Purpose and Scope

The purpose of this policy is to define the methodology for the assessment and treatment of information security risks within the organization, and to define the acceptable level of risk as set by the organization’s leadership.

Risk assessment and risk treatment are applied to the entire scope of the organization’s information security program, and to all assets which are used within the organization or which could have an impact on information security within it. This policy applies to all employees of the organization who take part in risk assessment and risk treatment.

Background

A key element of the organization’s information security program is a holistic and systematic approach to risk management. This policy defines the requirements and processes for the organization to identify information security risks. The process consists of four parts:

  1. Identification of the organization’s assets, as well as the threats and vulnerabilities that apply.

  2. Assessment of the likelihood and consequence (risk) of the threats and vulnerabilities being realized.

  3. Identification of treatment for each unacceptable risk.

  4. Evaluation of the residual risk after treatment.

Policy

Risk Assessment

  • The risk assessment process includes the identification of threats and vulnerabilities having to do with company assets.

  • The first step in the risk assessment is to identify all assets within the scope of the information security program; in other words, all assets which may affect the confidentiality, integrity, and/or availability of information in the organization.

    • Assets may include documents in paper or electronic form, applications, databases, information technology equipment, infrastructure, and external/outsourced services and processes. For each asset, an owner must be identified.

  • The next step is to identify all threats and vulnerabilities associated with each asset. Threats and vulnerabilities must be listed in a risk assessment table. Each asset may be associated with multiple threats, and each threat may be associated with multiple vulnerabilities. For each risk, an owner must be identified.

  • Once risk owners are identified, they must assess:

    • Consequences for each combination of threats and vulnerabilities for an individual asset if such a risk materializes.

    • Likelihood of occurrence of such a risk (i.e. the probability that a threat will exploit the vulnerability of the respective asset).

    • Criteria for determining consequence and likelihood.

    • The risk level is calculated by adding the consequence score and the likelihood score.

Table of Consequence and Likelihood Levels and Criteria

Consequence/Likelihood
Level

Score

Consequence Description

Likelihood Description

Low

0

Loss of confidentiality, integrity, or availability
will not affect the organization’s cash flow,
legal, or contractual obligations, or reputation.

Either existing security controls are strong
and have so far provided an adequate level of
protection, or the probability of the risk being
realized is extremely low. No new incidents
are expected in the future.

Moderate

1

Loss of confidentiality, integrity, or availability
may incur financial cost and has low or
moderate impact on the organization’s legal or
contractual obligations and/or reputation.

Either existing security controls have most
provided an adequate level of protection or
the probability of the risk being realized is
moderate. Some minor incidents may have
occured. New incidents are possible, but not
highly likely.

High

2

Loss of confidentiality, integrity, or availability
will have immediate and or/considerable
impact on the organization’s cash flow,
operations, legal and contractual
obligations,and/ or reputation.

Either existing security controls are not in
place or ineffective; there is a high probability
of the risk being realized. Incidents have a
high likelihood of occuring in the future.

Risk Acceptance Criteria

  • Risk values 0 through 2 are considered to be acceptable risks.

  • Risk values 3 and 4 are considered to be unacceptable risks.

    • Unacceptable risks must be treated accordingly.

  • Risk Treatment

    • Treatment options for risks include the following options:

      • Selection or development of security control(s).

      • Transferring the risks to a third party; for example, by purchasing an insurance policy or signing a contract with suppliers or partners.

      • Avoiding the risk by discontinuing the business activity that causes such risk.

      • Accepting the risk; this option is permitted only if the selection of other risk treatment options would cost more than the potential impact of the risk being realized.

    • After selecting a treatment option, the risk owner should estimate the new consequence and likelihood values after the planned controls are implemented.

Regular Reviews of Risk Assessment and Risk Treatment

  • It is highly recommended that the Risk Assessment and Risk Treatment Table be updated when significant changes occur to the organization, technology, business objectives, or business environment.

Reporting

  • The results of risk assessment and risk treatment, and all subsequent reviews, shall be documented in a year-end annual review.

Standard Controls Satisfied

TSC CC9.1


Did this answer your question?