
Assessing Risks

Assessing risks is an important activity when building secure software. It should be used to help prioritise work on fixing vulnerabilities and to highlight risks to the system that have not yet been resolved. When assessing a vulnerability, you will generally weigh the impact should it be exploited against the likelihood that it will be exploited.

If there is an Information Security Officer (ISO) assigned to your team, you should work with them to make sure you are assessing the risks associated with your service regularly and that you are tracking unresolved risks appropriately.

Risk assessment methods

CDDO have produced a handy guide on performing a security risk assessment that aligns to the NCSC basic risk assessment and management method. The guide includes the following steps:

  1. Establish the scope and method
  2. Collate your asset analysis
  3. Collate your threat analysis
  4. Assess the vulnerabilities
  5. Identify and analyse the risks
  6. Create a risk register

The NCSC basic risk assessment and management method is a good framework for assessing the risks to your service.

Risk registers

Your service should maintain a risk register that tracks the risks associated with the service. This can be done in a risk register spreadsheet, which should be shared with, and reported to, the assigned ISO.

Risk acceptance procedures

DfE acknowledges that not all risks will be remediated immediately, for example where the cost of a fix outweighs its benefit. Senior Responsible Officers/Owners can accept risks within limits, but this must be the exception rather than the rule. An accepted risk must be recorded on the risk register and reviewed quarterly to reassess whether the cost/benefit imbalance still applies, and the initial acceptance must be reported to an ISO before it is signed off for the first time.

Critical and high risk issues cannot be accepted without remediation.
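As an added illustration (not DfE, CDDO or NCSC code), the following Python risk register scores impact against likelihood as described under Assessing Risks, orders open risks for remediation, and enforces the acceptance rules above: critical and high risks cannot be accepted, the first acceptance must be reported to an ISO, and accepted risks come up for quarterly review. The 1 to 5 scales, the rating thresholds, the 91-day review period and the sample entries are assumptions, not figures from the guidance.

```python
"""Minimal risk register: impact x likelihood scoring, acceptance rules, quarterly review.

Added example, not DfE/CDDO/NCSC code. Scales, thresholds, dates and entries are assumed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed 1..5 ordinal scales (the guidance fixes none); score = impact x likelihood.
RATINGS = ((20, "critical"), (12, "high"), (6, "medium"), (1, "low"))  # assumed floors
REVIEW_PERIOD = timedelta(days=91)  # "quarterly" reassessment of accepted risks
ACCEPTABLE = {"low", "medium"}      # critical/high cannot be accepted without remediation


def score(impact: int, likelihood: int) -> int:
    if not (1 <= impact <= 5 and 1 <= likelihood <= 5):
        raise ValueError("impact and likelihood must be 1..5")
    return impact * likelihood


def rating(s: int) -> str:
    for floor, name in RATINGS:
        if s >= floor:
            return name
    raise ValueError("score out of range")


class AcceptanceError(Exception):
    """Raised when an acceptance would break the policy constraints."""


@dataclass
class Risk:
    ref: str
    description: str
    impact: int
    likelihood: int
    status: str = "open"            # open | accepted | remediated
    accepted_by: Optional[str] = None
    review_due: Optional[date] = None

    @property
    def score(self) -> int:
        return score(self.impact, self.likelihood)

    @property
    def rating(self) -> str:
        return rating(self.score)

    def accept(self, sro: str, iso_reported: bool, today: date) -> None:
        """Record SRO acceptance; refuse critical/high and unreported acceptances."""
        if self.rating not in ACCEPTABLE:
            raise AcceptanceError(f"{self.ref}: {self.rating} risk cannot be accepted without remediation")
        if not iso_reported:
            raise AcceptanceError(f"{self.ref}: initial acceptance must be reported to an ISO first")
        self.status, self.accepted_by = "accepted", sro
        self.review_due = today + REVIEW_PERIOD

    def review(self, today: date, still_accepted: bool) -> None:
        """Quarterly reassessment: re-affirm (new due date) or reopen the risk."""
        if self.status != "accepted":
            raise AcceptanceError(f"{self.ref}: only accepted risks are reviewed")
        if still_accepted:
            self.review_due = today + REVIEW_PERIOD
        else:
            self.status, self.review_due = "open", None


class RiskRegister:
    def __init__(self) -> None:
        self.risks: dict[str, Risk] = {}

    def add(self, risk: Risk) -> Risk:
        if risk.ref in self.risks:
            raise ValueError(f"duplicate ref {risk.ref}")
        self.risks[risk.ref] = risk
        return risk

    def prioritised(self) -> list[Risk]:
        """Open risks, highest score first: the order in which to work on fixes."""
        return sorted((r for r in self.risks.values() if r.status == "open"),
                      key=lambda r: r.score, reverse=True)

    def overdue_reviews(self, today: date) -> list[Risk]:
        """Accepted risks whose quarterly review date has passed."""
        return [r for r in self.risks.values()
                if r.status == "accepted" and r.review_due is not None and r.review_due < today]


def build_sample_register() -> RiskRegister:
    """Constructed sample entries (not real findings)."""
    reg = RiskRegister()
    reg.add(Risk("R-1", "Admin API reachable without MFA", impact=5, likelihood=4))
    reg.add(Risk("R-2", "Verbose stack traces in error pages", impact=2, likelihood=3))
    reg.add(Risk("R-3", "Outdated logging library, no known exploit path", impact=3, likelihood=1))
    return reg


def demo() -> dict:
    """Walk the sample register through acceptance and one quarterly review (fixed dates)."""
    reg, out = build_sample_register(), {}
    out["initial_priority"] = [r.ref for r in reg.prioritised()]
    try:                                           # critical: must be refused
        reg.risks["R-1"].accept("SRO", iso_reported=True, today=date(2024, 1, 10))
        out["r1_accepted"] = True
    except AcceptanceError as exc:
        out["r1_accepted"], out["r1_error"] = False, str(exc)
    try:                                           # low, but not reported to an ISO
        reg.risks["R-3"].accept("SRO", iso_reported=False, today=date(2024, 1, 10))
        out["r3_accepted"] = True
    except AcceptanceError:
        out["r3_accepted"] = False
    r2 = reg.risks["R-2"]                          # medium: acceptable
    r2.accept("SRO", iso_reported=True, today=date(2024, 1, 10))
    out["r2_review_due"] = r2.review_due.isoformat()
    out["overdue_2024_05_01"] = [r.ref for r in reg.overdue_reviews(date(2024, 5, 1))]
    r2.review(date(2024, 5, 1), still_accepted=False)   # imbalance no longer applies
    out["priority_after_review"] = [r.ref for r in reg.prioritised()]
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The register deliberately has no way to mark a critical or high risk as accepted; the only exits from that state are remediation or a re-scoring backed by a new assessment. Keeping the review due date on the entry means the overdue list can be produced mechanically for the quarterly ISO report rather than relying on memory.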