What is an Information Security Risk?


TeleResult assesses the Information Security risk for all our processes and Information assets.


Typical risks are

  • Unauthorised external access to client and TeleResult information stored on our IT systems (i.e., hacking of one or more of our assets)
  • Phishing messages to encourage staff to release confidential information
  • Sending by staff of confidential information (e.g., phone numbers, financial information, call details) to unauthorised requestors
  • Creation of logins with incorrect client access
  • Vulnerabilities in TeleResult application code
  • Lack of information availability due to infrastructure and/or back up failure
  • Data corruption or lack of integrity due to application failure


See Reporting a Security Incident if any of these issues occur.


Risk Assessment

 

All risks are assessed to determine their Likelihood and Consequence. 

  • Consequence of Occurrence is an assessment of the effect on business operations if the risk were to occur.
  • Likelihood of Occurrence is an assessment of how likely the risk is to occur.


The matrix below is used to determine the seriousness of the risk, to decide whether any mitigation is required, and to allocate a Risk Status.



Information Assets

To assist in identification of risks TeleResult has created a register of all “Information Assets” in the ISMS scope where an asset is “anything that has a value to the organisation” – i.e., of all assets which may affect confidentiality, integrity, and availability of information in the organisation. 

Assets may include documents in paper or electronic form, applications and databases, people, IT equipment, infrastructure, and external services/outsourced processes.


Each asset has been allocated one of the following categories:

  • People
  • Applications and databases
  • Documentation (in paper or electronic form)
  • IT, communication, and other equipment
  • Infrastructure
  • Outsourced services

 

Risk and Asset owners 

For each identified asset an Asset owner and a Risk owner have been assigned, with roles as follows.


The role of the Risk Owner:

  • The individual responsible for managing threats and vulnerabilities that may be exploited.
  • The person for whom the risk is relevant to their job and who has the authority to do something about it.
  • Someone closely related to processes and operations where the risks have been identified.
  • The person who will feel the “pain” if the risks materialise – that is, someone who is very much interested in preventing such risks from happening.
  • They must be positioned highly enough so that their voice would be heard among the decision makers.

The role of the Asset Owner:

  • The person responsible for the day-to-day management of assets.
  • An asset owner is generally lower in the organisational hierarchy than the risk owner.
  • Asset owners identify risks that may impact their assets.

 

Risk Register

TeleResult maintains a risk register which for each risk shows

  • Risk Status
  • Whether it is an acceptable risk or requires Mitigation
  • Whether any mitigation has been completed 

Risk Review

The risk assessment requires regular review by Risk and Asset owners. Triggers for this include

  • A regular review by the Asset or Risk owner
  • The completion of a Risk Mitigation
  • The raising of a non-conformity report
  • The evaluation of a new business requirement, new technologies, a new supplier, or an improved process


Change log


Change                                                               | By Whom      | When
Initial Release                                                      | David Street | 03/08/2022
Typical risks updated to include Availability and Integrity risks    | David Street | 08/08/2022