The organization periodically carries out two risk assessment processes: a general risk assessment and an assessment of the risk to the rights and freedoms of individuals (DPIA). Both use a common methodology based on:
ISO 31000 (risk classification, risk analysis, risk assessment, risk plan),
ISO 27005 (catalogue of assets and threats to organisations),
CRAMM (CCTA Risk Analysis and Management Method).
The risk classification stage determines:
the data processing activities,
the assets involved (ISO 27005),
the threats to those assets (ISO 27005),
the application of the CRAMM method (including the level of probability of the risk, the level of its effect, and the resulting level of the risk itself).
The risk analysis phase is based on the risk matrix, where the risk level is calculated on the basis of:
the organisation's internal controls,
audits (in accordance with Article 28 GDPR) of processors,
external risk expertise in IT systems.
The risk assessment phase comprises the administrator's decisions on risks above the low level (i.e. medium and high risks).
The risk plan step shall specify:
the current level of risk,
the method of reducing it,
the time,
risk reduction scans,
the owner of the residual risk.
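As a worked illustration of the four stages described above (classification, matrix-based analysis, evaluation of risks above the low level, and the risk plan), the following Python is an added example and not the organization's own tooling or register. The three-point scales for probability and effect, the product rule for combining them, the matrix thresholds, and the sample register and treatments are all assumptions made for the example; the page only states that the CRAMM method yields a probability level, an effect level and a resulting risk level.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed ordinal scale (not specified on the page): 1 = low, 2 = medium, 3 = high.
LEVELS = {1: "low", 2: "medium", 3: "high"}


@dataclass
class Risk:
    """One row of the risk register: classification stage."""
    processing: str   # data processing activity
    asset: str        # ISO 27005-style asset
    threat: str       # ISO 27005-style threat
    probability: int  # 1..3 (assumed scale)
    effect: int       # 1..3 (assumed scale)

    def score(self) -> int:
        """Combine probability and effect. The product rule is an assumption."""
        for v in (self.probability, self.effect):
            if v not in LEVELS:
                raise ValueError(f"level must be 1..3, got {v}")
        return self.probability * self.effect

    def level(self) -> str:
        """Map the score onto a three-level risk matrix (assumed thresholds)."""
        s = self.score()
        if s <= 2:
            return "low"
        if s <= 4:
            return "medium"
        return "high"


def needs_decision(risk: Risk) -> bool:
    """Evaluation stage: only risks above 'low' (medium, high) go to the administrator."""
    return risk.level() != "low"


@dataclass
class PlanEntry:
    """Risk plan row: current level, reduction method, time, owner of residual risk."""
    risk: Risk
    current_level: str
    reduction_method: str
    time: str
    residual_owner: str
    residual_probability: int
    residual_effect: int

    def residual_level(self) -> str:
        """Re-score the risk with the post-treatment probability and effect."""
        return Risk(self.risk.processing, self.risk.asset, self.risk.threat,
                    self.residual_probability, self.residual_effect).level()


# treatments: asset -> (method, time, residual owner, residual probability, residual effect)
Treatment = Tuple[str, str, str, int, int]


def build_plan(risks: List[Risk], treatments: Dict[str, Treatment]) -> List[PlanEntry]:
    """Risk plan stage: one entry per risk that required a decision."""
    plan = []
    for r in risks:
        if not needs_decision(r):
            continue
        if r.asset not in treatments:
            raise KeyError(f"no treatment decided for asset '{r.asset}' at level {r.level()}")
        method, time, owner, rp, re_ = treatments[r.asset]
        plan.append(PlanEntry(r, r.level(), method, time, owner, rp, re_))
    return plan


# Constructed sample register and treatment decisions (not real data).
SAMPLE_REGISTER = [
    Risk("HR payroll", "employee database", "unauthorised access", 2, 3),
    Risk("web contact form", "web server", "denial of service", 3, 1),
    Risk("backup rotation", "snapshot copies", "media failure", 1, 1),
    Risk("e-mail", "mail gateway", "data leak via e-mail", 3, 3),
]
SAMPLE_TREATMENTS: Dict[str, Treatment] = {
    "employee database": ("enforce MFA and DLP on exports", "within 90 days", "IT security lead", 1, 3),
    "web server": ("rate limiting and UTM alerting", "within 30 days", "network admin", 2, 1),
    "mail gateway": ("enable DLP policy on outbound mail", "within 60 days", "IT security lead", 1, 3),
}


if __name__ == "__main__":
    for entry in build_plan(SAMPLE_REGISTER, SAMPLE_TREATMENTS):
        print(f"{entry.risk.asset:18} {entry.current_level:6} -> {entry.residual_level():6} "
              f"| {entry.reduction_method} | {entry.time} | owner: {entry.residual_owner}")
```

The low-level risk (snapshot copies) is recorded in the register but never reaches the plan, which is the behaviour the evaluation phase describes; the two high risks stay at medium after treatment because the effect level is unchanged, which is why the plan names an owner for the residual risk rather than assuming it disappears.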
To detect unauthorized IT activity, the organization uses UTM (Unified Threat Management) devices that alert the administrator to suspicious activity. Preventive measures securing the organization's data include: a 24/7 antivirus scanner, DLP (Data Leak/Leakage/Loss Protection/Prevention), port and IP blocking, snapshot copies, etc.
In conclusion, risk estimation is based on international standards, such as the ISO standards, and on national guidelines, with a particular focus on the loss of the rights and freedoms of individuals.