Page 52 - DCAP309_INFORMATION_SECURITY_AND_PRIVACY

Information Security and Privacy

To the extent possible, discussion should be provided of the nature, difficulty, feasibility, cost and time associated with undertaking research to resolve the key scientific limitations and uncertainties.

8. Risk Assessment should be multidisciplinary and therefore transparent and understood by all involved and/or interested parties through their inclusion and involvement in the process.

This implies the need for reflection, at the start of the risk assessment, on who should be involved in the risk assessment process. Risk assessment is usually not a one-man show; different parties are involved.

Example: The executive party (the team which actually performs the risk assessment), the manager or organization taking decisions based on the risk assessment, and the parties influenced by these decisions.

Good communication between these parties is vital for the risk assessment process.

Furthermore, risk assessment consists of different assignments for which different kinds of expertise are necessary. Therefore, risk assessment needs multidisciplinary involvement and a multidisciplinary view of the process.

9. Appropriate procedures for peer review and public participation should be used in the process of preparing the risk assessment.

These procedures will contribute to scientific objectivity, transparency and acceptance of the conclusions.

Peer review may include: issuing a draft risk assessment report; considering comments received on this draft; issuing a “response-to-comment” document that summarizes the significant comments received and the risk assessor’s responses to those comments; and providing a rationale for why the risk assessor has not adopted the position suggested by a commenter.

Involvement of interested parties also ensures that their views are properly represented and taken into account. It is particularly important that any risk criteria used adequately reflect the perceptions and views of the relevant interested parties, because risk evaluation must determine what level of risk is tolerable to them and where and when further treatment is required. Of course, during risk identification the involvement of a representative group with a large and diverse experience base always ensures the most comprehensive analysis. Finally, those held accountable for the monitoring of control measures benefit greatly from involvement in the risk assessment that led to those controls.

10. Risk Assessment should be dynamic, iterative and responsive to change.

Risks change with time. New risks emerge and others decline. As events occur and control activities take place, knowledge changes and increases. It is therefore important that risk assessment is not a ‘one pass’ process and that there is a ‘monitor and review’ element to ensure that risk assessment and controls reflect the current situation.

Involvement of interested parties and, in particular, decision makers in the risk assessment process is essential to ensure it remains relevant and up to date.

As relevant and scientifically plausible information becomes available, the risk assessor shall, considering the resources available, consider: revising the risk assessment to





46 LOVELY PROFESSIONAL UNIVERSITY