Procedures for risk management - information security
1 Introduction
The following procedures describe a process for assessing and addressing security risks in information systems, on storage media (for example USB sticks or external hard drives) and in analog information (for example paper notes).
The procedures are part of the university's overall routines for information security (UFV 2017/93), which are based on the Swedish Civil Contingencies Agency's regulations on information security for governmental authorities (MSBFS 2020:6).
2 Definitions
Information or information assets - Includes information and information processing resources that are of value to the university. The term includes all electronic, paper-based, verbal or otherwise stored or communicated information, as well as the information systems (hardware and software) and communication solutions that handle the information.
Information system - Includes applications, services, storage solutions, cloud services or other components that manage information. The term also includes networks and infrastructure.
Threat - A possible unwanted event which would have negative consequences for the business.
Probability - A measure of how likely it is that a threat results in a negative event.
Consequence - The result of a threat resulting in a negative event. The impact may be, for example, financial, reputational or legal.
Risk - The probability and consequence of a threat resulting in a negative event.
Gap analysis - Identification of the difference between implemented security measures and the security measures that are identified as necessary.
3 Purpose
These procedures are intended to provide practical and domain-specific support for continuous risk management of the university's information resources with regard to confidentiality, integrity and availability.
4 Goal
That the University's information resources are protected in accordance with the University's current Procedures for information security (UFV 2017/93).
5 Process
The risk management process in its entirety is carried out in the steps described below. Each of the steps can also be performed separately or in combination with other steps.
It is important to note that the result of the information classification is always a prerequisite for proceeding to the subsequent steps.
- Scoping
- Consequence analysis (with regard to system failure)
- Information classification
- Requirement analysis
- Risk analysis
- Management of identified security vulnerabilities
6 Approach
It is recommended that the process is carried out in one or more workshops with representatives from the relevant department, division or working group, preferably with a process leader from the university's security division.
7 Implementation
7.1 Scope
Before information classification and the subsequent steps can begin, the scope must be defined, e.g. per system or research project.
7.2 Information classification
Information classification is the basis for secure information management. It is a process in which the required level of protection for the information is determined with regard to the aspects of confidentiality, integrity and availability.
Confidentiality - Information must not be made available or disclosed to unauthorized parties, systems or processes.
Integrity - Information must not be modified, manipulated or altered, whether by unauthorized parties, by mistake, or due to system failure.
Availability - Information must be accessible and available for use in the expected manner, and within the desired time.
Information classification is carried out by the organization that owns the information. Examples of information owners are heads of department (or equivalent), e-area managers (e-områdesansvariga), etc.
The required level of protection with regard to each of the information security aspects mentioned above is classified at one of the levels 0 to 3. The classification value of an information asset is expressed as a three-digit combination, for example 321, where the first digit refers to the assessment for the confidentiality aspect, the second digit to the integrity aspect and the third to the availability aspect.
Instructions for carrying out information
7.3 Requirement analysis
The requirement analysis is closely associated with information classification, but it is aimed at a system or a group of systems. In the requirement analysis step, the result of the information classification is mapped against the system or systems that are relevant in the context. In this step, the classification values for the information assets in question are first transferred from the Template for carrying out information classification to the Template for carrying out requirement analysis.
The highest classification value for each of the aspects (confidentiality, integrity and availability) among the information assets that the system handles is used to select the correct set of requirements to place on the system.
Example: A system handles information assets A, B and C - classified as follows:
Information asset A: 132
Information asset B: 331
Information asset C: 222
In this example, the system being analyzed needs to meet the requirements corresponding to security level 332.
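The following is an added example (my code, not part of the university's procedure or its templates) that applies the rule above to the page's own assets A, B and C and also reports, for each aspect, which asset(s) drive the requirement, which helps when justifying a requirement in the template. Asset names and the dictionary layout are assumptions.

```python
"""Aggregate information-classification codes into the security level a
system must meet (step 7.3): the highest level per aspect across all assets.
Added example; not code from the university's procedure or templates."""

ASPECTS = ("confidentiality", "integrity", "availability")
LEVELS = range(0, 4)  # each aspect is classified at one of the levels 0..3


def parse_classification(code: str) -> tuple[int, int, int]:
    """Parse a three-digit code such as '321' into (C, I, A) levels."""
    if len(code) != 3 or not code.isdigit():
        raise ValueError(f"classification must be three digits 0-3, got {code!r}")
    levels = tuple(int(ch) for ch in code)
    if any(lvl not in LEVELS for lvl in levels):
        raise ValueError(f"each aspect must be in the range 0-3, got {code!r}")
    return levels


def required_security_level(assets: dict[str, str]) -> tuple[str, dict[str, list[str]]]:
    """Return the security level the system must meet (as a code such as '332')
    and, per aspect, the asset(s) classified at that highest level.

    `assets` maps an asset name (assumed layout) to its classification code.
    """
    if not assets:
        raise ValueError("no classified information assets in scope")
    parsed = {name: parse_classification(code) for name, code in assets.items()}
    level_digits = []
    drivers = {}
    for idx, aspect in enumerate(ASPECTS):
        # The highest level among all assets decides the requirement set.
        top = max(levels[idx] for levels in parsed.values())
        level_digits.append(str(top))
        drivers[aspect] = sorted(n for n, levels in parsed.items() if levels[idx] == top)
    return "".join(level_digits), drivers


if __name__ == "__main__":
    # The worked example from the procedure: assets A, B and C.
    level, drivers = required_security_level({"A": "132", "B": "331", "C": "222"})
    print(level, drivers)
```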
The step of selecting requirements from the list of all requirements is carried out with the support of the Template for carrying out requirement analysis.
In the requirement analysis, the level of compliance with the university's routines for information security (UFV 2017/93) is assessed.
The security areas covered by the guidelines, and the objectives of the security measures in each area, are described below.
| Security area | Objective |
|---|---|
| Procedures/guidelines | The university's guidelines for information security are known within the organization. |
| Organization and responsibilities | Responsibilities and areas of responsibility for information security work are stated within the organization. |
| Employee safety | Employees and other related parties are aware of their own responsibilities for information security. |
| Asset management | The information resource(s) are protected in an appropriate manner. |
| Access control | Only authorized users have access to the information resource(s). |
| Encryption | Sensitive information is protected by encryption. |
| Physical and environmental security | Premises and system equipment are protected against unauthorized access, damage and interference. |
| Operations security | The operation of the information resource(s) takes place in a correct and secure manner. |
| Communications security | Data transmission to and from the information resource(s) is protected in an appropriate manner. |
| Procurement, development and maintenance of systems | Information security is managed as an integral part of the information resource(s) over its entire life cycle. |
| Provider relations | Information security requirements according to the university's guidelines are regulated in agreements with external providers. |
| Incident management | Procedures for handling information security incidents are known within the organization. |
| Continuity management | The organization has a documented and verified plan for access to the information in a crisis or disaster situation. |
| Compliance | The organization complies with regulatory and contractual information security requirements and obligations. |
7.4 Risk analysis – A method for risk assessment
The risk analysis assesses the threats that the organization faces due to previously known or suspected security vulnerabilities, or due to the vulnerabilities detected during the requirement analysis. For each identified threat, both the consequences that a resulting negative event could have on operations and the probability of the threat resulting in a negative event are assessed.
For each identified threat, a risk factor is calculated that combines the assessed levels of consequence and probability. The risk factor places the risk in one of the following groups, which indicate how the risk is to be managed by the organization.
| Risk level | Handling |
|---|---|
| Negligible risk | Accept |
| Low risk | Monitor |
| Medium risk | Plan to implement a risk mitigation measure at the appropriate time, e.g. version upgrade or equivalent. |
| High risk | Immediate action is required. |
The Template for carrying out requirement analysis can be used as support for carrying out the risk analysis.
7.5 Management of the identified security vulnerabilities
Where security vulnerabilities have been identified in connection with a requirement analysis, this is a clear indication that the analyzed system does not meet the required level of security. Every identified vulnerability therefore needs to be analyzed and assessed by carrying out a gap analysis. The results of the gap analysis provide the basis for appropriate risk-mitigating measures.
8 Incident management
All incidents must be reported to the University Service Desk (servicedesk@uu.se).
This applies to any incident that:
- has affected the confidentiality, integrity or availability of information deemed to be in need of extended protection, or
- has meant that information systems processing information deemed to be in need of extended protection have not been able to maintain their intended functionality, or
- has affected the authority's ability to carry out its mission, or
- may otherwise seriously affect the security of the information management for which the authority is responsible, or of services that the authority provides to another organization, or
- has affected the confidentiality, integrity or availability of personal data. Such an incident has occurred if personal data has been destroyed, lost, altered or disclosed to an unauthorized person, whether unintentionally or unlawfully.
The service desk will then assess which incidents, if any, are to be reported to MSB or to the Swedish Authority for Privacy Protection (IMY), in accordance with current regulations.
Please note that it is important to record all incidents, even those that are not reported to MSB or IMY, in order to remedy problems and disruptions and to reduce the risks of data loss, cyber attacks, etc.
9 Appendices
- Instructions for carrying out information classification
- Template for carrying out information classification
- Template for carrying out requirement analysis
- Template for management of identified security vulnerabilities