{"id":10243,"date":"2024-11-13T13:04:41","date_gmt":"2024-11-13T11:04:41","guid":{"rendered":"https:\/\/oigusaktid.taltech.ee\/?p=10243"},"modified":"2024-11-20T15:49:47","modified_gmt":"2024-11-20T13:49:47","slug":"guidelines-for-information-security-risk-management","status":"publish","type":"post","link":"https:\/\/oigusaktid.taltech.ee\/en\/guidelines-for-information-security-risk-management\/","title":{"rendered":"Guidelines for Information Security Risk Management"},"content":{"rendered":"

[showhide show_caption=”Table of Contents \u00bb\u00bb\u00bb” hide_caption=”Close Table of Contents \u00ab\u00ab\u00ab”]<\/p>\n

1 General provisions<\/a><\/p>\n

2 Risk management process<\/a><\/p>\n

2.1 Establishing the context<\/a><\/p>\n

2.2 Risk assessment<\/a><\/p>\n

2.2.1 Risk identification<\/a><\/p>\n

2.2.2 Risk analysis<\/a><\/p>\n

2.2.3 Risk evaluation<\/a><\/p>\n

3 Risk treatment<\/a><\/p>\n

3.1 Risk avoidance<\/a><\/p>\n

3.2 Risk mitigation<\/a><\/p>\n

3.3 Risk sharing\/transfer<\/a><\/p>\n

3.4 Risk acceptance<\/a><\/p>\n

3.4.1 Residual risk<\/a><\/p>\n

4. Monitoring and reviewing risks<\/a><\/p>\n

5. Communicating. Informing. Consulting<\/a><\/p>\n

6. Roles<\/a><\/p>\n

6.1 The Director for Administration<\/a><\/p>\n

6.2 The Chief Information Security Office<\/a><\/p>\n

6.3 The risk owner<\/a><\/p>\n

7. Annex 1 Impact analysis<\/a><\/p>\n

[\/showhide]<\/p>\n

1 General provisions<\/h1>\n

Risk management<\/strong> (hereinafter referred to as \u201crisk management\u201d) is a set of coordinated activities to direct and control an organization with regard to risk.
\nThe purpose of risk management is<\/strong>:<\/p>\n

\u2022 to maintain the lowest level of economically justified risk that ensures the business continuity and long-term competitiveness of the university;
\n\u2022 to identify and manage risks associated with the university\u2019s activities, taking into account the scope and complexity of the processes and the existing experience;
\n\u2022 to establish a foundation for self-assessing risks and implementing measures to prevent losses caused by risks.<\/p>\n

Information security risk management<\/strong> focuses on information systems and IT assets (by addressing risks related to confidentiality, integrity, and availability). Risk management<\/strong> supports the information security risk management (ISRM) process. Risks affecting the university are systematically and continuously identified, assessed, treated and monitored.<\/p>\n

2 Risk management process<\/h1>\n

The risk management process consists of the following stages:<\/p>\n

\"\"<\/a><\/p>\n

Figure <\/span>1<\/span> Risk management process<\/span><\/span><\/span><\/span><\/span><\/p>\n

2.1\u00a0 Establishing the context<\/h2>\n

The framework for managing risks shall be designed considering both the internal and external context of the university.
\nExamining the external context should include the following:<\/p>\n

\u2022 the social, cultural, political, legal, regulatory, financial, technological, economic and environmental factors, whether international, national, regional or local;
\n\u2022 key drivers and trends affecting the objectives of the organisation;
\n\u2022 external stakeholders\u2019 relationships, perceptions, values, needs, contractual relationships and commitments;
\n\u2022 the complexity of networks and dependencies.<\/p>\n

Examining the external context should include the following:<\/p>\n

\u2022 the organisation\u2019s vision, mission and values;
\n\u2022 governance, organisational structure, roles and accountabilities;
\n\u2022 strategy, objectives and policies;
\n\u2022 the organisation\u2019s culture;
\n\u2022 standards, guidelines and models adopted by the organisation;
\n\u2022 capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, intellectual property, processes, systems and technologies);
\n\u2022 data, information systems and information flows,
\n\u2022 relationships with internal stakeholders, taking into account their perceptions and values;
\n\u2022 contractual relationships and commitments.<\/p>\n

