Risk assessments of systems at SDU

As part of our responsibility to ensure information security and protect the rights of data subjects, it is crucial that we conduct and document risk assessments.

Risk assessments are fundamental to security at SDU, as they provide the basis for the organisation’s understanding of compliance challenges related to personal data protection and information security. They also form the foundation for accountability and its documentation.

The Danish Data Protection Agency requires that any processing of personal data be efficient and lawful, which necessitates conducting risk assessments. The Agency regularly audits organisations and may request documentation, such as risk assessments, which must be conducted and documented prior to the request.

The Purpose of Risk Assessments

The purpose of the risk assessment process is to collectively gain an overview of the risks associated with our tasks.
When an incident occurs, and there is a compromising event, we need to understand its potential impact. In some situations, it may not be very serious, while in others it could be more severe.

Risk assessments provide a qualified basis for quickly taking appropriate action. They allow the organisation to allocate resources and efforts where needed, and they enable employees actively working with the processes to highlight issues that pose a risk to SDU.

What is a Risk Assessment?

A risk assessment involves analysing and evaluating the risks linked to our IT systems and workflows. The aim is to understand our systems’ vulnerabilities to threats like misdirected emails, data loss, unauthorised access, and other data breaches. By identifying and prioritising these risks, we can make informed decisions on the best ways to protect our systems and data.

How to Conduct a Risk Assessment

The main steps in brief are:

Identification of systems and data

First, we map the systems, data, and other elements that need to be risk assessed, identifying the most critical areas. This can include hardware, software, networks, and data.

Identification of threats and vulnerabilities

We need to identify the threats our systems face (e.g., human error, phishing, data loss) and pinpoint any vulnerabilities.

Assessment of risks

We need to evaluate the likelihood of a threat manifesting and assess its potential consequences for the organisation and for the individuals whose personal data is processed in the system

Prioritisation and action

Based on the level of risk, we need to determine appropriate actions to mitigate security breaches. This could involve reducing the likelihood of breaches by enhancing system security against hacking, or minimizing the impact by limiting the amount of sensitive data stored in the system.

Documentation

We must document the entire process, including our findings, decisions, and the measures taken. This ensures that we—and others—can clearly understand the rationale behind our actions and the steps we have implemented.

The overall responsibility for the risk assessment and the choice of measures lies with the system owner (management). The system owner has the overall responsibility for a given IT system and must ensure that it functions correctly, is secure, and meets the organisation’s needs. This includes hardware, software, network, and data.

The system owner (management) holds the overall responsibility for risk assessment and selecting appropriate measures. They must ensure that the IT system functions correctly, is secure, and meets the organisation’s needs, covering hardware, software, network, and data.

During the risk assessment, we involve various employees with knowledge of the system – particularly the system administrator (or IT coordinator?) who manages the daily operation of the system.

The system owner is responsible for prioritising the mitigating measures and the implementation plan within the framework of the management’s overall risk appetite

Reporting and Following up on Risk Assessments

Reporting risk assessments regarding personal data processing to management is crucial for ensuring that the organisation is aware of potential risks and can take appropriate measures to mitigate them. This process helps maintain compliance with data protection regulations, safeguarding sensitive information, and protecting the organisation from potential data breaches and associated penalties.

Some of the conclusions from the risk assessment have implications across SDU and affect priorities across IT systems. The overall risk picture is part of the management’s basis for making overall decisions.

There is also a need for coordinated planning and follow-up, especially if there are risks or measures that span multiple systems.
Therefore, the overall conclusions from the risk assessments are presented to the top management at SDU, and various measures are implemented to communicate and follow up on the risk assessments.

Central reporting

SDU Digital, Compliance is responsible for the process of collecting all risk assessments and forwarding relevant information.

SDU Digital, Compliance coordinates and consolidates data from various system owners and their respective risk assessments.

Prioritisation and decision-making

Senior management must understand the risk landscape and the potential threats affecting SDU.

By having a comprehensive overview, management can prioritise resources and develop a strategy that aligns with the organisation’s overall risk profile.

Collective reporting to SDU management

SDU Digital, Compliance is responsible for regularly reporting the overall risk profile to top management. This process occurs annually, where the UID (Committee for Information Security and Data Protection) is briefed on the risk profile of all SDU systems. This is done through reports, presentations, and meetings, where the most significant risks and potential consequences are discussed. The UID then assesses SDU’s overall risk appetite and makes recommendations for final approval by the Executive Board/Rectorship.

  

Communication and follow-up

Up A plan must be established for follow-up and implementation of the necessary measures. Some actions are managed between the system administrator and the system owner, while others are managed centrally.

After receiving the information, top management must communicate with system owners and other relevant stakeholders.

Continuous monitoring

The risk profile changes over time. Therefore, nonconformities, new threats, or vulnerabilities must be continuously recorded as part of ongoing risk assessments.

Further reading:

• The Danish Data Protection Agency's information on Risk Assessments (in Danish)