Risk Assessment, Classification and Mitigation

To strike a balance between openness and control, and between costs and benefits, a risk-based approach is taken to cyber security. In a risk-based approach, the risks associated with the use of IT resources are first assessed and classified, and an appropriate level of risk mitigation is then adopted for each class.

Risk assessment in cyber security is closely tied to business purpose and is seldom a purely technological question: the same technology used for different business purposes can lead to quite different risk assessments. For instance, the risks of using a portable thumb drive to store a presentation file are very different from those of using it to store student academic records. In general, risk assessment requires a good understanding of the prominent business or operational concerns, and the result can change over time as those concerns change. It is useful to group the assessed risks into categories. The following risk classification is adopted for capturing the result of a risk assessment:

High-risk
  Definition: Items whose protection is required by law, or that, if compromised, can lead to a significant impact on the University's business, safety or finances.
  Examples: Personal data, financial data, the central data center, central administrative systems, etc.

Moderate-risk
  Definition: Items that, if compromised, can lead to a noticeable impact on the University's business, safety or finances.
  Examples: E-learning systems, official web sites, office computers, etc.

Low-risk
  Definition: Items that are not classified as "high-risk" or "moderate-risk".
  Examples: Demo systems, published research data, etc.

Depending on the risk category assigned, appropriate risk mitigation measures, as set out in the Minimum Security Standard, must be adopted. Note that low-risk resources also need protection: for a demo system or published research data the concern is rarely confidentiality, but the data must still not be tampered with (integrity) and the service must remain usable (availability).

For the common IT resources that are well known to the University community, a reference classification is given in Risk Classification Examples of Common IT Resources. Since risk assessment depends on the purpose of use, the reference classification will not be adequate in every case. All members of the University must assess the associated risks before using any IT resource, and when in doubt must apply the stronger protection measure.