Index
Introduction
Asset and Risk Identification
Asset Owners
Risk Assessment
Measurement of Risk
Impact Assessment
Likelihood Assessment
Risk Analysis
Risk Management Scale
Risk Treatment
Risk Treatment Plan
Ongoing Risk Management
Introduction
In addition to the risk management policy, which forms part of the internal control and corporate governance arrangements, COR Worldwide Inc company shall conduct ongoing assessments of threats and risks related to information assets, to determine the necessity of safeguards, countermeasures and controls.
The COR Worldwide Inc company shall continuously monitor for any change in the threat environment and make any adjustment necessary to maintain an acceptable level of risk.
The risk management process includes:
- Identifying key information assets and subjecting them to IT-specific risk assessments
- Identifying the level of compliance with industry best practice for risk management and information security
- Assessing exposure to a list of common threats and vulnerabilities
- Maintaining risk registers, which include information security and operational risks
- Implementing technical, policy, Business Continuity and Management initiatives to reduce or eliminate identified risks.
- Regular reviews of the performance and effectiveness of implemented controls
- Reporting significant risks to the COR Worldwide Inc company C-Level
The basic approach that has been adopted for assessing the risks is based on the following key activities:
- Asset and Risk Identification
- Business Impact Assessment
- Risk Assessment
- Identifying the threats and vulnerabilities related to these assets
- Calculating the resulting risk exposure and impact
- Agreeing controls, activities and processes to treat risks
- Implementing risk treatment initiatives and controls
Asset and Risk Identification
Information assets and risks to operations will be identified with key business managers and process owners within COR Worldwide Inc company (“the organization”). The Head of IT or his/her team documents the assets within an information asset list or risk register. Where possible / appropriate, information assets are grouped together to simplify the management of risk and compliance.
The asset list shall contain as a minimum:
- A name and description of the asset / risk
- The physical and/or logical location of the asset. This may include an application or system
- The type of asset / risk
- The employee / interviewee that described the asset
- The Owner of the asset / asset group
Asset Owners
Owners of the assets / asset groups are identified and documented in the asset/risk register. The owner is defined as an individual with overall responsibility for ensuring appropriate security and control is applied to the assets.
The term ‘owner’ identifies an individual or entity that has approved management responsibility for controlling the production, development, maintenance, use and security of the assets. The term ‘owner’ does not mean that the person actually has any property rights to the asset.
Risk Assessment
The current state of the organization is assessed against each risk / threat, based on information from the interviews and assessment, specific risk assessment meetings, and information obtained in the risk assessment process.
The Risk Assessment calculates the overall risk value to the asset / asset group and details a risk rating to help the organization identify high risks and exposures. Management must then decide on the appropriate action: to mitigate the risk, or to accept, transfer or avoid it.
Measurement of Risk
COR Worldwide Inc company uses a straightforward combination of impact and likelihood to judge the overall level of risk.
To enable the organization to prioritise the mitigations to threats to their interests, the Head of IT and Chief Operations Officer together with subject matter experts are empowered to rate the importance of the threat in accordance with the following table.
Impact Assessment
Likelihood Assessment
For each threat, the organization’s current actual exposure is assessed, based on the controls currently in place and on information obtained from interviews and subject matter knowledge.
The Risk Assessment shall detail the organization’s vulnerability value for each threat.
Risk Analysis
The risk measure is calculated by multiplying the impact value of the asset / asset group by the likelihood of the risk happening. To calculate the Risk Measure the following calculation is performed:
Likelihood x Impact = Risk Measure
The resulting Risk Measure is then rated as Very Low, Low, Medium, High or Very High risk and treated accordingly.
Risk Management Scale
In order to identify risk management options, risk management options will be defined as High, Medium, or Low according to the predefined table below:
Risk Treatment
All risks that result in a LOW or VERY LOW risk measure shall automatically be accepted and no further action shall be required.
All risks that result in a MEDIUM, HIGH or VERY HIGH risk measure shall be reviewed for further management action. The Head of IT shall review all such risks with the Chief Operations Officer and the Asset Owners to decide an appropriate risk treatment action.
Risks measured as High will result in a business case being made to the organization investment governance board with the range of options to remove, reduce or mitigate the risk. Thus the decision on which risks are acceptable, or not, will ultimately be made by the management team.
Risk Treatment Plan
The Head of IT is responsible for establishing and maintaining the risk treatment plan in order to achieve the identified control objectives. The Risk Treatment Plan details the following:
- The source of the risk, threat and vulnerability from the risk assessment
- The asset(s) at risk, if applicable
- The owner of the Risk
- The proposed management action (Reduce, Accept, Avoid, Transfer)
- The proposed controls and actions to be carried out to REDUCE risks
- The proposed timescale and deadlines for completion of the proposed actions
The risk treatment plan shall identify priorities based upon the perceived risk, and shall consider funding, responsibilities, actions and the estimated date of completion.
The Head of IT is responsible for tracking and chasing the progress of risk treatments, and updating the Risk Treatment Plan with progress and updated actions.
The Head of IT and Chief Operations Officer will review the Risk Treatment Plan regularly and ensure that actions are being implemented and closed in a timely manner. If required, the Director of Operations will escalate unresolved actions to the appropriate management functions to ensure actions are dealt with.
Ongoing Risk Management
The ongoing management of risks is controlled by assessing data from incident reports, audit results, technical advisories and confirmed or potential technical or process vulnerabilities and if required creating subsequent risk assessments. New critical information assets, processing facilities and buildings are subjected to risk assessment as part of the project process.
The Head of IT is responsible for ensuring that changes to the organization, its technology, business objectives, processes, legal requirements and identified threats are incorporated into the Risk Assessment and Management process. Where appropriate the Head of IT will initiate a risk assessment process to ensure that security controls are relevant. The risk assessment shall follow the same assessment process detailed in this document.
The organization can, if required, reactively implement additional controls without undertaking a full risk assessment, where the threat or vulnerability could have a significant impact on the organization, its partners or personnel.