2.2 Risk assessment<\/h2>\n

Risk assessment is the overall process of risk identification, risk analysis and risk evaluation. Risk assessment is performed based on the information system and information assets. Risk assessment is performed at least once a year. <\/strong>In addition, risk assessment is performed in the event of any significant change to a system.<\/p>\n

Risk identification<\/span><\/span><\/span><\/span><\/span><\/span><\/h3>\n

The purpose of risk identification is to identify any incidents or situations that may affect the achievement of the university\u2019s objectives, the performance of its tasks and its planned operations.
\nA risk exists when there is a threat that can exploit a vulnerability in the university. Depending on the specific field,\u00a0 there may be a variety of threats and vulnerabilities that must be identified, documented, and analysed.
\nThe following sources may serve as input for identifying risks:<\/p>\n

\u2022 public or internal statistics,
\n\u2022 survey results,
\n\u2022 expert assessments,
\n\u2022 recorded incidents, their analysis and experience gained,
\n\u2022 experience gained from previous risk assessments,
\n\u2022 external party experience and\/or materials, assessments.<\/p>\n

Each identified risk is assigned a unique identifier and documented in a reproducible format. In subsequent stages of risk management, this information will be supplemented with additional details. Risks are recorded in the risk register (in JIRA).
\nRisks are defined using the following structure: a \u2018risk factor\u2019 induces a \u2018risk event\u2019, which causes \u2018loss or impact resulting from the risk\u2019.<\/strong><\/p>\n

Identifying risks within information systems and IT assets<\/em><\/strong><\/p>\n

When identifying risks to information systems and IT assets, an impact analysis is first conducted based on the nine categories outlined in Annex 1. The results of the impact analysis are documented in JIRA in the information system or IT asset map.<\/p>\n

Further risk identification and analysis for information systems is not required if the following conditions are met:<\/p>\n

1. the average score across the nine categories of the impact analysis is less than 3;
\n2. none of the nine impact categories receive a score of 4 or 5.<\/p>\n

In case of an information system or IT asset with an average impact analysis score of 3 or higher, or a score of 4 or 5 in one or more categories, the risks contributing to the high score must be identified.
\nBoth internal and external risks \u2014 those occurring within information systems the university has control over, as well as those beyond its control\u2014must be identified. In the course of identifying risks, the potential impact of a confidentiality, integrity, and\/or availability breach on assets must be ascertained.
\nVulnerabilities can be found in the following areas: organisational structure, processes and procedures, administrative routines, personnel, physical environment, configuration of the information system , hardware, software or communication devices, dependency on external parties.
\nSource data shall be provided by the owners of the information systems or information technology assets, process managers, IT project managers, superusers, IT project managers, partners and other related parties.
\nThe output of identifying information systems and IT assets is a list of risks, which includes the following:<\/strong><\/p>\n

\u2022 the name of the information system or IT asset;
\n\u2022 the name of the information system or IT asset component (such as a server, database, etc.);
\n\u2022 the vulnerability, i.e. the weak point, in an IT asset, information system, or process, or the inadequacy or absence of a security measure (security gap). (The existence of a weakness does not cause any losses in and of itself);
\n\u2022 the attacker and the attack method capable of exploiting the weakness\/vulnerability (who, how, and what). These threats can cause significant loss and are realistic for a specific application and use. According to the Estonian Information Security Standard (E-ITS): elementary threats, module threats, or external threats);
\n\u2022 the risk factor (i.e., when a threat exploits a vulnerability);
\n\u2022 the risk event (confidentiality, integrity and availability);
\n\u2022 the description of the risk impact (effects, damage, consequences).
\n\u2022 the largest possible loss (loss of service, financial loss, loss of reputation,
\n\u2022 the risk (risks are defined using the following structure: a \u2018risk factor\u2019 induces a \u2018risk event\u2019, which causes \u2018loss or impact resulting from the risk\u2019.)
\n\u2022 risk owner (the business project manager of the information system or the owner of the IT asset).<\/p>\n

Each identified risk is assigned a unique identifier and recorded in the risk register in Jira. In subsequent stages of risk management, this information will be supplemented with additional details.<\/p>\n

