# Risk management
This page list risk management resources for HUNT Cloud. The text is intended for security and privacy officers, compliance administrators in data spaces and lab coordinators on their quest to document, assess and evaluate security and privacy risks for their scientific endeavors in HUNT Cloud.
TIP
See our FAQ on risk management for a collection of frequently asked questions on risk management.
# Roles
Oddgeir Lingaas Holmen holds the role as Chief information officer at HUNT Cloud. The role is responsible for the implementation of the Security and privacy policies, including our risk management activities.
# Clarification of responsibilities
We are responsible to provide your with information on our activities in HUNT Cloud so you can identify and evaluate security and privacy risks related to your organization and/or scientific work.
You are responsible to assess, document and evaluate this information in your own scientific context, and to inform your "risk owner" about any remaining risks (residual risks) that you identified.
Your risk owner (see below) is responsible to evaluate these remaining risks and accept the risks or to require risk reduction before your use the evaluated services.
# Residual risk
It is impossible to eliminate all risks. There will always be some kind of remaining risk left, even after layers of security and privacy controls are implemented. This remaining risk is called "residual risk".
Residual risks needs to be accepted. We call the individual that have the authority to accept such residual risks on behalf of your data and/or organization "risk owner".
# Data Protection Impact Assessment (DPIA)
The data processing in your labs may require a Data Protection Impact Assessments (DPIA) prior to the initiation of scientific activities (GDPR Article 35). See the resources to get going, and contact us for review of written text. We are happy to assist compliance administrators with this work.
# Risk assessment reports (RAR)
Your organization may request risk assessments of your activities when it comes to information security and/or privacy ("ROS-analyse" in Norwegian). We are happy to assist with information and explanations of our system and configurations. See the resources for our initial information, and contact us if you need additional clarifications.
# Risk resources
See the resources section for link to our public security and privacy resources that may support your risk assessment.
# Framework
We build our risk management on the guidelines from ISO 31000 - Risk management (opens new window) and ISO 27005 - Information security risk management (opens new window).