The University uses this rating as an indicator of the potential negative consequences should a cyber-attack compromise the resource. The higher the risk rating, the greater the potential loss and, consequently, the more critical it is for security measures to be in place.
Information resources with a "High" cyber risk rating (i.e. a score of 10, 11 or 12) are considered cyber critical and are required to comply with enhanced security measures. Business System Owners of "High" cyber risk rated resources also have additional responsibilities, as defined in the Cyber Security Policy (section 5 - Cyber Security Roles and Responsibilities).
Using the table below, the cyber risk rating is established by determining the appropriate score (0 to 4) for each of the availability, integrity and confidentiality needs of the resource and summing the three scores. If more than one level applies to a dimension, select the highest score for that dimension. The resulting rating ranges from 0 to 12; a "High" rating (10 or above) therefore requires at least two of the three dimensions to be scored at 3 or 4.
| SCORE | AVAILABILITY¹ | INTEGRITY² | CONFIDENTIALITY³ |
|---|---|---|---|
| 0 | Not time critical | Loss of integrity results in Low-rated consequences | Asset only holds data classified as Public (e.g. course information, published research, marketing materials) |
| 1 | RTO >= 1 week | Loss of integrity results in Minor consequences | Asset generally holds data classified as Confidential, or sporadic more sensitive records (Confidential: proposed courses, internal procedures, general email correspondence) |
| 2 | RTO < 1 week | Loss of integrity results in Moderate consequences (e.g. sporadic academic records, administrative contracts) | Asset holds volumes (>1000 records) of Confidential Restricted data (e.g. PII, exam results, standard contracts and financial records) |
| 3 | RTO < 1 day | Loss of integrity results in Major consequences (e.g. health records, active defence/restricted research data, volumes of academic records, administrative contracts) | Asset holds volumes (>1000 records) of Highly Restricted data (e.g. sensitive PII, government IDs, health records, biometrics, active defence/restricted/animal research, passwords, ethics and data breaches) |
| 4 | RTO < 1 hour | Loss of integrity results in Extreme consequences (e.g. volumes (>1000 records) of health records, active defence/restricted research data) | Asset holds volumes (>1000 records) of Highly Restricted data, including Tax File Numbers (TFN) or Individual Healthcare Identifiers (IHI) accompanied by other PII |
¹ Availability requirements (Recovery Time Objective, RTO) as defined in UWA Business Impact Assessments
² Consequence scale as defined in the UWA Risk Matrix
³ Data classification as defined in the UWA Information Protection Policy