Risk Assessment and Management Policy | Havoc Shield

Risk Assessment and Management Policy

{Company name as you’d like it to appear in your policy:6} Risk Assessment and Management Policy

Last Updated: {date_today:9}

Created By: {user_displayname:10}

What is this Policy?

In order for {Company name as you’d like it to appear in your policy:6} to adequately protect the data we use, it is essential to identify the risks our data faces and ensure we’ve prepared adequate safeguards against such risks.

Key Takeaways

  • {Company name as you’d like it to appear in your policy:6} must identify its risk tolerance and conduct a risk assessment at least once a year.
  • The risk assessment should identify risks which could impact our assets or business processes.
  • All identified risks must be categorized and assigned a Risk Score.
  • Risks must be mitigated to an acceptable level before they are accepted.

Overview, Purpose, and Scope

In order for {Company name as you’d like it to appear in your policy:6} to adequately protect the data we use, it is essential to identify the risks our data faces and ensure we’ve prepared adequate safeguards against such risks.

This risk assessment and risk management policy applies to all {Company name as you’d like it to appear in your policy:6} assets and operations. The scope of risk assessment activities must include all systems where {Company name as you’d like it to appear in your policy:6} data is stored, processed, and transmitted, while risk management activities should encompass all of {Company name as you’d like it to appear in your policy:6}’s operations to ensure our data remains secure.

Roles & Responsibilities

Senior management at {Company name as you’d like it to appear in your policy:6} is responsible for ensuring adequate risk assessments are conducted. The results from these assessments are a key input to management decisions on how to manage risk, which must follow one of the approved options stated in this policy.

{Company name as you’d like it to appear in your policy:6} management reviews and approves this policy, but if you identify an issue you should bring it to the attention of your manager.

Requirements

Risk Management Process

Risk Assessment and Management at {Company name as you’d like it to appear in your policy:6} is an iterative process, designed to help the business adapt to changing needs, counter evolving threats, and continuously improve. This process is adapted from NIST Special Publication 800-30, Guide for Conducting Risk Assessments, which may be used as supplemental guidance for implementing the requirements of this policy.

  • Frame: {Company name as you’d like it to appear in your policy:6} must establish a risk tolerance based on company goals and operating environment. This provides guidance on how much risk is acceptable, and should be expressed subjectively in terms of tolerance, such as high-, medium-, or low-tolerance.
    • The Risk Tolerance is an indicator of how much risk {Company name as you’d like it to appear in your policy:6} is willing to accept. It will be informed by relevant industry regulations and company culture; for example, financial services firms may be heavily regulated and therefore less tolerant of risk than technology startups.
    • Illustrated examples of Risk Tolerance:
      • High: a company willing to accept a great deal of risk. Highly prone to attacks, breaches, and system outages due to lack of controls in place to mitigate risks.
      • Medium: a company with some aversion to risk, which seeks to implement mitigating controls. Will tolerate some risks due to the cost of mitigating them, e.g. uses tape backup rather than live database replication because the cost of an outage is less than the cost of high availability.
      • Low: a company that is totally risk-averse, which requires all risks to be substantially mitigated. This may be driven by regulation, such as with healthcare or financial data, where the ramifications of a data breach are significant.
  • Assess: With {Company name as you’d like it to appear in your policy:6}’s risk tolerance in mind, an assessment of relevant business operations and assets must be conducted. This should include an analysis of threats, vulnerabilities, likelihood, and impact in the event a risk is realized.
  • Respond: The assessment step should create a prioritized list of risks based on their likelihood and impact. {Company name as you’d like it to appear in your policy:6} must identify adequate measures to reduce the risks, per the acceptable risk treatment options below.
  • Monitor: Risk assessment and management should be an ongoing process. Once responses have been implemented, they should be monitored to ensure they continue to provide adequate risk treatment. {Company name as you’d like it to appear in your policy:6} must review the decisions and assumptions used in the Frame step, and update the company’s risk tolerance as needed when circumstances change.

Risk Assessment Process

Risk assessments must be conducted at least annually. Senior Management will designate a risk assessment coordinator who will lead the process, document the results, and report findings and action plans to senior management.

The following steps should be used to conduct the risk assessment:

  • Start by identifying key assets including data and the systems which store, process, or transmit it, as well as {Company name as you’d like it to appear in your policy:6}’s critical business processes. The asset inventory should include hardware, software, and facilities, whether they are {Company name as you’d like it to appear in your policy:6}-owned or externally operated (such as cloud services, hosted data centers, etc.).
  • Identify risks by listing potential threat sources, threat events, and vulnerabilities which could impact the identified assets and processes (for reference, see NIST SP 800-30, Appendices D and E).
    • The impact of a risk should take into account the classification of data processed or stored by a system (e.g. a software vulnerability impacting a Public system will have a lower impact than one impacting a Restricted system). See the Data Security Policy for details.
  • Categorize all identified risks for the likelihood that they will happen and impacts to confidentiality, integrity, and availability of systems and data.
    • The categorization may be qualitative (high, moderate, low) or quantitative (a measurable element such as time, monetary cost, lost capacity, etc.).
  • These categories should be used to calculate a risk score: Score = Likelihood x Impact
  • Identify the effectiveness of any controls currently in place which reduce the likelihood or impact of identified risks. Risk scores should be adjusted accordingly based on these controls.
  • Produce a Risk Assessment Report (RAR), detailing all assets and business processes assessed, risks identified, and the corresponding risk scores. The RAR should also contain recommendations for risk treatment.

Action Plans

Identified risks which are above {Company name as you’d like it to appear in your policy:6}’s risk tolerance must be treated before acceptance. Risks which are below the defined tolerance may also be treated. All risk treatment must have a documented action plan identifying ownership of the risk, ownership of the remediation process, timeframe for treatment, and defined milestones.

Residual Risk

{Company name as you’d like it to appear in your policy:6} recognizes that risk can never be totally removed; it is therefore imperative that residual risk be calculated. Residual Risk is the amount of risk remaining after controls/safeguards have been put in place, and is calculated by identifying the effect of such controls or safeguards.

For example, suppose the likelihood of data theft is High and its impact is also High; the overall risk score is High. By using proper encryption, the impact of data theft is reduced to Low, which gives a residual risk score of Moderate.

All risks in the RAR should be reported with the initial risk score, current controls/safeguards, any future planned controls/safeguards, and a residual risk score. The following table may be used as guidance.

Asset             | Risk  | Likelihood | Impact | Risk Score | Current Controls / Safeguards | Planned Controls / Safeguards | Residual Risk Score
Customer Database | Theft | High       | High   | High       | Encryption                    | Multi Factor Auth.            | Low
Data Center       | Fire  | Moderate   | High   | High       | Fire detection system         | Fire suppression system       | Moderate
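As an added example (not part of this policy template), the following Python helper applies the scoring method described above: Risk Score = Likelihood x Impact on the qualitative scale, a residual score once controls are applied, and a triage of the register against the stated risk tolerance. The numeric banding of the product and the modelling of each control as a ceiling on likelihood or impact are assumptions made here; the sample register is constructed from the table above.

```python
"""Risk scoring helper for this policy's Likelihood x Impact method:
initial score, residual score after controls, and triage against tolerance."""

# Ordinal values for the qualitative scale used in this policy.
LEVEL = {"Low": 1, "Moderate": 2, "High": 3}
NAME = {v: k for k, v in LEVEL.items()}

def band(product: int) -> str:
    """Map a Likelihood x Impact product back to a qualitative score. The banding
    is an assumption chosen to reproduce the policy's examples (High x Low = Moderate)."""
    if product <= 2:
        return "Low"
    return "Moderate" if product <= 4 else "High"

def risk_score(likelihood: str, impact: str) -> str:
    """Score = Likelihood x Impact, expressed qualitatively."""
    return band(LEVEL[likelihood] * LEVEL[impact])

def residual_risk(likelihood: str, impact: str, controls) -> tuple:
    """Residual score after controls, each a (dimension, ceiling) pair that caps
    'likelihood' or 'impact'. Returns (likelihood, impact, score) after controls."""
    lk, im = LEVEL[likelihood], LEVEL[impact]
    for dimension, ceiling in controls:
        if dimension == "likelihood":
            lk = min(lk, LEVEL[ceiling])
        else:
            im = min(im, LEVEL[ceiling])
    return NAME[lk], NAME[im], band(lk * im)

def needs_treatment(register: list, tolerance: str) -> list:
    """Rows whose residual score is above the stated tolerance, highest residual
    first, i.e. the order in which they should be treated."""
    rows = []
    for asset, risk, lk, im, controls in register:
        residual = residual_risk(lk, im, controls)[2]
        if LEVEL[residual] > LEVEL[tolerance]:
            rows.append((asset, risk, risk_score(lk, im), residual))
    return sorted(rows, key=lambda row: LEVEL[row[3]], reverse=True)

# Constructed sample register mirroring the policy's example table,
# with current and planned controls combined.
REGISTER = [
    ("Customer Database", "Theft", "High", "High",
     [("impact", "Low"), ("likelihood", "Low")]),  # encryption, MFA
    ("Data Center", "Fire", "Moderate", "High",
     [("impact", "Moderate")]),                    # detection + suppression
]
```

With a Low tolerance, only the Data Center fire risk (residual Moderate) is returned for treatment; with a Moderate tolerance the register is clean.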

Annual Reassessment

Re-evaluation of prior year results should not be the sole focus of ongoing risk assessments. Prior assumptions should be re-evaluated, and the adequacy of currently implemented controls should be verified. In addition, the adequacy of detection methods should be reviewed to identify how {Company name as you’d like it to appear in your policy:6} is alerted to and responds to control failures.

The main focus of annual reassessments should be on identifying any changes to {Company name as you’d like it to appear in your policy:6}’s business processes, assets, or threat environment (such as new vulnerabilities, regulatory concerns, etc.), and properly assessing risks arising from those changes.

Prioritization and Treatment

Once risks have been identified and categorized, they must be prioritized for treatment. Higher risks should be dealt with first. All risks must be treated to bring the residual risk below {Company name as you’d like it to appear in your policy:6}’s risk tolerance.

Risk Treatment Options

{Company name as you’d like it to appear in your policy:6}’s acceptable treatment options are detailed below. This is a hierarchical list, and all risks should be treated using one or more of these options, in the order listed.

  • Avoid: {Company name as you’d like it to appear in your policy:6} does not engage in the practice which causes the risk, e.g. do not store sensitive data that poses a risk of theft. This may not be possible, so it is not unusual for this option to be unused.
  • Reduce/Mitigate: Put controls and safeguards in place to mitigate risks. Examples include encryption of data, security systems (anti-malware, Intrusion Detection/Prevention Systems), physical security mechanisms (doors, locks), and processes to detect and correct issues (audits). This will be the most frequently used option, and should be utilized to reduce risk to an acceptable level. Note: Control/safeguard selection should always balance the costs against the benefits, e.g. a risk that is $100,000 should not be mitigated by a tool that costs $500,000.
  • Transfer: {Company name as you’d like it to appear in your policy:6} shifts the risk to another party, typically by purchasing insurance against a risk being realized. Examples include physical facility insurance (fire), as well as Cyber risk (data breach, loss of availability). It is not unusual for insurance to be utilized in combination with reduction and mitigation. Note: outsourcing a process does not transfer risk away from {Company name as you’d like it to appear in your policy:6}. It is still our data, and our commitment to protect it remains the same.
  • Accept: Ultimately, all risks must be accepted by {Company name as you’d like it to appear in your policy:6}. Risks which are below the risk tolerance may be accepted with no treatment, while risks above the tolerance must be adequately mitigated or transferred before they can be accepted. Senior management’s review and approval of the RAR constitutes acceptance of all risks identified in the report, as well as the identified action plans for any risks which require treatment.

Ongoing monitoring

Even though annual reassessments occur, {Company name as you’d like it to appear in your policy:6} remains vigilant for both new risks and changes to the existing risk environment. Ongoing monitoring efforts should include routine activities such as vulnerability scans and penetration tests, as well as monitoring appropriate external channels such as vendor publications, Information Sharing and Analysis Centers (ISACs), and threat intelligence. Risks identified outside of the Risk Assessment process should be dealt with in the same manner, i.e. they should have a risk score and action plans identified.

Senior management may also choose to designate certain accepted risks for additional ongoing monitoring as needed. As an example, Distributed Denial of Service (DDoS) attacks have risen in both frequency and magnitude; existing controls/safeguards which mitigate DDoS attacks may be designated for additional oversight to ensure they continue to be adequate to the current risk presented by DDoS attacks.

Enforcement

Any exceptions to this policy must be approved by senior management in writing.

Any user found to have violated this policy will be subject to disciplinary actions, up to and including termination of employment.