Risk analysis<\/span> <\/span><\/span><\/span><\/span><\/span><\/h3>\n

The purpose of risk analysis is to provide information for risk evaluation in order to determine how to manage identified potential risks and allocate the available resources effectively to address the most critical risks.
\nDuring the risk analysis, the risk owner<\/strong> determines the probability of occurrence<\/strong> of the identified event and the possible consequences, i.e. losses, or the risk impact<\/strong>.
\nUpon impact assessment, or analysis of the consequences, the risk owner shall describe the potential losses that accompany the materialisation of the risk, or exploitation of a vulnerability. The consequence analysis must identify all potential consequences should the risk materialise. When assessing the impact of consequences, it is essential to consider the different types of risks addressed by risk management in combination, taking into account the cumulative effect of multiple risks.
\nA probability analysis identifies the likelihood of the risk materializing. To assess the likelihood, information can be gathered from various sources, including:<\/p>\n

\u2022 incident history, i.e. statistics;
\n\u2022 prognosis, considering the age of the devices, etc.;
\n\u2022 expert assessment;
\n\u2022 comparison with other similar organizations.<\/p>\n

If information about potential consequences and\/or the likelihood of occurrence is unavailable, creating uncertainty, the nature of this uncertainty must be considered in decision-making (the decision-makers must be informed thereof). The likelihood of risks shall be assessed based on the scores in table 2.<\/p>\n

Table <\/span>1<\/span> Risk impact assessment<\/span><\/span><\/span><\/span><\/span><\/span><\/p>\n\n\n\n\n\n\n\n\n
Impact assessment<\/td>\nScore<\/td>\nCriteria<\/td>\n<\/tr>\n
Negligible impact<\/td>\n1<\/td>\nIf the risk materialises, the university\u2019s operations are only minimally disrupted (the operation of minor services, information systems, or IT assets is affected or their use is hindered temporarily or over a longer period, a few dissatisfied and concerned users, the potential financial losses are minimal, and no additional resources are required). If the risk materialises, personal data are not at risk, the information systems and IT assets process public information, and the integrity of the data is non-critical. Does not affect the achievement of the university\u2019s objectives.<\/td>\n<\/tr>\n
Minor impact<\/td>\n2<\/td>\nIf the risk materialises, operations are partially disrupted (the performance of several services is affected, and there are service disruptions, but the disruptions can be managed and resolved operationally (within one to three working days). A few users (10-100) are affected and express dissatisfaction; financial losses are minor; regulators express interest by making inquiries should the risk materialise. If the risk materialises, information intended for internal use may be exposed to the public, but personal data is not at risk. The achievement of the university’s objectives is not at risk.<\/td>\n<\/tr>\n
Moderate impact<\/td>\n3<\/td>\nIf the risk materialises, the university\u2019s operations are significantly disrupted (several services are affected, and the disruptions cannot be resolved operationally (within three working days); a moderate number of persons (100-500) are affected and express dissatisfaction; the\u00a0 financial losses are moderate ( up to 50,000 euros),\u00a0 there may be a single negative media article; regulators take a keen interest in the organisation\u2019s activities; there are legal disputes between the parties). If the risk materializes, sensitive or critical restricted data (e.g., individuals\u2019 salaries) could be exposed to the public, and personal data may be compromised. Additional resources may be required to restore the original situation, but the university\u2019s objectives can still be achieved.<\/td>\n<\/tr>\n
Major impact<\/td>\n4<\/td>\nIf the risk materializes, the university\u2019s operations are significantly disrupted (several critical and essential services are affected and the disruptions cannot be resolved operationally (within three working days); a significant number of users (500-5,000) are affected and express their criticism publicly; there is a substantial financial loss (up to 100,000 euros), occasional negative media articles; regulators are highly interested in intervening in the organization\u2019s activities; there are ongoing extrajudicial disputes between the parties; sanctions have been partially imposed). If the risk materialises, special categories of personal data or classified data are at risk, and there is a likelihood of breach of processed personal data. Significant additional resources are required to restore the original situation. As a result, the university\u2019s core activities may be halted, preventing the achievement of its established objectives.<\/td>\n<\/tr>\n
Critical impact<\/td>\n5<\/td>\nIf the risk materializes, the university\u2019s operations are critically disrupted (long-term disruptions of critical services that cannot be resolved within a week);\u00a0 more than 5,000 users are affected, expressing openly their dissatisfaction and desire to opt out; resulting in huge financial loss ( exceeding 100,000 euros); significant damage to the organization\u2019s reputation due to extensive negative media coverage, regulators have extreme interest in interfering with the organization\u2019s activities; accompanied by court action, legal proceedings, sanctions. If the risk materializes, the university\u2019s most critical data are at risk (can be exposed, destroyed, or otherwise compromised) with a high likelihood of a personal data breach. Restoring the original situation requires significant additional resources, and in some cases, restoration may be impossible\u00a0 If the risk materializes, the university\u2019s core activities can be halted, preventing it from achieving its set objectives.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Table <\/span>2<\/span> Risk likelihood assessment<\/span><\/span><\/span><\/span><\/span><\/span><\/p>\n\n\n\n\n\n\n\n\n
Likelihood assessment<\/td>\nScore<\/td>\nCriteria<\/td>\n<\/tr>\n
Highly unlikely<\/td>\n1<\/td>\nThe risk is primarily theoretical and occurs very rarely in practice; likely to occur less frequently than once every 10 years.<\/td>\n<\/tr>\n
Unlikely<\/td>\n2<\/td>\nThe risk could materialize, though practical examples are rare. It can occur within the next 2\u20133 years.<\/td>\n<\/tr>\n
Possible<\/td>\n3<\/td>\nThere is evidence that the risk is likely to materialize and can occur within the next 2\u20133 years.<\/td>\n<\/tr>\n
Likely<\/td>\n4<\/td>\nThere is evidence that the risk is likely to materialize and can occur within the next year.<\/td>\n<\/tr>\n
Certain<\/td>\n5<\/td>\nThe risk has occurred in the past or is considered inevitable, with potential to materialize within days or weeks.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

