Endorsed by the Security Working Group - 31 July 2014. Approved by the Information Risk Governance Group - April 2017. These principles are to be applied on a "comply or explain" basis.
This page explains how to set up, configure and manage services so that a minimum level of information risk management is in place. It was originally written for the Information Services Division but has been adapted for application anywhere in UCL.
- Service components should be enumerated to the individual server or operating system instance level. The Service Operations Manager should undertake this task.
- The service should be rated on a scale of 1-3 (see service levels below) according to the classification of the information it handles. This should be done by the Service Owner. The rating can be obtained by carrying out a service risk assessment.
- The service rating should be approved (and the approval documented) by the Risk Owner for the information handled by the service.
When defining the rating, services will:
  - Inherit the lowest capability of their components
  - Inherit the highest risk rating of their components
- The service owner should curate a list of risks and manage these in conjunction with the business service owner (risk owner). The list should be copied to ISG for review.
- Any risks that are classified as Intolerable should be escalated to the relevant business service owner.
- Any problems with non-compliance with policy, or implementing/maintaining controls should be reported to the service owner for them to address.
Service Levels:
1. Not too worried about the security of this service. It's capable of handling information at Normal.
2. Security is definitely on our minds when thinking about this service. It's capable of handling information up to and including Restricted.
3. Security is the first thing on our minds when thinking about this service. It's capable of handling information up to and including Secret.