Assessment of value and risk - Ansatt

On start-up of the project, the project manager shall carry out a risk assessment and establish procedures for data processing in the project after the external body (NSD/REC) has given its approval.

In order to establish good and expedient procedures for the project, it is important that the project manager has carried out an assessment of the value of and risks relating to data in the project.

  • Risk assessment

    Forms for risk assessment

    OsloMet has its own template for risk assessment in research (Excel). It is used for risk assessment of the information flow in research. The completed form is stored in the institute/faculty ROS (risk assessment) folder in P360. See the guide for adequate storage of ROS analyses in Public 360.

    Which projects require a risk assessment?

    Risk assessments shall be done for all research and student projects that process personal information.

    When should a new risk assessment be done?

    • A risk assessment should be done every 3 years.
    • A new risk assessment shall be done as soon as changes are made that have relevance to personal data security.

    Vulnerabilities

    A risk assessment will reveal the vulnerabilities that exist in the information flow and that may occur in your project. On the basis of this assessment, you should initiate measures that lay the foundation for which routines should be established. There is normally a high risk associated with the start-up phase (collection, conversion, encryption and transmission) before data is stored on a well-secured electronic solution.

    Vulnerabilities can easily occur, for example, when collecting raw data that contains personal information and when handling the scrambling key and the research file; see the list of definitions. The vulnerability can lie in people (project staff and/or external persons within or outside the institution), in systems (the institution's IT systems and/or external systems), and often in a combination of the two.

    Incidents

    Based on the above, specific events can be identified that may lead to the information becoming:

    • known to unauthorised persons (confidentiality)
    • modified by unauthorised persons (integrity)
    • unavailable for a period of time or lost for good (availability)
    • not up to date and correct (quality)

    Assessment of probability and consequences

    You can also assess the probability of a threat being realised and score it as high, medium or low, for example. In addition, you can assess the consequences of a threat and define them as major, medium or minor.

    Some examples of risk assessment

    Raw data

    Raw data stored on a memory stick have gone astray.

    • Probability: Medium
    • Consequence: Major

    Research file

    Unauthorised persons may recognise information in the file, because the data has not been adequately de-identified.

    • Probability: Medium
    • Consequence: Major

    Scrambling key

    Staff in the ICT department have seen the scrambling key.

    • Probability: Medium
    • Consequence: Major

    Both malicious actions (hacking, viruses, etc.) and accidental events (technical and human errors) must be included in the assessment.

    Implementation of measures and establishment of routines

    After the risk assessment has been carried out, the project manager shall establish routines and implement measures, in connection with the information flow, that are necessary to prevent incidents with unacceptably high risk. The examples above are a simple illustration of how a risk assessment can be carried out.

    Deviations

    The project manager shall ensure that critical incidents and non-conformities are dealt with as they arise and reported to the appropriate body. Non-conformities should be resolved at the organisational level at which they arise. If the non-conformity has led to unauthorised disclosure that has a bearing on confidentiality, the Data Protection Authority must be notified. The project manager shall ensure that all non-conformities and security breaches are closed, which includes requesting assistance from the Department of ICT or the Department of Facilities Management to deal with technical or physical security breaches if necessary.

  • Factors of importance for risk assessment

    • Whether the material is sensitive/confidential or not, and the degree of sensitivity. For more information, see Classification of Data.
    • The degree of personally identifiable factors in the material, directly or indirectly. Direct personally identifying factors include name, national identity number or other personally identifiable characteristics. Indirect personally identifying factors will be background variables.
    • Whether the personal information is anonymised, i.e. the personally identifiable factors have been removed so that the information can no longer in any way be linked to a single person. Future developments must be included in the assessment. If the information is considered to be sufficiently anonymous, the privacy legislation does not apply.
    • The size of the project, including the number of participants.
    • The duration of the project.
    • The extent to which the institution has technical solutions / obtains services for secure storage of research data. OsloMet uses Service for sensitive data (TSD 2.0), a research platform developed under the auspices of UiO that is used by several Norwegian public research institutions. TSD meets the law's strict requirements for the processing and storage of confidential research data. TSD is developed and operated by USIT at UiO and is part of NorStore, the national infrastructure for handling and storing scientific data. See also our website about storage.

  • Assessment of value

    An assessment of value shall take three factors into consideration: confidentiality, integrity and accessibility. Assessment of value is discussed under OsloMet's information security system. See also sikresiden.no on securing information.

    • In principle, unpublished research data have a high degree of confidentiality, meaning that the data must not fall into the wrong hands or be disclosed to unauthorised persons. One way of ensuring confidentiality is to anonymise the data, but that can make it more difficult to achieve the overriding objective of the project.
    • The research data shall have a high degree of integrity, meaning that they shall not be altered by unauthorised persons. Good technical data storage solutions (little possibility of unauthorised access and copying) are necessary, as are good training and access control in the project group to safeguard the above-mentioned values.
    • The research data must be sufficiently accessible to ensure that it will not be too difficult to complete the research project. The technical solutions must therefore not be so complicated as to prevent the project from being carried out. All the members of the research group, not just the project manager, must have sufficient access to the data to be able to collect and analyse them.

    The project manager is responsible for striking a balance between the three value factors. Risk assessment will be a useful tool in this context.

  • Responsibility

    The project manager is responsible for doing a risk assessment of the data flow in their research project. The institute leader/director is responsible for approving the risk assessment and accepting the risk level.

  • Templates and guides