Publication by EDPS of Security Risk Management Guidance for EU Institutions
On March 21, 2016, the European Data Protection Supervisor (EDPS) issued a Guidance on Security Measures for Personal Data Processing. The purpose of the guidance is to explain Article 22 of Regulation 45/2001 and to set out the main practical steps EU institutions and bodies should take in order to comply with it. The document not only recalls the security obligations laid down in EU law but also builds on accepted best-practice recommendations for information security risk management (ISRM). Instead of prescribing particular security measures that must be implemented to mitigate risk, the EDPS notes that “state of the art” risk assessment and management must be applied at all times. For the EDPS, a specific tool to manage and monitor risk on an ongoing basis is of utmost importance, and the adoption of an ISRM framework responds to this practical need. The Guidance sets out precisely how this framework ought to be applied. The procedures it describes should prove a valuable instrument for any organization looking to rationalize and focus its ISRM processes.
The Guidance describes an ISRM process with the following steps:
“1. Context Establishment: Relevant facts are gathered, risk evaluation criteria are established, roles and responsibilities are assigned, and the scope and objectives of the process are defined.
2. Risk Assessment
a. Risk Identification: Relevant risks to the organization are identified.
b. Risk Analysis: Identified risks are analyzed to determine the probability and consequences of each one.
c. Risk Evaluation: Risks are evaluated using the criteria established in the Context Establishment stage and prioritized accordingly.
3. Risk Treatment: The organization decides whether to reduce, avoid, or share each risk; residual risks are calculated.
4. Risk Acceptance: The organization either accepts each residual risk or engages in additional risk treatment to attain an acceptable level of residual risk.
5. Risk Communication and Consultation: Risk-related information is communicated to relevant stakeholders to obtain buy-in.
6. Risk Monitoring and Review: Risks are consistently monitored to ensure the organization’s management of each one is appropriately adjusted in response to changes in the risks.” For instance, the guidance states: “Since threats, technologies, processes and other factors relevant for the risk assessment evolve constantly, it is necessary for EU institutions to regularly review their risk assessment and the selection of security measures.”
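To make the six steps concrete, the following is an added worked example of a minimal risk register that walks through context establishment, assessment, treatment, acceptance and review. It is illustration written for this summary, not code from the EDPS Guidance or any EU institution; the 1–5 rating scales, the acceptance and priority thresholds, the "fraction of score removed" model for residual risk and the four sample risks are all constructed assumptions.

```python
"""Added example: a small ISRM risk register following the six-step process.

Scales, thresholds, the residual-risk model and the sample risks are constructed
for illustration; an institution defines its own criteria in step 1.
"""
from dataclasses import dataclass, replace

# Step 1, context establishment: agreed rating scales and evaluation criteria
# (constructed values).
LIKELIHOOD_SCALE = range(1, 6)   # 1 rare .. 5 almost certain
IMPACT_SCALE = range(1, 6)       # 1 negligible .. 5 severe (e.g. mass disclosure)
ACCEPTANCE_THRESHOLD = 6         # residual score at or below this may be accepted
PRIORITY_THRESHOLD = 12          # inherent score at or above this is treated first
TREATMENTS = {"reduce", "avoid", "share", "none"}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int
    impact: int
    treatment: str = "none"
    effectiveness: float = 0.0   # fraction of the inherent score the treatment removes

    def __post_init__(self):
        # Reject ratings outside the scale agreed in step 1.
        if self.likelihood not in LIKELIHOOD_SCALE or self.impact not in IMPACT_SCALE:
            raise ValueError(f"{self.name}: rating outside the agreed scale")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"{self.name}: unknown treatment {self.treatment!r}")
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError(f"{self.name}: effectiveness must be within [0, 1]")

    def inherent_score(self) -> int:
        # Step 2b, risk analysis: probability x consequence.
        return self.likelihood * self.impact

    def residual_score(self) -> float:
        # Step 3: avoiding the activity removes the risk; reducing or sharing
        # leaves (1 - effectiveness) of it; "none" keeps the inherent score.
        if self.treatment == "avoid":
            return 0.0
        return self.inherent_score() * (1.0 - self.effectiveness)

    def is_accepted(self) -> bool:
        # Step 4, risk acceptance against the criterion fixed in step 1.
        return self.residual_score() <= ACCEPTANCE_THRESHOLD


def evaluate(register):
    """Step 2c: rank by inherent score and flag risks above the priority threshold."""
    ranked = sorted(register, key=lambda r: r.inherent_score(), reverse=True)
    return [(r.name, r.inherent_score(), r.inherent_score() >= PRIORITY_THRESHOLD)
            for r in ranked]


def treat(risk, treatment, effectiveness=0.0):
    """Step 3: record the chosen treatment and return the updated register entry."""
    return replace(risk, treatment=treatment, effectiveness=effectiveness)


def outstanding(register):
    """Steps 4 and 6: names of risks whose residual level is not yet acceptable."""
    return [r.name for r in register if not r.is_accepted()]


def review(register, likelihood_changes):
    """Step 6: re-rate risks whose likelihood changed and re-run acceptance."""
    updated = [replace(r, likelihood=likelihood_changes.get(r.name, r.likelihood))
               for r in register]
    return updated, outstanding(updated)


# Step 2a, risk identification: constructed sample register.
REGISTER = [
    Risk("Unencrypted laptop holding case files", likelihood=4, impact=5),
    Risk("Phishing leading to staff credential theft", likelihood=5, impact=4),
    Risk("Delayed patching of public web server", likelihood=3, impact=4),
    Risk("Email sent to wrong recipient", likelihood=3, impact=2),
]


def run_cycle():
    """One pass through steps 2-4 plus a step-6 review; returns the open items at each stage."""
    treated = [
        treat(REGISTER[0], "reduce", 0.8),   # full-disk encryption: 20 -> 4
        treat(REGISTER[1], "reduce", 0.6),   # MFA and awareness training: 20 -> 8
        treat(REGISTER[2], "share", 0.5),    # managed hosting with patch SLA: 12 -> 6
        REGISTER[3],                          # score 6, no treatment needed
    ]
    open_after_treatment = outstanding(treated)       # phishing residual 8 exceeds 6
    # Step 4: additional treatment until the residual risk is acceptable.
    treated[1] = treat(treated[1], "reduce", 0.75)    # residual 5
    open_after_acceptance = outstanding(treated)      # nothing left open
    # Step 6: the threat picture changes, patching likelihood rises to 5.
    _, reopened = review(treated, {"Delayed patching of public web server": 5})
    return open_after_treatment, open_after_acceptance, reopened


if __name__ == "__main__":
    for name, score, priority in evaluate(REGISTER):
        print(f"{score:>3}  {'PRIORITY' if priority else '        '}  {name}")
    print(run_cycle())
```

The point of the structure is that the acceptance and priority criteria live in the context-establishment constants rather than in the treatment code, so a review (step 6) can re-rate a single risk and immediately see which accepted risks fall back above the threshold and need fresh treatment.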