corresponding changes in the threat landscape, as well as the possibility of new technical vulnerabilities emerging. That's why it's important that you follow up regularly.

Risk assessments must be reviewed at least once a year or in connection with major incidents.
Tools

Here you can download templates and resource material to help you prepare risk assessments.