When analysing a risk and assessing its impact, it is essential to consider not only the risk itself but also the underlying causes, the source, and the motivational forces driving the source\u2019s behaviour. To analyse a risk realistically, it is important to consider the controls and measures already applied to mitigate it.
\nAs a result of risk analysis, the risk level is defined, which is essential for prioritising the approach to risk treatment in subsequent steps.<\/p>\n

Risk level<\/strong><\/p>\n

The risk level is calculated by multiplying the impact score by the likelihood score. Based on the risk level, a risk matrix is created, and all risks are prioritized from the highest to the lowest. When several risks have the same level, priority is given to the risk with the higher impact score.<\/strong> Risks are identified and the risk level is determined based on table 3 below.<\/p>\n

Table <\/span>3<\/span> Risk level calculation<\/span><\/span><\/span><\/span><\/span><\/span><\/p>\n\n\n\n\n\n\n\n\n\n
Likelihood<\/td>\n<\/tr>\n
Impact<\/td>\n<\/td>\nHighly unlikely (1)<\/td>\nUnlikely (2)<\/td>\nPossible (3)<\/td>\nLikely (4)<\/td>\nCertain (5)<\/td>\n<\/tr>\n
Critical impact (5)<\/td>\n5 \u2013 low<\/td>\n10 \u2013 medium<\/td>\n15 \u2013 medium<\/td>\n20 \u2013 high<\/td>\n25 \u2013 critical<\/td>\n<\/tr>\n
High impact (4)<\/td>\n4 \u2013 very low<\/td>\n8 \u2013 low<\/td>\n12 \u2013 medium<\/td>\n16 \u2013 high<\/td>\n20 \u2013 high<\/td>\n<\/tr>\n
Moderate impact (3)<\/td>\n3 \u2013 very low<\/td>\n6 \u2013 low<\/td>\n9 \u2013 low<\/td>\n12 \u2013 medium<\/td>\n15 \u2013 medium<\/td>\n<\/tr>\n
Low impact (2)<\/td>\n2 \u2013 very low<\/td>\n4 \u2013 low<\/td>\n6 \u2013 low<\/td>\n8 \u2013 low<\/td>\n10 \u2013 medium<\/td>\n<\/tr>\n
Negligible impact (1)<\/td>\n1 \u2013 very low<\/td>\n2 \u2013 very low<\/td>\n3 \u2013 very low<\/td>\n4 \u2013\u00a0 very low<\/td>\n5 \u2013 low<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Risk level = Impact score * Likelihood score<\/span><\/span><\/p>\n

