Skip to main content
SDUnet

Search

Dansk
Menu

Data protection and information security

Risk assessments of IT systems

Here you will find a purpose description and introduction to risk assessments at SDU as well as links to relevant guides from the Danish Data Protection Agency and Sikkerdigital.

How we do risk assessments

  • Først kortlægger vi systemer, data og/eller andet, der skal risikovurderes og identificerer de mest kritiske områder. Dette kan inkludere både hardware, software, netværk og data.

  • Vi skal vide, hvilke trusler vores systemer står over for, fx menneskelige fejl, phishing, datatab og identificere eventuelle sårbarheder.

  • Vi skal evaluere, hvor sandsynligt det er, at en trussel vil materialisere sig, og hvilken konsekvens det vil have for organisationen og/eller de personer, der får behandlet deres personoplysninger i systemet.

  • Baseret på risikoniveauet skal vi tage stilling til, hvilke tiltag vi skal iværksætte for at reducere sandsynligheden for sikkerhedsbrud. Det kan fx være at sikre systemet bedre mod hacking eller at begrænse konsekvenserne, hvis et brud skulle ske – fx ved at have færre data i systemet, som kan blive lækket.

  • Vi skal dokumentere hele processen, herunder vores fund, beslutninger og de trufne foranstaltninger, så vi og andre kan se, hvad der er tænkt og besluttet.

Risk assessments at SDU

As part of our responsibility to ensure information security and protect the rights of data subjects, it is important that we conduct and document risk assessments.

Risk assessments are fundamental to SDU's security because they are the starting point for the organisation's knowledge and documentation of compliance challenges.

The Danish Data Protection Agency's requirement for documentation that personal data is processed effectively and lawfully means that risk assessments of the processing of personal data must be prepared. The Danish Data Protection Agency regularly conducts inspections of organisations, where the Danish Data Protection Agency may request documentation such as risk assessments. They only accept risk assessments made prior to receiving the request.

A risk assessment is a process where we analyse and evaluate the risks associated with our IT systems and workflows. The goal is to understand how vulnerable our systems are to threats such as misdirected emails, data loss, unauthorised access and other security breaches. By identifying and prioritising these risks, we can make informed decisions about how to best protect our systems and data.

The purpose of the risk assessment process is that together we get an overview of the risks associated with our work tasks.

When the damage happens and there is a compromising incident, we need to know what it could mean. In some situations it's not so dangerous, in others it's more serious.

The risk assessments help give us a qualified basis to act quickly and appropriately. Risk assessments allow the organisation to provide resources and action where needed, and it gives the employees who actively work with the processes the opportunity to draw attention to irregularities that pose a risk to SDU.

The overall responsibility for risk assessment and the choice of actions lies with the system owner (management). The system owner has overall responsibility for a given IT system and must ensure that it functions properly, is secure and meets the needs of the organisation. This includes hardware, software, network and data.

During the risk assessment, we involve many other employees with knowledge of the system, not least the system manager who is responsible for the daily operation of the system.

The system owner is responsible for prioritising the mitigating actions and implementation plan within the framework of the overall risk appetite decided by management.

Some of the conclusions from the risk assessment have significance across SDU and affect prioritisation across IT systems. At the same time, the overall risk picture is part of the management's overall decisions.

There is also a need for coordinated planning and follow-up, especially if there are risks or initiatives that cut across systems. Therefore, the overall conclusions from the risk assessments are presented to senior management at SDU, and various initiatives are implemented to communicate and follow up on the risk assessments. See below how.

  • SDU IT, Governance, Risk & Compliance is responsible for the process where all risk assessments are collected and relevant information is passed on.

    SDU IT, Governance, Risk & Compliance coordinates and consolidates information from different system owners and risk assessments.

  • Senior management needs to understand the risk landscape and the potential threats affecting the organisation.

    By having a comprehensive overview, management can prioritise resources and strategy for SDU's risk profile.

  • SDU IT, Governance, Risk & Compliance must regularly pass on the risk picture to senior management. This is done once a year by the UID (Committee for Information Security and Data Protection) being informed of the overall risk picture for all SDU's systems and taking a position on SDU's overall risk appetite, after which they recommend it for final approval by the Executive Board/Rectorate.

    This is done through reports, presentations and meetings where the most important risks and possible consequences are discussed.

  • A plan for follow-up and implementation of the necessary measures must be established. Some are taken between system manager and system owner, others are taken centrally.

    After receiving the information, senior management must communicate with system owners and other relevant stakeholders.

  • The risk landscape changes over time. Therefore, any deviations, new threats or vulnerabilities must be continuously recorded as part of a risk assessment.

Do you have any questions?

The GDPR and Information Security Coordinators are your local contact and advisor for day-to-day data protection and information security at SDU.

Want to know more?