RISK ASSESSMENT AND TREATMENT POLICY
| Document Identification | HSNZ/POL/30 |
|---|---|
| Document Name | Risk Assessment and Treatment Policy |
| Master Copy | CISO |
| Version Number | 1.3 |
| Date Of Release | 15 Aug 2023 |
| Prepared By | Eparama Tuibenau, CISO |
| Approved by | Kevin McAfee, Managing Director |
VERSION HISTORY

| Sl No | Version No. From | Version No. To | Prepared by | Approved by | Description of Version | Date | Reason for Version Change |
|---|---|---|---|---|---|---|---|
| 1 | - | 1.0 | CISO | MD | First Release | 14 Apr 2020 | No changes made |
| 1 | 1.0 | 1.1 | CISO | MD | Updated | 04 Aug 2021 | Modifications due to changes in HealthSafe |
| 1 | 1.1 | 1.2 | CISO | MD | Reviewed | 28 Jul 2022 | Annual review |
| 1 | 1.2 | 1.3 | CISO | MD | Reviewed | 15 Aug 2023 | Annual review |
DOCUMENT STATUS

| Date | Document Status |
|---|---|
| 14 Apr 2020 | Modified |
| 04 Aug 2021 | Reviewed |
| 28 Jul 2022 | Reviewed |
| 15 Aug 2023 | Current |
Table of Contents
1 Purpose
2 Scope
3 Responsibilities
4 Terms and Definitions
5 Procedure
6 Documentation and Records
1 PURPOSE
This procedure is applicable for all the assets which are within the scope of the HealthSafe NZ Information Security Management System.
2 SCOPE
This procedure defines the responsibilities, methodology and processes used to assess risks to the assets and to mitigate those risks by applying the right controls.
3 RESPONSIBILITIES
Responsibility for risk assessment lies with the ISMS Team.
4 TERMS AND DEFINITIONS
| Terms | Definition |
|---|---|
| Asset | Anything that has value to the organisation, its business operations and their continuity. |
| Impact | The result of an unwanted incident. |
| Information Security | Preservation of confidentiality, integrity and availability of information. |
| Confidentiality | Ensuring that information is accessible only to those authorised to have access. |
| Integrity | Safeguarding the accuracy and completeness of information and processing methods. |
| Availability | Ensuring that authorised users have access to information and associated assets when required. |
| Risk | Combination of the probability of an event and its consequence. |
| Risk Assessment | The overall process of risk analysis (systematic use of information to identify sources and to estimate the risk) and risk evaluation (process of comparing the estimated risk against given risk criteria to determine the significance of the risk). |
| Risk Management | Coordinated activities to direct and control an organisation with regard to risk. It includes risk assessment, risk treatment, risk acceptance and risk communication. |
| Risk Treatment | Process of selecting and implementing controls to modify risk. |
| Residual Risk | The risk remaining after risk treatment. |
| Security Control | A practice, procedure or mechanism that reduces security risks. |
| Threat | A potential cause of an unwanted incident, which may result in harm to a system or organisation. |
| Vulnerability | A weakness of an asset or group of assets which can be exploited by a threat. |
5 PROCEDURE
Risk Assessment Approach
The assessment of risk has been carried out as an overall process of risk analysis (systematic use of information to identify sources and to estimate the risk) and risk evaluation (process of comparing the estimated risk against given risk criteria to determine the significance of risk).
The risk assessment includes the following factors:
- Identification and valuation of assets
- Identification of all security requirements, i.e. threats and vulnerabilities, legal and business requirements
- Assessment of the likelihood of the threats and vulnerabilities to occur, and the importance of legal and business requirements
- Calculation of risk resulting from these factors
- Selection of the appropriate risk treatment options; and
- Selection of controls to reduce the risks to an acceptable level.
All this results in a Statement of Applicability which presents the control objectives, and controls that have been selected. This selection is linked to the results of the risk assessment and risk treatment processes. It indicates the justification and rationale for the selection of control objectives and controls.
Risk Assessment & Analysis:
Step 1: The HealthSafe location is identified and, for that location, the information assets and their owners are identified.
Step 2: For the identified area/location, the threats and vulnerabilities affecting those assets are identified.
Step 3: Identify the Confidentiality, Integrity and Availability values; their product is the Business Impact Value (C * I * A = Business Impact Value).
| Asset Value | Explanation |
|---|---|
| Confidentiality | The property that information is not made available or disclosed to unauthorised individuals, entities or processes. |
| Integrity | The property of safeguarding the accuracy and completeness of assets. |
| Availability | The property of being accessible and usable upon demand by an authorised entity. |

Each of the three values is rated on the following scale:

| Scale | Degree |
|---|---|
| 1 | Low |
| 2 | Medium |
| 3 | High |
Business Impact Value = C * I * A

Step 4: Multiply the identified Business Impact Value by the likelihood value; the product is the risk level.
| Probability | Explanation | Score | Colour Coding |
|---|---|---|---|
| Low | Unlikely or rare occurrence | 1 | |
| Medium | Not so frequent occurrence | 2 | |
| High | Frequent occurrence | 3 | |
Risk

Risk = Business Impact Value * Likelihood

| Risk Value | Risk Level | Colour Coding - Risk Classification |
|---|---|---|
| 3 to 26 | Low | |
| 27 to 53 | Medium | |
| 54 to 81 | High | |
Risk Acceptance Level
HealthSafe management has decided to accept any risk whose level is below 26. No additional control measures are required for such risks.
Risk Treatment Plan
Based on the identified risk, four methods of risk treatment will be established: Risk Control (RC), Risk Acceptance (RA), Risk Avoidance (RAV) and Risk Transfer (RT).
Residual Risk calculation
- Once controls have been identified, the residual risk shall be calculated.
- The residual risk is the risk that still persists after the identified controls have been implemented.
- To arrive at the residual risk, re-evaluate the probability of occurrence of the threats and vulnerabilities after the controls have been implemented.
- Management approval shall be obtained for every identified residual risk.
Residual Risk (RR) = CIA Value * Likelihood Value
Note: Residual risk should be calculated based on the existing controls. The residual risk assessment will be carried out after completion of one full cycle of implementation and certification.
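The scoring in Steps 3 and 4, the risk bands and the residual-risk recalculation above can be checked end to end with a short script. The following is an added example and not part of the policy or of HealthSafe's own tooling; the sample asset, its C/I/A ratings and likelihoods are constructed, and the treatment of risk values 1 and 2 (which no band in the risk table covers) as Low is an assumption made here, not something the policy states.

```python
from itertools import product

# Rating scale used for each of C, I, A and for likelihood (policy tables).
SCALE = {1: "Low", 2: "Medium", 3: "High"}

# Risk classification bands from the policy's risk table: (low, high, level).
RISK_BANDS = [(3, 26, "Low"), (27, 53, "Medium"), (54, 81, "High")]

# Management acceptance threshold as stated in the policy: "anything below 26".
ACCEPTANCE_THRESHOLD = 26


def _check_rating(name, value):
    """Every input must be one of the three scale points."""
    if value not in SCALE:
        raise ValueError(f"{name} must be 1, 2 or 3, got {value!r}")


def business_impact(c, i, a):
    """Step 3: Business Impact Value = C * I * A."""
    for name, value in (("C", c), ("I", i), ("A", a)):
        _check_rating(name, value)
    return c * i * a


def risk_value(c, i, a, likelihood):
    """Step 4: Risk = Business Impact Value * Likelihood."""
    _check_rating("likelihood", likelihood)
    return business_impact(c, i, a) * likelihood


def risk_level(risk):
    """Classify a risk value with the policy's bands.

    Assumption (not stated in the policy): values 1 and 2, which the
    bands do not cover, are treated as Low.
    """
    if 1 <= risk < RISK_BANDS[0][0]:
        return "Low"
    for low, high, level in RISK_BANDS:
        if low <= risk <= high:
            return level
    raise ValueError(f"risk value {risk} is outside the 1..81 range")


def is_accepted(risk):
    """Risk Acceptance Level: anything below 26 needs no further controls."""
    return risk < ACCEPTANCE_THRESHOLD


def residual_risk(c, i, a, likelihood_after_controls):
    """Residual Risk = CIA Value * Likelihood, with the likelihood re-evaluated
    after the selected controls are in place; the CIA rating is unchanged."""
    return risk_value(c, i, a, likelihood_after_controls)


def achievable_risk_values():
    """All risk values the scoring can actually produce (1..3 for each factor)."""
    return sorted({c * i * a * l for c, i, a, l in product(SCALE, repeat=4)})


def uncovered_values():
    """Achievable risk values that no band in the risk table covers."""
    covered = {v for low, high, _ in RISK_BANDS for v in range(low, high + 1)}
    return [v for v in achievable_risk_values() if v not in covered]


def assess(asset, c, i, a, likelihood, likelihood_after_controls):
    """Full worked assessment for one asset: inherent risk, then residual risk."""
    inherent = risk_value(c, i, a, likelihood)
    residual = residual_risk(c, i, a, likelihood_after_controls)
    return {
        "asset": asset,
        "business_impact": business_impact(c, i, a),
        "risk": inherent,
        "level": risk_level(inherent),
        "accepted": is_accepted(inherent),
        "residual_risk": residual,
        "residual_level": risk_level(residual),
        "residual_accepted": is_accepted(residual),
    }


if __name__ == "__main__":
    # Constructed sample asset, not from the policy: C=3, I=3, A=2,
    # likelihood High (3) before controls and Low (1) after controls.
    print(assess("patient records database (constructed)", 3, 3, 2, 3, 1))
    print("achievable risk values:", achievable_risk_values())
    print("values outside every band:", uncovered_values())
```

For the constructed asset the Business Impact Value is 18, the inherent risk 54 (High, not accepted) and the residual risk after controls 18 (Low, accepted). Enumerating every combination also shows which values the scheme can produce at all: only 1, 2, 3, 4, 6, 8, 9, 12, 16, 18, 24, 27, 36, 54 and 81. A value of 26 never occurs, so the "3 to 26" Low band and the "below 26" acceptance rule cannot disagree in practice, and only 1 and 2 fall outside every band in the table.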
Review of risk assessment:
- Risks, vulnerabilities and threats change over time, so the risks associated with information assets shall be reviewed and reassessed at least once every 6 months. The review need not wait for the cycle to complete and may be carried out whenever the business requires it.
6 DOCUMENTATION & RECORDS
- Risk identification & evaluation
- Risk determination
- SOA/Controls & Control Objectives