Adjusting the risk level<\/strong><\/p>\n

The level of risk may be adjusted subjectively when there is a valid reason to do so, but it is essential to document the rationale for this decision in writing.<\/p>\n

Risk evaluation<\/span> <\/span><\/span><\/span><\/span><\/span><\/h3>\n

The purpose of a risk evaluation is to ensure that an organization effectively allocates its resources to address the most critical risks. It is important to remember that multiple small, frequent risks can collectively have a significant overall impact.
\nRisk evaluation involves comparing the risk level identified in risk analysis against accepted risk thresholds. (Table 4 The university’s risk thresholds and corresponding actions for each risk level ).
\nThe whole risk assessment process must be documented.<\/p>\n

The university\u2019s risk thresholds, i.e. risk acceptance criteria<\/em><\/strong><\/p>\n

Table <\/span>4<\/span> The university’s risk thresholds and corresponding actions for each risk level<\/span><\/span><\/span><\/span><\/span><\/span><\/p>\n\n\n\n\n\n\n\n\n
Risk level<\/td>\nAction<\/td>\n<\/tr>\n
1-4<\/td>\nVery low<\/span><\/span><\/span><\/td>\nThe risk is accepted, monitored at least once a year.<\/td>\n<\/tr>\n
5-9<\/td>\nLow<\/span><\/span><\/span><\/td>\nThe risk is accepted, monitored at least once a year.<\/td>\n<\/tr>\n
10-14<\/td>\nMedium<\/td>\nThe risk will be addressed when possible. If the decision is made to accept the risk, the risk owner must provide a written justification. The risk is monitored at least once a year<\/td>\n<\/tr>\n
15-19<\/td>\nHigh<\/td>\nThe risk needs to be addressed. The risk owner must prepare an action plan. The risk is monitored at least once every 6 months.<\/td>\n<\/tr>\n
20-25<\/td>\nCritical<\/td>\nThe risk requires an immediate decision by the Rector\u2019s Office and action. The risk owner must inform the Rector\u2019s Office of the risk, provide an explanation, and propose measures for managing the risk. The risk shall be monitored, and actions shall be taken in accordance with the deadlines set out in the decision of the Rector\u2019s Office.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

The actions and the frequency of risk assessments for different risk levels are outlined in Table 4. Risk acceptance is allowed only when the risk score is below 10 and further mitigation measures are not feasible or practical.<\/p>\n

3 Risk treatment<\/h1>\n

All risks that do not meet the risk acceptance criteria must be reduced to an acceptable level through alternative measures. To achieve this, the appropriate risk treatment measure must be selected for each identified risk. The Chief Information Security Officer shall prepare a risk treatment plan. The goal is to reduce identified risks so that the residual risks are acceptable (at least low or moderate).<\/p>\n

Depending on the nature of the risk, the appropriate risk treatment measures must be selected and defined for each risk, including the required actions, deadlines, and responsible parties.<\/p>\n

3.1 Risk avoidance<\/h2>\n

Risk avoidance involves avoiding activities or conditions that pose the risk, such as discontinuing the use of certain equipment, relocating to another area,\u00a0 etc. During the risk avoidance process, new risks may arise as a result of the changes implemented, which will require additional risk management measures.<\/p>\n

3.2 Risk mitigation<\/h2>\n

Risk mitigation involves implementing additional measures\/controls, or eliminating or modifying existing ones, to decrease the impact and\/or likelihood of the risk, resulting in an accepted risk level when reassessed. (For example, E-ITS or ISO 27001 information security controls can be implemented).
\nRisk mitigation measures must be selected to ensure that the risk level is reduced to an acceptable level after implementation of the measure. In addition, factors such as time, budget, technical constraints, etc. must be taken into consideration when selecting a measure. The conditions and options for accepting risks are set out below.<\/p>\n

