Evaluate the risks to an information system
The business owner must select an action and controls for each risk, and sign off on the risk assessment report — using it to manage the risks to the information system.
Select an action to take for each risk
For their evaluation of each risk, the business owner can choose 1 of 4 actions.
Stop the activity that gives rise to the risk, which eliminates the risk.
Risk avoidance is not commonly selected, as it typically results in not being able to take advantage of the opportunities presented by the activity.
Implement controls to reduce the likelihood or impact, or both, of the risk happening.
|Transfer||Transfer all or part of the impact of the risk happening to a third party — for example, insurance or outsourcing.|
When risks are assessed as being within the government organisation’s risk tolerance level, they are usually accepted.
However, risks may also be accepted when it is not practical to avoid, treat or transfer them.
Who can accept risks in each zone
If choosing to accept a risk, the business owner needs to make sure it’s in a zone where they have the authority to accept it. If it’s not, they need to inform the right reporting level and get their authorisation — only then can a government organisation accept a risk in zones 3 and 4.
Table 2 is an example of a risk escalation and reporting table used for getting the appropriate authorisation when choosing to accept a risk.
|Zone||Risk escalation and reporting levels for each risk zone|
|Zone 4||Chief executive|
|Zone 3||Senior leadership team|
|Zone 2||Business owner|
|Zone 1||Service manager or project manager|
The risk zones in Table 2 match those in the example of a risk matrix.
Select controls for each risk
During the risk assessment of an information system, the business owner needs to identify and select controls for each risk. The aim is to get each risk within your organisation’s level of risk tolerance.
To reduce the likelihood or impact, or both, of a risk happening, there are controls that can be used either:
- in combination with each other.
Make sure the controls reduce the final risk rating
Example — Risk scenario, final risk rating: zone 3
On the risk rating matrix, the risk has:
- a likelihood of ‘almost never’
- an impact of ‘severe’.
Recommending a control that reduces the likelihood of the risk happening will not reduce its final rating.
If you select a control, or a combination of controls, that lessen the impact of the risk happening, this will reduce the final risk rating.
Controls must align with security requirements in New Zealand
Government organisations are required to use controls that match the guidance in the New Zealand Information Security Manual (NZISM). The business owner needs to select controls for each risk accordingly.
The NZISM defines mandatory and discretionary controls for the different levels of information classification.
Examples of effective controls
- Implement access control lists on shared folders and files to make sure that only authorised personnel can access the information stored in them.
- Review the patch management process to make sure that it includes all operating systems, applications and firmware. Monthly maintenance windows are defined and agreed on with the business, so that patches are implemented regularly and in a timely manner.
- Set up additional servers and load-balancing hardware to make sure that the service scales meet business and availability requirements if a server fails.
- Start an operational procedure to test the restoration of data from the backup media to make sure that critical data can be restored.
Organise the selected controls
Each control may apply to multiple risks. To keep track of these relationships, define each control in a catalogue that cross-references it with the risks that they reduce.
Sign off and use the risk assessment report
The business owner must acknowledge that the report accurately documents the outcome of the risk assessment.
If the report is not accurate, the business owner needs to seek out the documents and changes needed to make it reflect the risk assessment’s outcome.