Part 1: Risk Assessment Scoring
When officers at the City of London police wish to download information onto a portable media device, they must file a formal application to do so. This is the form decision-makers use to evaluate the risk with the proposed data download. (To read about how the police force uses the tool, see "How To Tell If That USB Download Is Really Worth the Security Risk.")
|
Area |
Response |
Score |
|
Amount of information |
Small <100kb Medium < 5Mb Large > 5Mb |
35 40 50 |
|
Is the use of the device restricted to specific users? |
Yes No |
-5 10 |
|
Can transfers of information be audited? |
Yes No |
-10 10 |
|
Can the information be checked for malicious code? |
Yes No |
-10 20 |
|
What is the classification of the information involved? |
Unclassified Restricted Confidential Secret |
0 20 40 80 |
|
Can the information be easily accessed if the device/media is lost? |
Yes No |
20 -30 |
|
What are the consequences of losing the device/media? |
None Embarrassing Endangers cases Endangers individuals |
0 10 50 200 |
|
How easily can the information be transferred to other devices/media? |
Easy Difficult Not possible |
50 10 -50 |
|
Are there effective procedures in place that will reduce risk of misuse? |
Yes No |
00 50 |
|
Are there effective procedures in place that will reduce risk of accidental loss? |
Yes No |
00 50 |
Read on to see an excerpt of the City of London's benefits assessment scoring methodology.
Part 2: Benefits Assessment Scoring
When officers at the City of London police wish to download information onto a portable media device, they must file a formal application to do so. This is the form decision-makers use to evaluate the benefits of the proposed data download. (To read about how the police force uses the tool, see "How To Tell If That USB Download Is Really Worth the Security Risk.")
Benefits are less easy to quantify directly. Three areas should be considered in determining benefits:
|
Area |
Response |
Scoring |
|
Does the proposal directly save money or generate income for the force? |
The sale of material prepared in the force. |
Scale from 0-40 |
|
Does the proposal have a direct operational benefit? |
Improve communications, reduce staff hours, or eliminate re-entry of information. |
Scale from 0-60 |
|
Does the proposal put officers at risk? |
For instance of corruption. |
Yes Scale -50 to 0 No = 0 |
Read on to see an excerpt of the City of London's risk/benefit comparison.
Part 3: Risk/Benefit Comparison
When officers at the City of London police wish to download information onto a portable media device, they must file a formal application to do so. Based on the scores assessed in parts one and two, this is the criteria decision-makers use to compare the risks and benefits of the proposed data download. (To read about how the police force uses the tool, see "How To Tell If That USB Download Is Really Worth the Security Risk.")
This section defines how the scoring from the risk and benefits sections are compared. This section is included for informational purposes only and is used only by the decision maker. It is included to demonstrate transparency of process. The following table is intended to give guidance on the trade off between risk and benefit. It also defines the levels of approval required for the business case dependent on risk.
|
Benefit Risk |
0-45 |
45-200 |
200+ |
|
< 20 |
Rejected Insufficient Benefit |
RejectedInsufficient Benefit |
Rejected Unacceptable risk |
|
Between 20 & 40 |
Low risk & BenefitAuthority |
RejectedDisproportionate risks to benefit |
Rejected Unacceptable risk |
|
Between 40 & 60 |
AcceptableISO Authority |
Medium Risk & Benefit Information Manager Authority |
RejectedUnacceptable risk |
|
60+ |
AcceptableISO Authority | AcceptableISO Authority |
High Risk & Benefit Information Management Board Authority |