3.3 Risk sharing\/transfer<\/h2>\n

Risk sharing involves transferring a risk to a another (external) party who can best manage that particular risk (e.g. insurance, outsourcing, etc.). It is important to remember that while risk management activities can be shared or transferred to another party, ultimate responsibility still remains with the risk owner. Risk sharing may generate new risks, which will require additional risk management measures.<\/p>\n

3.4 Risk acceptance<\/h2>\n

Risk acceptance involves a deliberate decision to take no further action with regard to the risk and accepting the risk. Accepted risks must also be monitored. If the risk level does not meet the risk acceptance criteria but accepting and retaining is still preferred, the decision must be justified and documented. Such a decision must be approved by the Rector\u2019s Office. In this case the status of the risk is marked as \u2018Open\u2019.<\/p>\n

3.4 Residual risk<\/h2>\n

As a rule, some residual risks remain at a certain level after risk treatment. In most cases, the residual risk is at a level that can be accepted under the risk criteria. There is no residual risk if the threat or vulnerability is eliminated entirely, meaning the risk no longer exists.<\/p>\n

4 Monitoring and reviewing risks<\/h1>\n

Risk owners must consistently monitor identified risks, the effectiveness of the treatment measures, and any new risks that may have emerged.<\/p>\n

Process managers, business project managers of information systems, IT project managers, IT asset owners, and other stakeholders conduct continuous monitoring to identify new risks and shall promptly notify the Chief Information Security Officer when a risk is identified. Once a new risk is identified, the risk assessment process is carried out by the relevant risk owner, with guidance from the Chief Information Security Officer as needed.<\/p>\n

5 Communicating. Informing. Consulting<\/h1>\n

Risk management associated with information systems and IT assets is centralized, with risks recorded in a shared tool that ensures timely communication of risk related information to relevant parties, while maintaining transparency throughout the risk management process.
\nRisk information is provided through consultations, training sessions, and informational materials. Risk communication guarantees the harmonisation of the values and the repeatability of risk management steps in an organisation. Risk communication ensures the coordination of various impressions of risks so that the entire organisation is aware of the process and the results of the risk management.<\/p>\n

6 Roles<\/h1>\n

6.1 The Director for Administration:<\/h2>\n

\u2022 approves the information security risk management procedure;<\/p>\n

6.2\u00a0 The Chief Information Security Officer:<\/h2>\n

\u2022 is responsible for the development and implementation of the information security risk methodology;
\n\u2022 provides advice, guidance, and training;
\n\u2022 compiles a comprehensive overview of information security risks based on recorded incidents;
\n\u2022 analyses incidents and related information security risks;
\n\u2022 if needed, requests additional information about the circumstances of an incident from the person who recorded and\/or the person who resolved it;
\n\u2022 provides the Rector (the Rector\u2019s Office) with an annual overview of the organization\u2019s information security risk management;
\n\u2022 recommends improvements to the risk management process.<\/p>\n

6.3 The risk owner<\/h2>\n

\u2022 A risk owner is a person (a business project manager for information systems or an IT asset owner) who assesses and manages risks, prepares a risk treatment plan, and is responsible for its implementation within his\/her area of responsibility.
\n\u2022 The owner shall assess the impact and the likelihood of the occurrence of the risk, decide on the treatment measures and the persons responsible, incl. agrees on the persons responsible and mitigation actions also outside of his\/her area of responsibility if these are required to manage the risk.<\/p>\n

