Establish a risk profile
Risk profiles should inform design requirements.
What you need to know
- Align your risk management efforts around the impact of a risk, rather than the likelihood of it happening.
- Assess and categorise the risks for every website, existing and planned.
- Create and record a site risk profile – sites profiled as high or moderate risk require more extensive security requirements and testing procedures than low-risk sites.
Websites and services need to be proactively protected.
You should assume that any site or service you operate is regularly scanned for vulnerabilities by those looking to exploit it.
Because of this high level of threat activity on the internet, and because it is difficult to assign precise risk levels for every individual type of threat, you should align your risk management efforts around the impact of a risk, rather than its perceived likelihood.
In most cases, the likelihood of internet threats can be treated as high or very high, so impact is what separates one site from another.
Common online threats
Common threats include:
- data and information theft: data and information can be stolen, and sometimes publicised. This can range from users’ email addresses and passwords, to protected government material or users’ private information, and can lead to identity theft
- defacement: sites can be defaced, often with objectionable or political content
- take-down: a site is slowed or stopped, as in ‘denial of service’ attacks
- drive-by attacks: malware is implanted in insecure sites, which are then used to attack site visitors for the purposes of growing botnets or stealing user data such as credit card numbers from site visitors.
More information is available from the Australian Attorney General's office:
Do a risk impact assessment
You need to assess and categorise the risks according to the severity of the impact of a security or privacy breach.
Use a standard process to assess breach impact.
- The business team convenes a group of people who are knowledgeable about the site’s content and organisational risk. The group includes the business owner, web or IT adviser, the project lead (where the work is part of a web project) and the Privacy Officer (where personal information is included).
- The assessment team:
- classifies site information according to government security classifications, including endorsements
- establishes whether the site holds personal information, as defined by the Privacy Act
- establishes whether the site holds any unpublished and protected information. This may include business rules embedded in a web application, or API keys enabling access to a service, for example
- considers the likely impact of a security breach using the agency’s risk assessment framework. The aim is to establish the likely consequences of information theft, or the defacement, corruption or permanent loss of the site and its content. The impact of the breach of personal information on the individuals affected should also be considered.
Guidance from the Government Chief Digital Officer (GCDO) on the risk assessment process:
Assign a risk profile
After analysis you can create a site risk profile, taking into account what risks your agency deems acceptable.
You should assign a risk profile of high or moderate to websites that meet one or more of the following criteria, and seek further advice:
- the website stores users’ personal information beyond contact details for the purpose of notifying updates
- the website content carries unpublished protected information
- the site provides high-stakes information or services such as emergency management information or important health and safety information
- an agency chooses to elevate the risk profile for a site for other reasons (for example, high public profile, high traffic, or the possibility of attracting ‘hacktivist’ interest).
Security requirements and testing procedures should be more extensive for sites with a high or moderate risk profile.
A risk profile of ‘low’ can be assigned to sites that:
- are informational, and do not provide ‘high stakes’ information
- limit the collection and storage of user information to basic contact details, such as for the purpose of notifying updates.
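The criteria above can be applied consistently across an agency’s site inventory if they are written down as a checklist. The following is an added example, not part of this guidance: it encodes the questions the assessment team answers (classification, personal information beyond contact details, unpublished protected information, high-stakes services, agency elevation) and records the resulting profile with the reasons that triggered it. The field names, the treatment of any non-UNCLASSIFIED content as protected, and the single ‘high or moderate’ tier (the guidance does not separate the two) are assumptions made for this example.

```python
"""Added example: record a site risk profile from the assessment answers.
Not part of the original guidance; field names and tiers are assumptions."""
from dataclasses import dataclass


@dataclass
class SiteAssessment:
    name: str
    # Classification of the site's content; anything other than
    # UNCLASSIFIED is treated as protected here (assumption for this example).
    classification: str = "UNCLASSIFIED"
    # Personal information beyond basic contact details held for notifications.
    personal_info_beyond_contact: bool = False
    # Unpublished protected material: embedded business rules, API keys, etc.
    unpublished_protected_info: bool = False
    # Emergency management, health and safety or similar high-stakes content.
    high_stakes_service: bool = False
    # Free-text reason if the agency elevates the profile for other reasons
    # (high public profile, high traffic, possible hacktivist interest).
    elevation_reason: str = ""


def assign_risk_profile(site: SiteAssessment) -> dict:
    """Return the recorded profile and the criteria that triggered it.

    Likelihood is treated as high for every internet-facing site, so only the
    impact-driven criteria decide the outcome. Any single criterion is enough
    to move a site out of the 'low' tier.
    """
    reasons = []
    if site.personal_info_beyond_contact:
        reasons.append("stores personal information beyond notification contact details")
    if site.unpublished_protected_info or site.classification.upper() != "UNCLASSIFIED":
        reasons.append("carries unpublished or protected information")
    if site.high_stakes_service:
        reasons.append("provides high-stakes information or services")
    if site.elevation_reason:
        reasons.append(f"elevated by agency: {site.elevation_reason}")

    profile = "high or moderate" if reasons else "low"
    return {
        "site": site.name,
        "profile": profile,
        "reasons": reasons,
        # Both follow directly from the profile in the guidance above.
        "seek_further_advice": profile != "low",
        "extended_testing_required": profile != "low",
    }


def summarise_inventory(sites: list) -> dict:
    """Count sites per profile so the agency can see where extended testing is due."""
    counts = {"low": 0, "high or moderate": 0}
    for site in sites:
        counts[assign_risk_profile(site)["profile"]] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample inventory for illustration only.
    inventory = [
        SiteAssessment("newsletter-signup"),
        SiteAssessment("benefits-portal", personal_info_beyond_contact=True,
                       high_stakes_service=True),
        SiteAssessment("minister-speeches", elevation_reason="high public profile"),
        SiteAssessment("internal-rules-app", unpublished_protected_info=True),
    ]
    for s in inventory:
        r = assign_risk_profile(s)
        print(f"{r['site']}: {r['profile']} {r['reasons']}")
    print(summarise_inventory(inventory))
```

A site that collects only an email address for update notifications stays ‘low’; a single triggering criterion, including an agency’s own elevation decision, moves it to the tier that requires further advice and extended testing, and the recorded reasons become the rationale for that decision.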