# Risk management

This page lists risk management resources for HUNT Cloud. The text is intended for security and privacy officers, compliance coordinators in data spaces and lab coordinators on their quest to document, assess and evaluate security and privacy risks for their scientific endeavors in HUNT Cloud.

TIP

See our FAQ on risk management for a collection of frequently asked questions on risk management in your data space.

# Responsibilities

We are responsible for providing you with information on our activities in HUNT Cloud so you can identify and evaluate security and privacy risks related to your organization and/or scientific work.

You are responsible for assessing, documenting and evaluating this information in your own scientific context, and for informing your "risk owner" about any remaining risks (residual risks) that you identified.

Your risk owner is responsible for evaluating these remaining risks and either accepting them or requiring risk reduction before you use the evaluated services.

# Residual risk

It is impossible to eliminate all risks. Some remaining risk will therefore always be left, even after layered security and privacy controls are implemented. This remaining risk is called "residual risk".

Residual risks need to be reduced or accepted. We call the individual who has the authority to accept such residual risks on behalf of your data and/or organization the "risk owner".

# Risk resources

See the resources section for links to our public security and privacy resources that may support your risk assessment.

# Data Protection Impact Assessment (DPIA)

The data processing in your labs may require a Data Protection Impact Assessment (DPIA) prior to the initiation of scientific activities (GDPR Article 35). See the resources to get going, and contact us for review of written text. We are happy to assist compliance coordinators with this work.

# Risk assessment reports (RAR)

Your organization may request risk assessments of your activities when it comes to information security and/or privacy ("ROS-analyse" in Norwegian). We are happy to assist with information and explanations of our system and configurations. See the resources for our initial information, and contact us if you need additional clarifications.

# Audits

We encourage our data controllers to verify that our environments are implemented and operated as we state in our policies. Both on-screen and physical audits can be arranged.

We are audited yearly by an independent auditor for each of our ISO certificates. The certificates from these audits are available on our certificates page.

Join an internal audit session

Data controllers are welcome to participate in our regular internal audit sessions for educational purposes. Read more.

# Framework

We build our risk management on the guidelines from ISO 31000 - Risk management and ISO 27005 - Information security risk management.