\n

Annex 1<\/h1>\n

Impact analysis<\/h1>\n

Tabel <\/span>5<\/span> Impact assessment<\/span><\/span><\/span><\/span><\/span><\/span><\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Consequences<\/td>\nMinor impact<\/td>\nLimited impact<\/td>\nModerate impact<\/td>\nHigh impact<\/td>\nCritical impact<\/td>\n<\/tr>\n
Score<\/td>\n1<\/td>\n2<\/td>\n3<\/td>\n4<\/td>\n5<\/td>\n<\/tr>\n
Achievement of the university\u2019s objectives<\/td>\nOperations are minimally affected, but the objectives can be achieved without requiring additional resources.<\/td>\nOperations are significantly disrupted, but the objectives can be achieved by reallocating resources within the university, without compromising the achievement of other objectives.<\/td>\nOperations are significantly disrupted, but the objectives can be achieved by reallocating resources within the university, though this may partially compromise the achievement of the objectives.<\/td>\nOperations are significantly disrupted, and significant additional resources are required to achieve the objectives.<\/td>\nThe university\u2019s objectives cannot be achieved, and its core processes are not functioning.<\/td>\n<\/tr>\n
Reputational damage<\/td>\nNegative rumours circulating among a small group of customers, a few customer complaints.<\/td>\n\u2022 Negative rumours circulating among customers, partners, the public.
\n\u2022 Regulators express interest in the organisation\u2019s activities by making inquiries.<\/td>\n		\n

\u2022 A single negative media article.<\/p>\n

\u2022 Regulators\u2019 keen interest in the organisation’s activities.<\/p>\n

\u2022 The university’s credibility is called into question.<\/p>\n<\/td>\n

\n

\u2022 Occasional negative media articles.<\/p>\n

\u2022 Many users openly express criticism.<\/p>\n

\u2022 Regulators\u2019 keen interest or interference in the organisation’s activities.<\/p>\n

\u2022 A substantial decline in the university’s credibility.<\/p>\n<\/td>\n

\n

\u2022 Significant harm to the organization\u2019s reputation due to extensive negative media coverage.<\/p>\n

\u2022 Many users express criticism and a desire to opt out.<\/p>\n

\u2022 Regulators\u2019 extreme\u00a0 interest or interference in the organisation’s activities.<\/p>\n

\u2022 A critical decline in the university’s credibility.<\/p>\n<\/td>\n<\/tr>\n

Affected parties<\/td>\n1-10 users<\/td>\n10-100 users<\/td>\n100-500 users<\/td>\n500-5,000 users<\/td>\nMore than 5,000 users<\/td>\n<\/tr>\n
Legal obligations<\/td>\nAn oral warning.<\/td>\nA written warning.<\/td>\nExtrajudicial disputes, an agreement between the parties is possible.<\/td>\nExtrajudicial disputes, an agreement between the parties is possible, partial sanctions.<\/td>\nFollowed by legal proceedings, litigation and sanctions.<\/td>\n<\/tr>\n
Accompanying costs<\/td>\nup to 2,000 euros<\/td>\n2,000 \u2013 10,000 euros<\/td>\n10,001 \u2013 49,999 euros<\/td>\n49,999 \u2013 100,000 euros<\/td>\nMore than 100,000 euros<\/td>\n<\/tr>\n
Availability<\/td>\nThe operation of individual minor services is affected or temporarily disrupted, but the overall functioning of the university remains unaffected.<\/td>\nThe expected performance of several services is affected, with service disruptions that can be addressed operationally, without affecting the overall functioning of the university.<\/td>\nSeveral services are affected, and the disruptions cannot be resolved operationally (within three working days). The university\u2019s several key processes have been affected, causing partial disruption to the university\u2019s operations.<\/td>\nSeveral critical and essential services are affected, and the disruptions cannot be resolved operationally (within three working days). The university\u2019s core activities are affected, leading to significant disruption to its operations.<\/td>\nLong-term disruptions to critical services that cannot be resolved within a week. The university\u2019s core processes have been severely affected, causing a partial disruption to its operations.<\/td>\n<\/tr>\n
Integrity<\/td>\nData integrity is not a priority, and no separate integrity checks or logging operations are required.<\/td>\nData integrity is important, and it is essential to track any changes made.<\/td>\nData integrity is important, and it is essential to track changes, including the identity of the person making the changes, the timestamp, the source and destination of the request, the request details, and the response received.<\/td>\nData integrity is crucial, and it is essential to track changes, including the identity of the person making the changes, the timestamp, the source and destination of the request, the request details, and the response received.<\/td>\nData integrity is crucial; and it is essential to track changes, including the identity of the person making the changes, the timestamp, the source and destination of the request, the request details, and the response received. It is also crucial to verify the integrity of data, i.e. to perform data integrity checks using cryptographic techniques and to implement control processes to confirm data integrity.<\/td>\n<\/tr>\n
Confidentiality<\/td>\nThe information assets are associated with or process information intended for public use.<\/td>\nThe information assets are associated with or process data and information intended for internal use.<\/td>\nThe information assets are associated with or process sensitive or critical restricted data (e.g. salaries, etc.)<\/td>\nThe information assets are associated with or process\u00a0 special categories of personal data and\/or the university\u2019s secret information.<\/td>\nThe information assets are associated with or process the university\u2019s critical secret information.<\/td>\n<\/tr>\n
Privacy<\/td>\nNo personal data.<\/td>\nA breach of processed personal data is unlikely.<\/td>\nA breach of processed personal data is possible.<\/td>\nA breach of processed personal data is likely.<\/td>\nA breach of processed personal data is highly likely.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"

