Managing risks
Identifying risk
We use various internal and external sources to identify information risks including:
- local threat assessments
- monitoring compliance with the information security management system
- national advice and guidance
- security incident reporting
- technical and procedural failures
- change management
- information technology health checks and penetration testing
- external statutory and regulatory obligations
- policy exceptions
- Data Protection impact assessments
Recording risk
- information assurance risk register - records a summary of general information assurance risks
- cyber security risk register - records risks relating to the protection of information systems, and the data that resides on them, from cyber-attacks
- information security management system risk register - records risks specific to the management of the information security management system and related controls
- Data Protection risk register - records risks relating to processing of personal data and its associated legal obligations
- records management risk register - records risks relating to our records management approach
- Data Protection Impact Assessments (DPIA) - a DPIA is mandatory for certain types of processing involving personal data. It will be used to identify and remediate privacy risks
Assessing risk
We use a qualitative risk assessment, based on our corporate risk approach, to assess risk. The risk assessment will consider the likelihood of an event happening together with the business impact.
Confidentiality, integrity, or availability of the assets will form part of the assessment.
A scale of 1 to 4 for likelihood and impact is used in line with the corporate risk model.
Treatment of risk
We will address information risk using four key aspects of internal control:
- tolerate - the decision on retaining the risk without further action.
- treat - the decision to introduce, remove or alter controls so that the residual risk can be reassessed as being acceptable. This must be achieved through the following actions:
- preventative – stop undesirable events happening for example limiting action to an authorised person
- corrective – restore normality after the occurrence of undesirable events for example incident management
- directive – encourage desired behaviour or outcomes for example training staff
- detective – detect the occurrence of undesirable events for example audit and monitoring
- transfer – the decision to transfer the risk to another party in order to manage the risk more effectively. Reputational risk cannot be transferred
- terminate – the decision to avoid the risk completely by withdrawing from a planned or existing activity or set of activities
Monitoring risk
We will monitor and review risks and their factors:
- context – identifying changes to underlying assumptions or new factors
- controls – ensuring the controls for risks do not become less effective or irrelevant
- treatments – ensuring risk treatments are appropriately implemented and maintained
Shared risk
We recognise that ownership of information risk can be shared. The impact can therefore be external to the council, for example through partnership working. We will work with our partners to manage risk to ensure organisations can discharge their responsibilities appropriately.