Procedures for risk management - information security
- Act number: UFV 2018/211
- Decision maker: Head of Division
- Decision date: 2021-10-06
- Contact: email@example.com
- Processing body: Security and safety division
About the document
Table of contents
The following procedures describe a process for assessment and addressing of security risks in information systems or other information management.
The procedures are part of the university's overall routines for information security (UFV 2017/93), which are based on the Swedish Civil Contingency Agency’s regulations on information security for governmental authorities (MSBFS 2020: 6).
These procedures replace previous procedures for risk management of information systems (2015/322).The risk management process in its entirety is carried out in the steps described below. Each of the steps can also be performed separately or in a combination with other steps. (It is important to note that the result from the information classification is always a prerequisite in order to be able to proceed to the subsequent steps.
- Consequence analysis (with regard to system failure)
- Information classification
- Requirement analysis
- Risk analysis
- Management of identified security vulnerabilities