Risk Assessment: Cyber Security
Document Reference: RA_HO_05
Issue Date: 04/07/2025
Review Date: 04/07/2026
Assessed By: HSQE Consultant
Approved By: Aaron Mason
Task/Activity
Protection against cyber threats and maintaining information security
Location
All digital work environments
Persons at Risk
- All staff
- Company data and systems
- Client information
- Supply chain partners
Hazards and Controls
| Hazard | Existing Controls | S (Severity) | L (Likelihood) | R (Risk Rating) | Additional Controls | S (Severity) | L (Likelihood) | R (Risk Rating) |
|---|---|---|---|---|---|---|---|---|
| Phishing attacks | Email filtering, basic training | 4 | 2 | 🟡 8 | Simulated phishing tests, advanced training | 3 | 1 | 🟢 3 |
| Ransomware | Antivirus, backup systems | 4 | 2 | 🟡 8 | Advanced threat detection, isolated backups | 3 | 1 | 🟢 3 |
| Data theft | Firewall, access controls | 4 | 2 | 🟡 8 | Enhanced monitoring, security awareness campaign | 3 | 1 | 🟢 3 |
| System compromise | Password policies, updates | 4 | 2 | 🟡 8 | Zero-trust architecture, regular penetration testing | 3 | 1 | 🟢 3 |
| Weak passwords | Password policy, complexity requirements | 3 | 3 | 🟡 9 | Password manager provision, biometric authentication | 3 | 1 | 🟢 3 |
| Unsecured Wi-Fi | VPN provision, security guidance | 3 | 2 | 🟡 6 | Mandatory VPN use, home router security | 2 | 1 | 🟢 2 |
| Social engineering | Awareness training, verification procedures | 3 | 2 | 🟡 6 | Enhanced training, challenge protocols | 3 | 1 | 🟢 3 |
| Supply chain attacks | Vendor assessments, software controls | 4 | 2 | 🟡 8 | Enhanced vetting, isolated environments | 3 | 1 | 🟢 3 |
PPE Requirements
- Not applicable
Training Requirements
- Security awareness training
- Phishing identification
- Password management
- Incident reporting
- Data handling procedures
- Social engineering awareness
Emergency Procedures
- Cyber incident response plan
- System isolation protocols
- Evidence preservation
- Recovery procedures
- External reporting (ICO, NCSC)
Monitoring
- Security event logging
- Threat intelligence monitoring
- Vulnerability assessments
- Training completion rates
- Phishing test results
Risk Assessment Summary
Risk Scoring Matrix
- Severity (S): 1=Negligible, 2=Minor, 3=Serious, 4=Catastrophic
- Likelihood (L): 1=Remote, 2=Unlikely, 3=Likely, 4=Almost Certain
- Risk Rating: 🟢 Low (1-5), 🟡 Medium (6-11), 🔴 High (12-16)
Document Control
- All risk assessments reviewed annually
- Update following incidents or changes
- Approved by senior management
- Communicated to all relevant parties
Related Documents
- APP_07 Hazard Identification Log
- MAN01_INTEGRATED MANAGEMENT SYSTEM (IMS) MANUAL
- APP_12 Training Matrix
These Risk Assessments form part of A M Water Services Limited's Integrated Management System and should be read in conjunction with the IMS Manual (MAN_01) and relevant Standard Operating Procedures.