Risk Assessment Policy
2025.1
Reviewed: 9/26/2024
Updated: 9/26/2024
Purpose and Scope:
- The purpose of this policy is to define the methodology for the assessment and treatment of information security risks within IMPLAN, and to define the acceptable level of risk as set by IMPLAN's leadership.
- Risk assessment and risk treatment are applied to the entire scope of IMPLAN's information security program, and to all assets which are used within IMPLAN or which could have an impact on information security within it.
- This policy applies to all employees of IMPLAN who take part in risk assessment and risk treatment.
Background:
- A key element of IMPLAN's information security program is a holistic and systematic approach to risk management. This policy defines the requirements and processes by which IMPLAN identifies and treats information security risks. The process consists of four parts: identification of IMPLAN's assets and of the threats and vulnerabilities that apply to them; assessment of the likelihood and consequence (together, the risk) of those threats and vulnerabilities being realized; identification of treatment for each unacceptable risk; and evaluation of the residual risk after treatment.
Controls and Procedures:
Risk Assessment Process
- Risk Assessment
a. The risk assessment process includes the identification of threats and vulnerabilities associated with company assets.
b. The first step in the risk assessment is to identify all assets within the scope of the information security program; in other words, all assets which may affect the confidentiality, integrity, and/or availability of information in IMPLAN. Assets may include documents in paper or electronic form, applications, databases, information technology equipment, infrastructure, and external/outsourced services and processes. For each asset, an owner must be identified.
c. The next step is to identify all threats and vulnerabilities associated with each asset. Threats and vulnerabilities must be listed in a risk assessment table. Each asset may be associated with multiple threats, and each threat may be associated with multiple vulnerabilities. A sample risk assessment table is provided as part of the Risk Assessment Report Template (reference (a)).
d. For each risk, an owner must be identified. The risk owner and the asset owner may be the same individual.
e. Once risk owners are identified, they must assess, for each risk, the consequence of the risk being realized and the likelihood of it being realized, using the consequence and likelihood criteria described below.
f. The risk level is calculated by adding the consequence score (0 to 2) and the likelihood score (0 to 2), giving a risk value from 0 to 4.
- Risk Acceptance Criteria
a. Risk values 0 through 2 are considered to be acceptable risks.
b. Risk values 3 and 4 are considered to be unacceptable risks. Unacceptable risks must be treated.
- Risk Treatment
a. Risk treatment is implemented through the Risk Treatment Table. All risks from the Risk Assessment Table must be copied to the Risk Treatment Table for disposition, along with treatment options and residual risk. A sample Risk Treatment Table is provided in reference (a).
b. As part of this risk treatment process, the CEO and/or IMPLAN leadership may determine objectives for mitigating or treating risks. All unacceptable risks must be treated. For continuous improvement purposes, leadership may also opt to treat other risks for company assets, even if their risk score is deemed to be acceptable.
c. Treatment options for risks include the following:
d. After selecting a treatment option, the risk owner should estimate the new consequence and likelihood values that will apply once the planned controls are implemented; the resulting residual risk is recorded in the Risk Treatment Table.
- Regular Reviews of Risk Assessment and Risk Treatment
a. The Risk Assessment Table and Risk Treatment Table must be updated whenever new risks are identified. At a minimum, this update and review shall be conducted once per year. It is highly recommended that both tables also be updated when significant changes occur to IMPLAN, its technology, its business objectives, or its business environment.
- Reporting
a. The results of risk assessment and risk treatment, and all subsequent reviews, shall be documented in a Risk Assessment Report.
Description of Consequence Levels and Criteria
- Low (Consequence Score: 0) - Loss of confidentiality, integrity, or availability will not affect IMPLAN's legal or contractual obligations, or reputation. No impact on Clients.
- Medium (Consequence Score: 1) - Loss of confidentiality, integrity, or availability will have low or moderate impact on IMPLAN's legal or contractual obligations, or reputation. No impact on Clients.
- High (Consequence Score: 2) - Loss of confidentiality, integrity, or availability will have an immediate and considerable impact on IMPLAN's legal or contractual obligations, or reputation, or any impact on Clients.
Description of Likelihood Levels and Criteria
- Low (Likelihood Score: 0) - Either existing security controls are strong and have so far provided an adequate level of protection, or the probability of the risk being realized is extremely low. No new incidents are expected in the future.
- Medium (Likelihood Score: 1) - Either existing security controls are in place but provide only partial protection, or the probability of the risk being realized is moderate. Some minor incidents may have occurred. New incidents are possible, but not highly likely.
- High (Likelihood Score: 2) - Either existing security controls are not in place or are ineffective, or there is a high probability of the risk being realized. Incidents have a high likelihood of occurring in the future.