Make risk assessments

At Inland Norway University of Applied Sciences, we make risk assessments to prevent breaches of information security. 

There will always be a certain amount of risk associated with the processing of information and the use of systems and services. 

One of our goals is to reduce risk as much as possible, and risk assessments are a means of doing this. 

What is a risk assessment? 

A risk assessment identifies adverse incidents (threats) that we expect may happen. It assesses the likelihood of threats occurring, and the consequence if they occur. 

The sum of the likelihood and the consequence provides the risk level regarding the threat in question. 

If the level is sufficiently high, we will take measures to lower the risk level. The measures can help reduce the likelihood of incidents occurring, the consequence if they occur, or both. 

Risk-reducing measures do not necessarily bring the level of risk down to zero. The remaining risk is called ‘residual risk’. We must either accept this, or conclude that the risk remains too high so that we cannot continue as we intended. 

Who should make the assessment? 

Unit managers and system owners are responsible for ensuring that risk assessments are carried out, but they do not necessarily have to make the assessments themselves. 

Unit managers and system owners must also accept the risk assessments, the measures to reduce risk, and accept the residual risk after measures have been implemented. 

Risk assessments should be processed further up the system when cases involve a high level of risk or services that process large amounts of information about many people. This is especially the case if confidential information is involved. 

In the first instance, such cases are referred to the IT Director, and in some cases to the Director of Digitalisation who is primarily responsible for information security and exercises authority as the data controller pursuant to the Personal Data Act. 

When should we make risk assessments? 

The information security management system stipulates that risk assessments must be carried out: 

  • when the threat changes 
  • before the processing of personal data starts 
  • at the start of research projects 
  • when establishing or changing ICT systems 
  • when organisational changes occur that may affect information security 

Risk assessments must be regularly reviewed to see if the measures worked according to plan, if the threat has changed, or if the premises for the assessments have changed (new technology, etc.). 

How to make a risk assessment? 

INN University uses guidelines prepared by Unit - ​the Norwegian Directorate​ for ICT and Joint Services ​in Higher Education & Research​​. These are based on recognised standards. 

More information about risk assessment of security information can be found here (norwegian only): https://www.unit.no/risikovurderinger-informasjonssikkerhet  

Unit has also created its own guides for cloud services and administrative systems (norwegian only): https://www.unit.no/risikovurderinger-informasjonssikkerhet