Last Updated & Effective date: Apr 12, 2021
Risk Management is an important part of evaluating and understanding the state of information and system security. Evaluating and classifying risks allows the company to maintain a secure environment and to manage change in a cost-effective way.
The Risk Management Policy applies to all users of the company computer systems, networks, applications and information, including full-time and part-time employees, contractors, temporary staff, and other business partners and third parties. All information systems, data, business applications and networks used by the company are subject to this risk management policy.
This Risk Management Policy should be reviewed and approved by the company management.
Risk Management Policy and Procedures
The company shall conduct a review of the potential risks and vulnerabilities to the Confidentiality, Integrity and Availability of confidential data held by the company as well as the company management’s level of acceptable risk and current business posture. The reviews will be performed annually, at the minimum.
Risk Assessment & Classification
If the company’s business or regulatory environment significantly changes, the risk assessment will be re-reviewed and updates to the risk tracking made on a timely basis.
Risks will be classified as:
- High: meaning that this risk has a significant chance of disrupting the company’s business or causing serious reputational or business harm
- Medium: meaning that the risk would cause disruption or harm, but the risk is unlikely to occur, or disruption and harm to the company and the company’s customers would be contained or can be mitigated
- Low: meaning that the risk should be tracked, but it is unlikely to occur, or the impact would be minor
All identified risks must be remediated, mitigated, or accepted, based on the company management's level of acceptable risk and current strategy. Risk assessment results and risk treatment decisions at High levels will be documented and reviewed annually.
Vendors and Third-Party tools
Third-party tools, libraries, vendors, and other partners will be evaluated before use by the company teams. The level of data access and the risk posed by the third-party tool or vendor will be evaluated, along with the business need for the vendor or tool.
Risk Tracking Procedures
- The company will maintain a risk register which documents the likelihood and impact of all tracked risks. A Google Sheets Risk Register will be used unless another tracking tool, such as Trello, is selected by the company’s management.
- For each risk, compensating controls or other mitigating factors will be documented. These mitigations may not fully mitigate a potential harm, in which case any remaining risk may be covered by other compensating controls, or the residual risk may be accepted by the business.
- Risks that are accepted will be documented in the risk register.
- Accepted risks include those taken on with no compensating controls, as well as any residual risk that remains when compensating controls or other risk treatments do not fully mitigate a particular risk.