Risk assessment

Seite 1

Ausfüllhinweis (optional)

The pre-filled texts serve as examples commonly found in research practice. The examples are not to be understood as exhaustive, complete or universally applicable – they serve solely as guidance and must all be checked to see whether they are relevant to the specific research project. All examples that are not applicable must be deleted or amended accordingly, and missing information must be added.

With regard to the wording of Art. 40 (8) (d) DSA, the focus is on data confidentiality and security ("are able to comply with the specific data security and confidentiality requirements associated with each request and to protect personal data"). From the perspective of the data subjects, the other risk scenarios (data unavailable, incorrect, etc.) are generally only relevant insofar as the measures also concern the disclosure/transfer of their data. Beyond that, it is of little significance to the data subjects if their data is not available for research purposes. For the researchers involved, however, the availability and integrity of the data are the very basis of their work. Not least in their own interest, they should therefore ensure that risks in this regard are also minimised.

Email address

The finished document will be sent to this email address.

Your name

Your organisation

Confidentiality – risk scenario: unlawful access to data

Risk source/vulnerability	Risk description	Potential damage – physical, material, immaterial	Probability of occurrence	Degree	Severity of damage	Degree	Basic measures for risk management (according to 1.5)	Risk index for basic measures	If necessary according to 4.3: Risk index for additional measures	Justification of the new risk index for additional measures
Risk source/vulnerability Project participants	Risk description Project participants unintentionally/intentionally grant access to unauthorised persons	Potential damage – physical, material, immaterial Unauthorised access to data, information leakage	Probability of occurrence Limited, possible in the event of incorrect authorisation due to faulty operation; negligible in terms of intentional actions based on experience to date	Degree	Severity of damage Potentially substantial	Degree	Basic measures for risk management (according to 1.5) Rights and roles concept is implemented at the technical level, separate user and administrator IDs are used (users cannot perform administrative tasks); training and awareness raising	Risk index for basic measures	If necessary according to 4.3: Risk index for additional measures	Justification of the new risk index for additional measures
Risk source/vulnerability Admin	Risk description Former project participants can still access data after leaving/rights are not revoked unintentionally/intentionally after leaving	Potential damage – physical, material, immaterial Unauthorised access to data, information leakage	Probability of occurrence Limited in terms of unintentional administrative errors; negligible in terms of deliberate action based on experience to date	Degree	Severity of damage	Degree	Basic measures for risk management (according to 1.5) Internal instructions for revoking access after changes/ automatic withdrawal, monitoring, training and awareness raising	Risk index for basic measures	If necessary according to 4.3: Risk index for additional measures	Justification of the new risk index for additional measures Despite measures taken, a normal residual risk exists in the dynamic research environment The additional measures mean that only a low residual risk is assumed
Risk source/vulnerability Systems of the research institution/systems of service providers/systems of project participants (business)/systems of project participants (private) by hackers/cybercriminals	Risk description Direct attack on IT systems and network components Systems (e.g. systems that are not patched or hardened; eavesdropping of communications)	Potential damage – physical, material, immaterial Unauthorised access to data, information leakage	Probability of occurrence	Degree	Severity of damage	Degree	Basic measures for risk management (according to 1.5)	Risk index for basic measures	If necessary according to 4.3: Risk index for additional measures	Justification of the new risk index for additional measures
Risk source/vulnerability Admins by hackers/cybercriminals	Risk description Targeted attack, authentication information is obtained through phishing, viruses, etc., data is accessed through the compromised account	Potential damage – physical, material, immaterial Unauthorised access to data, information leakage	Probability of occurrence Based on experience or given circumstances, the occurrence is unlikely	Degree	Severity of damage	Degree	Basic measures for risk management (according to 1.5) Encryption, vulnerability management, MFA, training and awareness	Risk index for basic measures	If necessary according to 4.3: Risk index for additional measures	Justification of the new risk index for additional measures
Risk source/vulnerability Project participants affected by hackers/cybercriminals	Risk description Targeted attack, authentication information is obtained through phishing, viruses, etc., data is accessed through the compromised account	Potential damage – physical, material, immaterial Unauthorised access to data, information leakage	Probability of occurrence Attack technically possible and likely.	Degree	Severity of damage	Degree	Basic measures for risk management (according to 1.5) Encryption, MFA, training and awareness	Risk index for basic measures	If necessary according to 4.3: Risk index for additional measures	Justification of the new risk index for additional measures
Risk source/vulnerability Software/system of the research institution, admin	Risk description Access no longer restricted to defined roles/rights concept after faulty update/configuration	Potential damage – physical, material, immaterial Unauthorised access to data, information leakage	Probability of occurrence Possible in the event of configuration errors, e.g. due to faulty updates of the or manual errors	Degree	Severity of damage	Degree	Basic measures for risk management (according to 1.5) Monitoring access/role rights concepts, training and awareness	Risk index for basic measures	If necessary according to 4.3: Risk index for additional measures	Justification of the new risk index for additional measures
Risk source/vulnerability IT system of service provider (software provider, etc.)	Risk description Access to data by service provider personnel	Potential damage – physical, material, immaterial Unauthorised access to data, information leakage	Probability of occurrence	Degree	Severity of damage	Degree	Basic measures for risk management (according to 1.5) AV contract with service provider	Risk index for basic measures	If necessary according to 4.3: Risk index for additional measures	Justification of the new risk index for additional measures
Risk source/vulnerability authorities, network providers	Risk description Access to data, e.g. through eavesdropping on communications	Potential damage – physical, material, immaterial Unauthorised access to data, information leakage	Probability of occurrence Access technically possible, but low probability	Degree	Severity of damage	Degree	Basic measures for risk management (according to 1.5) Data is only stored in the IT systems of the university	Risk index for basic measures	If necessary according to 4.3: Risk index for additional measures	Justification of the new risk index for additional measures
Risk source/vulnerability US authorities and secret services	Risk description access to data within the framework of legal regulations of the USA	Potential damage – physical, material, immaterial Unauthorised access to data, information leakage	Probability of occurrence Access technically possible but low probability	Degree	Severity of damage	Degree	Basic measures for risk management (according to 1.5) AV measures for compliance	Risk index for basic measures	If necessary according to 4.3: Risk index for additional measures	Justification of the new risk index for additional measures

