Risk framework


Two important aspects of risk management are risk analysis and risk appetite. Once both have been measured, a consistent approach to managing risk can be taken.


Risk appetite

Risk appetite may be influenced by a number of factors. For example:

  • the degree to which an organisation believes it may be subject to challenge, perhaps as a result of public fears over the ways in which personal data is processed (see Risk classes)
  • the degree to which an organisation wishes to 'play safe' in its use of public cloud facilities, or alternatively is comfortable in operating at the 'cutting edge'
  • the available budget: a constrained budget will, other factors being equal, drive additional use of elastic public cloud facilities
  • the degree of risk associated with an organisation’s existing infrastructure services

Risk analysis and management

This section describes a risk analysis tool based on the three dimensions described in Part 4: Dimensions that affect risk. Its purpose is to support a consistent approach to assessing the risk of using public cloud facilities.

This is not intended to be an overly prescriptive model; rather it is to inform an organisation’s assessment and promote consistency within an individual organisation and across organisations.

It is assumed that the controls in place at any selected public cloud facility satisfy the NCSC Cloud Security Principles, and that such use is therefore 'well-executed' as described in recent guidance from GDS.

When assessing a processing scenario that involves more than one data type, base the assessment on the most sensitive one.


The Risk Framework tool is available separately. An initial impact score is assigned to each data type. That score is then scaled separately by the scaling factors assigned to each measure of scale and persistence, resulting in a 'Risk Impact Score' value.

The tool maps the generated Risk Impact Score to one of five 'Risk Profile Levels'. This provides an overall view that reflects the 'degree of risk or contentiousness' of the described use of public cloud.

In general, all potential uses – and risks – should be weighed against the benefits of public cloud facilities (for example cost, time-to-launch and flexibility). The Risk Appetite Level may also be subsequently affected by a privacy-enhancing technique, or by additional controls, added to a processing environment (at the infrastructure layer, the application layer, or both).

Following those steps, the table below gives an overview of what the resulting level means in terms of governance. It reflects the fact that, at present, there is relatively little high-profile use of public cloud across health and care; we expect to revise these expectations over time as experience grows.

Risk profile level and governance expectation:

  • Class I: All organisations are expected to be comfortable operating services at this level.
  • Class II: Whilst there may be some concerns over public perception and lock-in, most organisations are expected to be comfortable operating services at this level.
  • Class III: At this level, risks associated with the impact of a breach become more significant. The use of services at this level therefore requires specific risk management across all risk classes described in Part 3: Risk classes, with approval at Chief Information Officer/Caldicott Guardian level.
  • Class IV: At this level, it is likely to become more difficult to justify that the benefits of using public cloud outweigh the risks. The case may still be made, requiring approval by the CIO/Caldicott Guardian, and must be made visible to the organisation’s Board. Specific advice and guidance may be provided by NHS Digital on request.
  • Class V: Operating services at this level would require board-level organisational commitment, following specific advice and guidance from NHS Digital.

In addition, the Risk Profile Level determines the level of controls that the public cloud provider is required to implement. These controls are described separately.


Last edited: 14 October 2021 11:17 am