Home » Data Protection » Network Security

How To

Risk Assessment Tool: Application for Removable Device Media

An excerpt from the form that the City of London uses to decide whether or not to grant officers permission to download data onto portable media

Page 3

Part 3: Risk/Benefit Comparison

When officers at the City of London police wish to download information onto a portable media device, they must file a formal application to do so. Based on the scores assessed in parts one and two, this is the criteria decision-makers use to compare the risks and benefits of the proposed data download. (To read about how the police force uses the tool, see "How To Tell If That USB Download Is Really Worth the Security Risk.")

This section defines how the scoring from the risk and benefits sections are compared. This section is included for informational purposes only and is used only by the decision maker. It is included to demonstrate transparency of process. The following table is intended to give guidance on the trade off between risk and benefit. It also defines the levels of approval required for the business case dependent on risk.

Benefit Risk	0-45	45-200	200+
< 20	Rejected Insufficient Benefit	Rejected Insufficient Benefit	Rejected Unacceptable risk
Between 20 & 40	Low risk & BenefitAuthority	Rejected Disproportionate risks to benefit	Rejected Unacceptable risk
Between 40 & 60	Acceptable ISO Authority	Medium Risk & Benefit Information Manager Authority	Rejected Unacceptable risk
60+	Acceptable ISO Authority	Acceptable ISO Authority	High Risk & Benefit Information Management Board Authority