Establishing a risk profile

This section describes how to establish a risk profile for a website or web service to inform design requirements.

It covers:

  • the nature of inherent threats on the public web and the consequent risks facing any site or service operating on the web
  • an approach to assessing the business impact of risks being realised
  • how to establish a risk profile to inform design requirements.

Action points

  • Align your risk management efforts around the impact of a risk, rather than the likelihood of it happening.
  • Assess and categorise the risks for every website, existing and planned.
  • Create and record a site risk profile – high or moderate sites require more extensive security requirements and testing procedures than low risk sites.

The online threat environment

The internet should be treated as a hostile environment, requiring proactive protection of websites and services. You should assume that any sites or service are regularly scanned for vulnerabilities by those looking to exploit them.

Because of this high level of threat activity on the internet, and because it is difficult to assign precise risk levels for every individual type of threat, you should align your risk management efforts around the impact of a risk, rather than its perceived likelihood. In most cases, likelihood of Internet threats can be treated as high or very high.

Common online threats

Common threats include:

  • data and information theft: data and information can be stolen, and sometimes publicised. This data and information can range from user’s email addresses and passwords, to protected government or public material or users’ private information. This can include identity theft
  • defacement: sites can be defaced, often with objectionable or political content
  • take-down: a site is slowed or stopped, as in ‘denial of service’ attacks
  • drive-by attacks: malware is implanted in insecure sites, which are then used to attack site visitors for the purposes of growing botnets or stealing user data such as credit card numbers from site visitors.

More information on the threat environment can be found in Annex A of the document Agency cyber security responsibilities when transacting online with the public (available from this page), published by the Australian Attorney General's office but still relevant to New Zealand government agencies.

Doing a risk impact assessment

For every web site or service – whether existing or planned – you need to assess and categorise the risks according to the severity of the impact of a security or privacy breach.

Use a standard process to assess breach impact. You may wish to use the following example.

  1. The business team convenes an assessment group of people who are knowledgeable about the site’s content and organisational risk. The group includes the business owner, web or IT adviser, the project lead (where the work is part of a web project) and the Privacy Officer (where personal information is included).
  2. The assessment team:
    • classifies site information according to government security classifications, including endorsements
    • establishes whether the site holds ‘personal information’, as defined by the Privacy Act
    • establishes whether the site holds any unpublished and protected information. This may include business rules embedded in a web application, or API keys enabling access to a service, for example
    • considers the likely impact of a security breach using the agency’s risk assessment framework. The aim is to establish the likely consequences of information theft, or the defacement, corruption or permanent loss of the site and its content. The impact of the breach of personal information on the individuals affected should also be considered.

Assigning a risk profile

From this analysis you can create and record a site risk profile, taking into account what risks your agency deems acceptable.

You should assign a risk profile of ‘high’ or ‘moderate’ to those websites that meet one or more of the following criteria, and seek further advice:

  • the website stores users’ personal information beyond contact details for the purpose of notifying updates
  • the website content carries unpublished protected information
  • the site provides ‘high-stakes’ information (as defined in the glossary to the Web Accessibility Standard) such as emergency management information or important health and safety information
  • an agency chooses to elevate the risk profile for a site for other reasons (for example, high public profile, high traffic, or the possibility of attracting ‘hacktivist’ interest).

Security requirements and testing procedures should be more extensive for sites with a high or moderate risk profile. More details can be found in Designing for security and privacy.

A risk profile of ‘low’ can be assigned to sites which

  • are informational, and do not provide ‘high stakes’ information
  • limit the collection and storage of user information to basic contact details e.g. for the purpose of notifying updates.