Provided you are in compliance with the University's baseline information security standards (these describe the minimum levels of security required) and information asset handling rules, no other security risk assessments are required by the University.
However, if external parties, such as funders or partners, require a risk assessment or you are requesting an exemption from the baseline standards or handling rules (due to a legitimate business or technical constraint), you must carry out and document a risk assessment.
You must also ensure risk assessments are signed off by an appropriate risk or information asset owner.
HOW TO COMPLY
To fulfil your risk management obligations:
apply the University's baseline information security standards to all information systems managed by your division, department or faculty
ensure that information asset handling rules are being followed (these are determined by Information Asset Owners in accordance with the baseline standards)
carry out and document a risk assessment if you are deviating from baselines and/or prescribed handling rules
The Information Security Team is responsible for maintaining and acting upon a University-wide information security risk register.
It is University Policy that:
adequately manage information security risk and carry out risk assessments on IT systems and business processes where appropriate. Information security risk assessments should be:
carried out on all information systems on a regular basis in order to identify key information risks and determine the controls required to keep those risks within acceptable limits
repeated periodically and carried out as required during the operational delivery and maintenance of the University's infrastructure, systems and processes
included in the business case for any new ICT system that may be used to store confidential information
Managing risks is part and parcel of working life - we weigh our options, take decisions and move on. Making sensible informed choices about information security is no different.
As a Head of Division, Head of Department or Faculty Board Chair, you are responsible for protecting information assets your division, department or faculty accesses, processes or stores from avoidable security threats.
In most cases, you can manage these risks responsibly by simply complying with the University’s ‘baseline’ information security standards and information handling rules.