HMRC internal manual

Shared Workspace Business Manual

Risk Assessing: Information Security Risk Assessment


Having completed the Business Implementation Risk Assessment SW03420 and decided to use Shared Workspace, you must also risk assess the information security and take steps to reduce any risks identified.

Introducing Shared Workspace to an HMRC Business Unit or Customer Organisation will change the way that business is conducted. This will reduce existing risks and introduce new risks to the continuity of business and the security of the information in the Room.

What risks may be identified?

  • The members of the Room may be unaware of the policies within the Shared Workspace Business Manual,
  • The members of the Room may be unaware of the training that is available,
  • The Room purpose isn’t clearly understood,
  • The design of the Room is unclear, or
  • Other risks specific to the HMRC Business Unit or Customer Organisation.

Any, or a combination, of these risks could lead to:

  • incorrect or inappropriate information being uploaded to the Room, or
  • information being uploaded to the wrong part of a Room and shared inappropriately.

HMRC Business Units

It is mandatory that the HMRC Business Authorising Officers (BAOs) responsible for the Room carry out a complete Risk Assessment of the Room and its use before implementation. Following the Risk Assessment, the BAOs will need to introduce measures to reduce the level of any risks identified.

The BAOs must also carry out further Risk Assessments at regular intervals, and following a significant change in the design of the Room.

Once a risk has been identified, the business needs to consider how the risk can be eliminated or reduced. This may involve publicising the Room purpose and policies among the Room membership or the development of a bespoke training package covering the use of the Room.

Customer Organisations

It is for the Customer Organisation to decide how best to minimise the risk to their business.