DRAFT

Information risk assessment checklist

This checklist aims to ensure that when a new project is initiated which involves sharing or distributing
information online, we have properly assessed and mitigated risk where possible, and that there is senior
acknowledgement and support for the level of risk we are accepting.

• Please fill in what you can – it’s OK to leave blanks, but please use these as a prompt to discuss the
issue with relevant colleagues in DIUS

• If you have taken some steps to mitigate risks, describe them here

• Think carefully about the potential impact of information being revealed, lost or defaced: could it
cause real harm to DIUS’ reputation or operation, or simply short term embarrassment?

• Importantly, please ensure this assessment is discussed with the senior sponsor for the project, so
they are aware of the proposed approach and risk mitigation in place.

Background to the project

1. Your name and contact details (phone/email):

2. In a sentence or two, what are you trying to achieve?

3. Who are the intended audiences? e.g. internal DIUS staff, limited to trusted external stakeholders,
open to wider public etc

4. How long will it run for? e.g. between specific dates, indefinitely etc

5. How will using this method of sharing information benefit the project?

About the information

6. Please briefly describe the kind of information that you will be sharing:

7. How will access to the information be controlled – who will have access to administer the tool or
website, manage users etc?

Information risk
8. What would the impact be if the information were revealed publicly? If the information is confidential
or commercially sensitive, please give details

9. What would the impact be if the information were changed without authorisation or defaced
maliciously?

10. What would the impact be if the information were not available for an extended period?
 DRAFT

Technical details
11. What technology are you planning to use? i.e. name of web-based tools etc

12. Where will the information be hosted/stored? Do you know if the tool/provider is UK-based?

13. Who will provide support/help to users?

14. Who is able to provide technical advice on the tool and maintain it in future?

15. What do you have in place to back up the information in the short term, and archive it long term for
the future if appropriate?

Senior awareness and involvement

16. Please describe how the project is owned and managed in DIUS:

a. Ministerial sponsor/owner:

b. Senior official owner:

c. Information Asset Owner: (DD-level contact responsible for this info)

d. Day to day responsibility:

e. Others involved:

17. Has the tool/service been bought according to DIUS procurement rules?

18. Have you discussed this project with the following? (n.b. it may be OK if you haven’t, but please
indicate if you have)

f. DIUS Social Media/Comms Channels teams

g. DIUS IT Unit

h. Press Office

What next?

Thanks for completing this assessment. You should discuss it with the relevant colleagues listed above as
appropriate, to ensure they are aware and comfortable with the approach you have taken. For your own
records, you should keep this assessment with your other project files.

If you have any questions about this assessment, or would like to get advice or help on this project,
please contact XXXXXXXX