30. HealthSafe Risk Assessment and Treatment Policy


RISK ASSESSMENT AND TREATMENT POLICY



Document Identification: HSNZ/POL/30
Document Name: Risk Assessment and Treatment Policy
Master Copy: CISO
Version Number: 1.3
Date Of Release: 15 Aug 2023
Prepared By: Eparama Tuibenau, CISO
Approved by: Kevin McAfee, Managing Director


VERSION HISTORY


Sl No | Version No. From | Version No. To | Prepared by | Approved by | Description of Version | Date | Reason for Version Change
1 | 1.0 | - | CISO | MD | First Release | 14 Apr 2020 | No changes made
1 | 1.0 | 1.1 | CISO | MD | Updated | 04 Aug 2021 | Modifications due to changes in HealthSafe
1 | 1.1 | 1.2 | CISO | MD | Reviewed | 28 Jul 2022 | Annual review
1 | 1.2 | 1.3 | CISO | MD | Reviewed | 15 Aug 2023 | Annual review


DOCUMENT STATUS


Date | Document Status
14 Apr 2020 | Modified
04 Aug 2021 | Reviewed
28 Jul 2022 | Reviewed
15 Aug 2023 | Current


Table of Contents

1 Purpose
2 Scope
3 Input
4 Output
5 Procedure
6 Documentation and Records


1 PURPOSE

This procedure applies to all assets within the scope of the HealthSafe NZ Information Security Management System.


2 SCOPE

This procedure defines the responsibilities, methodology and processes used to assess risks to the assets and to mitigate them by applying appropriate controls.


3 RESPONSIBILITIES

Responsibility for risk assessment lies with the ISMS Team.


4 TERMS AND DEFINITIONS


Term | Definition
Asset | Anything that has value to the organisation, its business operations and their continuity.
Impact | The result of an unwanted incident.
Information Security | Preservation of confidentiality, integrity and availability of information.
Confidentiality | Ensuring that information is accessible only to those authorised to have access.
Integrity | Safeguarding the accuracy and completeness of information and processing methods.
Availability | Ensuring that authorised users have access to information and associated assets when required.
Risk | Combination of the probability of an event and its consequence.
Risk Assessment | The overall process of risk analysis (systematic use of information to identify sources and to estimate the risk) and risk evaluation (process of comparing the estimated risk against given risk criteria to determine the significance of the risk).
Risk Management | Coordinated activities to direct and control an organisation with regard to risk. It includes risk assessment, risk treatment, risk acceptance and risk communication.
Risk Treatment | Process of selecting and implementing controls to modify risk.
Residual Risk | The risk remaining after risk treatment.
Security Control | A practice, procedure or mechanism that reduces security risks.
Threat | A potential cause of an unwanted incident, which may result in harm to a system or organisation.
Vulnerability | A weakness of an asset or group of assets, which can be exploited by a threat.


5 PROCEDURE 

Risk Assessment Approach

The assessment of risk has been carried out as an overall process of risk analysis (systematic use of information to identify sources and to estimate the risk) and risk evaluation (process of comparing the estimated risk against given risk criteria to determine the significance of risk).


The risk assessment includes the following factors:

  • Identification and valuation of assets
  • Identification of all security requirements, i.e. threats and vulnerabilities, legal and business requirements
  • Assessment of the likelihood of the threats and vulnerabilities to occur, and the importance of legal and business requirements
  • Calculation of risk resulting from these factors
  • Selection of the appropriate risk treatment options; and
  • Selection of controls to reduce the risks to an acceptable level.

This process results in a Statement of Applicability, which presents the control objectives and controls that have been selected. The selection is linked to the results of the risk assessment and risk treatment processes, and the Statement records the justification and rationale for each selected control objective and control.




Risk Assessment & Analysis:-

Step 1: Identify the HealthSafe location and, for that location, the information assets and their owners.

Step 2: For the identified area/location, identify the respective threats and vulnerabilities.

Step 3: Identify the Confidentiality, Integrity and Availability value of each asset; the product of the three CIA values is the Business Impact Value (C*I*A = Business Impact Value).




Asset Value | Explanation
Confidentiality | The property that information is not made available or disclosed to unauthorised individuals, entities or processes.
Integrity | The property of safeguarding the accuracy and completeness of assets.
Availability | The property of being accessible and usable upon demand by an authorised entity.

Each of the C, I and A values is scored on the following scale:

Scale | Degree
1 | Low
2 | Medium
3 | High

Business Impact Value = C*I*A


Step 4: Multiply the identified Business Impact Value by the likelihood value to obtain the risk level.

Probability | Explanation | Score
Low | Unlikely or rare occurrence | 1
Medium | Not so frequent occurrence | 2
High | Frequent occurrence | 3

Risk = Business Impact Value * Likelihood

Risk Value | Risk Level (Risk Classification)
3 to 26 | Low
27 to 53 | Medium
54 to 81 | High


Risk Acceptance Level

HealthSafe management has decided to accept any risk whose level is below 26. No additional control measures are required for such risks.


Risk Treatment Plan

Based on the identified risk, four methods of risk treatment will be established: Risk Control (RC), Risk Acceptance (RA), Risk Avoidance (RAV) and Risk Transfer (RT).


Residual Risk calculation

  • Upon identification of controls, the residual risk shall be calculated.
  • The residual risk is the risk that still persists after the identified controls have been implemented.
  • To calculate the residual risk, re-estimate the probability of occurrence of the threats and vulnerabilities after implementation of the controls.
  • Management approval shall be obtained for all identified residual risks.

Residual Risk (RR) = CIA Value*Likelihood Value

Note: Residual risk should be calculated based on the existing controls. The residual risk assessment will be carried out after completion of one full cycle of implementation and certification. 
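As an added, constructed example (not part of the policy or of any HealthSafe register), the following Python carries the Step 3 and Step 4 arithmetic, the Low/Medium/High bands, the "below 26" acceptance threshold and the residual-risk formula through for a small register. Asset names and scores are invented; the treatment of risk values below 3 (which the bands do not cover) and the suggested treatment code are assumptions and are marked as such in the comments.

```python
"""Risk scoring per the HealthSafe method: BIV = C*I*A, Risk = BIV*Likelihood.

Constructed example; asset names, scores and function names are illustrative
and are not taken from the policy or any real risk register.
"""
from dataclasses import dataclass
from typing import Optional

SCALE = {1: "Low", 2: "Medium", 3: "High"}             # Scale/Degree table
RISK_BANDS = ((3, 26, "Low"), (27, 53, "Medium"), (54, 81, "High"))
ACCEPTANCE_THRESHOLD = 26                               # policy: "below 26"


def _check_score(name, value):
    """Every C, I, A and likelihood score must be 1, 2 or 3."""
    if value not in SCALE:
        raise ValueError(f"{name} must be 1, 2 or 3, got {value!r}")
    return value


def business_impact_value(c, i, a):
    """Business Impact Value = C * I * A (each 1..3, so the product is 1..27)."""
    return _check_score("C", c) * _check_score("I", i) * _check_score("A", a)


def risk_value(biv, likelihood):
    """Risk = Business Impact Value * Likelihood (1..81)."""
    return biv * _check_score("likelihood", likelihood)


def risk_level(risk):
    """Map a risk value onto the policy's bands.

    The lowest band starts at 3, but 1*1*1*1 = 1 and 2 are reachable.
    Assumption (not stated in the policy): values below the lowest band
    are reported as Low rather than rejected.
    """
    for low, high, label in RISK_BANDS:
        if low <= risk <= high:
            return label
    if 1 <= risk < RISK_BANDS[0][0]:
        return RISK_BANDS[0][2]
    raise ValueError(f"risk value {risk} is outside 1..81")


def is_accepted(risk):
    """The policy wording is 'below 26', so 26 itself is not accepted here."""
    return risk < ACCEPTANCE_THRESHOLD


def suggested_treatment(risk):
    """Assumption: an accepted risk maps to Risk Acceptance (RA); anything
    else needs one of the other options (RC, RAV or RT) chosen by the owner."""
    return "RA" if is_accepted(risk) else "RC/RAV/RT"


@dataclass
class RiskEntry:
    asset: str
    c: int
    i: int
    a: int
    likelihood: int
    treated_likelihood: Optional[int] = None   # re-estimated after controls

    def assess(self):
        biv = business_impact_value(self.c, self.i, self.a)
        risk = risk_value(biv, self.likelihood)
        row = {
            "asset": self.asset,
            "biv": biv,
            "risk": risk,
            "level": risk_level(risk),
            "accepted": is_accepted(risk),
            "treatment": suggested_treatment(risk),
        }
        if self.treated_likelihood is not None:
            # Residual Risk (RR) = CIA Value * Likelihood Value after controls
            rr = risk_value(biv, self.treated_likelihood)
            row["residual_risk"] = rr
            row["residual_level"] = risk_level(rr)
            row["residual_accepted"] = is_accepted(rr)
        return row


def build_register(entries):
    """Assess every entry and return the register rows in order."""
    return [e.assess() for e in entries]


# Constructed sample register, not real HealthSafe data.
SAMPLE = [
    RiskEntry("Patient records database", 3, 3, 3, 2, treated_likelihood=1),
    RiskEntry("Public website", 1, 2, 3, 3),
    RiskEntry("Office printer", 1, 1, 1, 1),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE):
        print(row)
```

The first sample entry shows why the residual-risk step matters: a BIV of 27 with likelihood 2 scores 54 (High), and reducing the likelihood to 1 after controls still leaves 27 (Medium), which is above the acceptance threshold and therefore needs management approval rather than silent acceptance.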


Review of risk assessment:-

  • Risks, vulnerabilities and threats change over time, so the risks associated with information assets shall be reviewed and reassessed at least once every 6 months. The review need not wait for the cycle to complete and may be carried out whenever the business requires it.

6 DOCUMENTATION & RECORDS

  • Risk identification & evaluation
  • Risk determination
  • SOA/Controls & Control Objectives