[showhide show_caption=”Table of Contents \u00bb\u00bb\u00bb” hide_caption=”Close Table of Contents \u00ab\u00ab\u00ab”] 1 General provisions 2 Risk management process 2.1 Establishing the context 2.2 Risk assessment 2.2.1 Risk identification 2.2.2 Risk analysis 2.2.3 Risk evaluation 3 Risk treatment 3.1 Risk avoidance 3.2 Risk mitigation 3.3 Risk sharing\/transfer 3.4 Risk acceptance 3.4.1 Residual risk 4. Monitoring and reviewing […]<\/p>\n","protected":false},"author":4,"featured_media":0,"parent":8909,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"smart_processes":["https:\/\/smart.taltech.ee\/en\/process\/it-management\/"],"footnotes":""},"categories":[182],"tags":[],"legislation_type":[151],"legislation_approval":[190],"subdivision":[209],"faculty":[],"division":[226],"department":[264],"class_list":["post-10243","post","type-post","status-publish","format-standard","hentry","category-legislation","legislation_type-order","legislation_approval-director-for-administration","subdivision-it-en","division-support-activites","department-information-technology-services"],"acf":{"smart_processes":["https:\/\/smart.taltech.ee\/en\/process\/it-management\/"]},"_links":{"self":[{"href":"https:\/\/oigusaktid.taltech.ee\/en\/wp-json\/wp\/v2\/posts\/10243","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/oigusaktid.taltech.ee\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/oigusaktid.taltech.ee\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/oigusaktid.taltech.ee\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/oigusaktid.taltech.ee\/en\/wp-json\/wp\/v2\/comments?post=10243"}],"version-history":[{"count":0,"href":"https:\/\/oigusaktid.taltech.ee\/en\/wp-json\/wp\/v2\/posts\/10243\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/oigusaktid.taltech.ee\/en\/wp-json\/wp\/v2\/posts\/8909"}],"wp:attachment":[{"href":"https:\/\/oigusaktid.taltech.ee\/en\/wp-json\/wp\/v2\/media?parent=10243"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/oigusaktid.taltech.ee\/en\/wp-json\/wp\/v2\/categories?post=10243"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/oigusaktid.taltech.ee\/en\/wp-json\/wp\/v2\/tags?post=10243"},{"taxonomy":"legislation_type","embeddable":true,"href":"https:\/\/oigusaktid.taltech.ee\/en\/wp-json\/wp\/v2\/legislation_type?post=10243"},{"taxonomy":"legislation_approval","embeddable":true,"href":"https:\/\/oigusaktid.taltech.ee\/en\/wp-json\/wp\/v2\/legislation_approval?post=10243"},{"taxonomy":"subdivision","embeddable":true,"href":"https:\/\/oigusaktid.taltech.ee\/en\/wp-json\/wp\/v2\/subdivision?post=10243"},{"taxonomy":"faculty","embeddable":true,"href":"https:\/\/oigusaktid.taltech.ee\/en\/wp-json\/wp\/v2\/faculty?post=10243"},{"taxonomy":"division","embeddable":true,"href":"https:\/\/oigusaktid.taltech.ee\/en\/wp-json\/wp\/v2\/division?post=10243"},{"taxonomy":"department","embeddable":true,"href":"https:\/\/oigusaktid.taltech.ee\/en\/wp-json\/wp\/v2\/department?post=10243"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}