Procedures for risk management - information security

  • Act number: UFV 2018/211
  • Decision maker: Head of Division
  • Decision date: 2021-10-06
  • Contact:
  • Processing body: Security and safety division

The following procedures describe a process for assessing and addressing security risks in information systems or other information management.

The procedures are part of the university's overall routines for information security (UFV 2017/93), which are based on the Swedish Civil Contingency Agency’s regulations on information security for governmental authorities (MSBFS 2020:6).

These procedures replace previous procedures for risk management of information systems (2015/322).

The risk management process in its entirety is carried out in the steps described below. Each of the steps can also be performed separately or in combination with other steps. (It is important to note that the result from the information classification is always a prerequisite in order to be able to proceed to the subsequent steps.)

  1. Scoping
  2. Consequence analysis (with regard to system failure)
  3. Information classification
  4. Requirement analysis
  5. Risk analysis
  6. Management of identified security vulnerabilities

Last modified: 2021-11-18