4. Risk Assessment and the Classification of Information

4.1. Risk assessment of information held

The degree of security control required depends on the sensitivity or criticality of the information. The first step in determining the appropriate level of security is therefore a risk assessment, which identifies and classifies the nature of the information held, the adverse consequences of security breaches, and the likelihood of those consequences occurring.

Given the devolved nature of the University’s structure, the risk assessment should be carried out in the first instance by departments, as defined in paragraph 3.3 above. However, the departmental assessment must be consistent with the general principles in this section.

The risk assessment should identify the department’s information assets; define the ownership of those assets; and classify them, according to their sensitivity and/or criticality to the department or University as a whole. In assessing risk, departments should consider the value of the asset, the threats to that asset and its vulnerability. (An example of a risk assessment is at Annex A.) Further guidance on risk assessment and the classification of information is available in the Toolkit.

Where appropriate, information assets should be labelled and handled in accordance with their criticality and sensitivity.

Rules for the acceptable use of information assets should be identified, documented and implemented. The University’s Regulations and Policies applying to all users of University ICT facilities are available from http://www.ict.ox.ac.uk/oxford/rules/.

Information security risk assessments should be repeated periodically and carried out as required during the operational delivery and maintenance of the University’s infrastructure, systems and processes.

4.2. Personal Data

Personal data must be handled in accordance with the Data Protection Act 1998 (DPA) and in accordance with the University’s policy and guidance on personal data.

The DPA requires that appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

A higher level of security should be provided for ‘sensitive personal data’, which is defined in the DPA as data relating to ethnic or racial origin, religious beliefs, physical or mental health, sexual life, political opinions, trade union membership, or the commission or alleged commission of criminal offences.