Availability of data – risk scenario: data loss

Risk source/vulnerability	Risk description	Potential damage – physical, material, immaterial	Probability of occurrence	Degree	Severity of damage	Degree	Basic measures for risk management (according to 1.5)	Risk index for basic measures	If necessary according to 4.3: Risk index for additional measures	Justification of the new risk index for additional measures
Risk source/vulnerability Members of the research institution by hackers/cybercriminals	Risk description Targeted attack on project participants or other members of the research institution; authentication information is intercepted through phishing, viruses, etc.; data is deleted or made unavailable through the compromised account.	Potential damage – physical, material, immaterial Data cannot be used.	Probability of occurrence	Degree	Severity of damage	Degree	Basic measures for risk management (according to 1.5)	Risk index for basic measures	If necessary according to 4.3: Risk index for additional measures	Justification of the new risk index for additional measures
Risk source/vulnerability Hardware, project participants	Risk description Data is stored incorrectly or incompletely Transportweg unzulässig verändert	Potential damage – physical, material, immaterial Data cannot be used.	Probability of occurrence	Degree	Severity of damage	Degree	Basic measures for risk management (according to 1.5)	Risk index for basic measures	If necessary according to 4.3: Risk index for additional measures	Justification of the new risk index for additional measures
Risk source/vulnerability Hardware, project participants	Risk description Data loss due to defective hard drives/end devices unzulässig verändert	Potential damage – physical, material, immaterial Data loss, data cannot be used.	Probability of occurrence Frequent, due to the number of different, decentralised or unmanaged end devices	Degree	Severity of damage Minimal, as deleted or unavailable data can be recovered	Degree	Basic measures for risk management (according to 1.5) Redundant storage of data in the research organisation's IT systems of the research organisation	Risk index for basic measures	If necessary according to 4.3: Risk index for additional measures	Justification of the new risk index for additional measures
Risk source/vulnerability IT systems of the research institution due to hacker attacks/faulty updates/errors in administration	Risk description The IT systems of the research institution are temporarily unavailable or fail	Potential damage – physical, material, immaterial Failure of devices or systems	Probability of occurrence limited, scenario may occur, but based on experience to date and given the circumstances circumstances, but unlikely	Degree	Severity of damage Minimal, as a failure can be compensated for promptly	Degree	Basic measures for risk management (according to 1.5) Redundant storage of data in the IT systems of the research institution	Risk index for basic measures	If necessary according to 4.3: Risk index for additional measures	Justification of the new risk index for additional measures

Data availability - risk scenario: data loss

Risk source/vulnerability	Risk description	Potential damage – physical, material, immaterial	Probability of occurrence	Degree	Severity of damage	Degree	Basic measures for risk management (according to 1.5)	Risk index for basic measures	If necessary according to 4.3: Risk index for additional measures	Justification of the new risk index for additional measures
Risk source/vulnerability Project participants	Risk description Data is stored incorrectly or incompletely	Potential damage – physical, material, immaterial	Probability of occurrence	Degree	Severity of damage	Degree	Basic measures for risk management (according to 1.5)	Risk index for basic measures	If necessary according to 4.3: Risk index for additional measures	Justification of the new risk index for additional measures
Risk source/vulnerability Hackers/cybercriminals	Risk description Data is unauthorised changes during transport	Potential damage – physical, material, immaterial	Probability of occurrence	Degree	Severity of damage	Degree	Basic measures for risk management (according to 1.5)	Risk index for basic measures	If necessary according to 4.3: Risk index for additional measures	Justification of the new risk index for additional measures
Risk source/vulnerability Hackers/cybercriminals	Risk description Data is unauthorised modification of data	Potential damage – physical, material, immaterial	Probability of occurrence	Degree	Severity of damage	Degree	Basic measures for risk management (according to 1.5)	Risk index for basic measures	If necessary according to 4.3: Risk index for additional measures	Justification of the new risk index for additional measures