Policy Template for Risk Assessment
1.0 Purpose
Information security risk management is the process of identifying, evaluating, and treating risks to the organization’s valuable information. It addresses uncertainties around those assets so that the desired business outcomes are achieved. This policy therefore establishes the requirements for information security risk management, including periodic Risk Assessments (RAs) that determine areas of vulnerability in corporate operations, products and services and initiate appropriate remediation.
2.0 Scope
This policy applies to all operations, products, services, information assets and information systems that are owned and operated by {{organization.name}}, including (but not limited to) applications, databases, servers and networks, and to any process or procedure by which these systems are administered and/or maintained. RAs may be conducted on any entity within {{organization.name}} or on any outside entity that has signed a Third-Party Agreement with {{organization.name}}.
3.0 Policy
{{organization.name}} shall establish a risk management framework aligned with business objectives. The framework shall define how risks are identified, who is assigned risk ownership, how each risk affects the confidentiality, integrity and availability of information, and how identified risks are treated. A formal risk assessment methodology shall be approved by management.
The risk management framework shall include guidelines for identifying protective measures and estimating their cost, so that vulnerabilities can be eliminated or reduced until the remaining risk is at an acceptable level.
All operations, products, services, information assets and information systems that are owned and operated by {{organization.name}} must be assessed for risks arising from threats to the confidentiality, integrity and availability of {{organization.name}}’s data.
The risk assessment shall be conducted and reviewed periodically. In addition, an assessment shall be performed under each of the following circumstances:
purchase, acquisition or procurement of a system or service
as part of the system development, modification or upgrade process
when changes are to be made to the infrastructure (e.g. remodel, additions, installations, etc.)
when the regulatory, economic or physical environment changes, or when vendor and business partner relationships change
Assignment of responsibilities for risk assessment shall include the appropriate participation of executive, technical, and other management staff, as necessary.
Risks identified by a risk assessment shall be assigned a risk owner (a person or entity with the accountability and authority to manage the risk), and identified risks must be mitigated or formally accepted before the system is placed into operation. Residual risks shall only be accepted with management approval.
{{organization.name}}’s management shall review the status of risk management activities and mitigation plans on a periodic basis.
4.0 Risk Management Activities
The Risk Management program shall, at a minimum, include the following four types of activities:
Identification of Risks: A continuous effort to identify which risks are likely to affect security functions and business continuity of {{organization.name}} and documenting their characteristics.
Analysis of Risks: An estimation of the probability, impact, and timeframe of the risks, classification into sets of related risks, and prioritization of risks relative to each other.
Mitigation Planning: Decisions and actions that will reduce the impact of risks as well as limit the probability of their occurrence or improve the response to a risk occurrence.
Tracking and Controlling Risks: Collection and reporting of status information about risks and their mitigation plans, response to changes in risks over time, and management oversight of corrective measures taken in accordance with the mitigation plan.
5.0 Responsibilities
System owners and department managers and supervisors are responsible for conducting risk assessments and for prioritizing, implementing, and maintaining the risk-reducing measures identified through the risk assessment process.
Risk owners are the individuals who are ultimately accountable for ensuring the risk is managed appropriately. There may be multiple personnel who have direct responsibility for or oversight of activities to manage each identified risk, and who collaborate with the accountable risk owner in his/her risk management efforts.
Executive Management is responsible for sponsoring and supporting the risk management plan and processes, for participating in risk management meetings, and for reviewing and approving risk assessments and risk mitigation plans.
Responsibilities for the continued development, implementation, and maintenance of the risk management program shall also be assigned internally.