2.1 Risk Assessment and Treatment Policy

Purpose and Scope

This Risk Assessment Policy guides Sord in performing risk assessments that account for threats, vulnerabilities, likelihood, and impact to Sord assets, team members, customers, vendors, suppliers, and partners, based on the Sord services and their security, availability, and confidentiality needs.

From time to time, Sord may update this policy and implement different levels of security controls for different information assets, based on risk and other considerations. This policy is guided by security requirements specific to Sord including applicable laws and regulations.

This policy applies to all Sord assets utilized by personnel acting on behalf of Sord or accessing its applications, infrastructure, systems, or data. All personnel are required to read, accept, and follow all Sord policies and plans.

Risk Assessment Framework

Sord conducts assessments of risk, which include the likelihood and impact of harm from the unauthorized access, use, disclosure, disruption, modification and/or destruction of Sord systems, applications, infrastructure, and the data processed, stored or transmitted by them.

The risk assessment process is coordinated by Jonathan Gautsch, identification of threats and vulnerabilities is performed by asset owners, and assessment of consequences and likelihood is performed by the risk owner.

A risk assessment may include a review of:

  • internal controls including policies, procedures, and implemented security safeguards

  • human resource practices related to hiring, termination, and discipline procedures

  • facility controls

  • exposure to theft

  • systems and applications used to collect, store, process or transmit confidential data

Risk Assessment Process

The risk assessment process should align with the following steps:

(1) Scoping Assets

In order to begin the risk assessment process, the assessor should determine the scope of what needs to be covered in the assessment. An effective assessment should be limited in its scope to the applicable assets.

Such scope may include:

  • Review inventory of critical system assets (hardware, software, facilities, etc.)

  • Identification of data owners (electronic and non-electronic data)

  • Identification of workforce members with access to stored data by hardware/software

  • Mapping data flow through Sord and vendor systems

  • Conducting an inventory of data storage (including non-electronic data)

  • System characterization (e.g. essential, non-essential)

(2) Identifying Threats and Vulnerabilities

Vulnerabilities and threats, both internal and external, to Sord operations (including, but not limited to, its mission, functions, image, or reputation), assets, information, and individuals may be identified and documented as part of the Sord risk assessment.

Threat

A threat is any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, or other organizations, through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service. [SP 800-30 Rev.1]

Vulnerability

A vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source. [SP 800-30 Rev.1]

Such identification steps may include:

  • Security control analysis

  • Identification of relevant patterns, practices, or specific activities that indicate possible identity theft

(3) Analyze Risks

For each risk, a risk owner has to be identified – the person or organizational unit responsible for each risk. This person may or may not be the same as the asset owner. Once risk owners have been identified, it is necessary to assess consequences for each combination of threats and vulnerabilities for an individual asset if such a risk materializes:

Initial (or Inherent) Risk Likelihood Determination

How likely is it that an identified threat or vulnerability will impact the organization given existing security controls?

The likelihood of occurrence is a weighted risk factor based on an analysis of the probability that a given threat is capable of exploiting a given vulnerability (or set of vulnerabilities).

Likelihood Level | Likelihood Score | Description
Very High        | 5                | A threat that is highly likely to occur without adequate and effective security controls.
High             | 4                | A threat that is likely to occur with little to no security controls and a high level of probability.
Moderate         | 3                | A threat that could occur but has been protected against with minimal security controls, or the probability of risk is moderate without such controls.
Low              | 2                | A threat that may occur but is unlikely given the low probability of the risk or the security controls taken.
Very Low         | 1                | A threat that is highly unlikely to occur given the very low probability of the risk or the security controls taken.

Initial (or Inherent) Risk Impact Analysis

What is the cost if an identified threat or vulnerability impacts the organization given existing security controls?

The level of impact from a threat event is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.

Impact Level | Impact Score | Description
Very High    | 5            | Any loss due to this threat will have an immediate and material effect on the organization's legal, regulatory or contractual obligations or its operations, cash flow or reputation.
High         | 4            | Any loss due to this threat may have an immediate and significant effect on the organization's legal, regulatory or contractual obligations or its operations, cash flow or reputation.
Moderate     | 3            | Any loss due to this threat may have a moderate effect on the organization's legal, regulatory or contractual obligations or its operations, cash flow or reputation.
Low          | 2            | Any loss due to this threat may have a non-material effect on the organization's legal, regulatory or contractual obligations or its operations, cash flow or reputation.
Very Low     | 1            | Any loss due to this threat will not affect the organization's legal, regulatory or contractual obligations or its operations, cash flow or reputation.

Initial (or Inherent) Risk Score

After the likelihood and impact analysis, a risk determination should be made. Risk is a function of the likelihood of a threat event’s occurrence and the potential adverse impact should the event occur. To determine the risk score, Sord multiplies impact * likelihood; a higher number equates to higher potential risk.

(4) Risk Treatment

For any critical or high threats and vulnerabilities identified during the risk assessment process, Sord will immediately determine the associated risks and develop action plans to mitigate those risks, including, but not limited to, patching of vulnerable systems and/or applying other control activities. Risk responses shall consider industry or organizational laws, regulations or standards, other priorities, cultural fit, IT policy and strategies, risk strategies, cost-effectiveness, type of protection, threats covered, risk levels, existing alternatives, and additional benefits derived from the treatment.

There are three possible responses to risk:

Risk Mitigation

Risk mitigation is the implementation of safeguards and countermeasures to reduce or eliminate vulnerabilities or threats.

Risk Transfer

Risk transfer is the placement of the cost of loss a risk represents onto another entity. This is accomplished by purchasing insurance and/or outsourcing.

Risk Acceptance

Acceptance of risk is Sord's determination, based on a cost/benefit analysis of a possible safeguard, that the cost of the countermeasure greatly outweighs the possible cost of loss due to a risk. Risk score values under 15 are acceptable risks, while values of 15 or above are unacceptable risks. Unacceptable risks must be treated. On behalf of the risk owners, Senior Management will accept all residual risks.

(5) Calculate Residual Risks

Based on risk treatment decisions, plans, and any net new compensating controls to be implemented, recalculate the residual risks by reassessing risk likelihoods and impacts.

(6) Reporting

Jonathan Gautsch or a designee is responsible for creating the risk assessment and treatment report and delivering the results to senior management and other applicable team members. The report includes risk responses and documentation of the risks the organization will accept, such as threats or vulnerabilities that are likely to impact the organization but carry a low impact cost. All risk assessment reports must be documented and retained for a minimum of three years.

Unacceptable risks should be appropriately remediated in accordance with the Change Management Policy and Vulnerability Management Policy.

Exceptions

Sord business needs, local situations, laws and regulations may occasionally call for an exception to this policy or any other Sord policy. If an exception is needed, Sord management will determine an acceptable alternative approach.

Enforcement

Any violation of this policy or any other Sord policy or procedure may result in disciplinary action, up to and including termination of employment. Sord reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. Sord does not consider conduct in violation of this policy to be within an employee’s or contractor’s course and scope of work.

Any member of personnel who is asked to undertake an activity that he or she believes is in violation of this policy must provide a written or verbal complaint to his or her manager, or to any other manager of Sord, as soon as possible.

The disciplinary process should also be used as a deterrent to prevent employees and contractors from violating organizational security policies and procedures, and from committing any other security breaches.

Responsibility, Review, and Audit

Jonathan Gautsch or a designee is responsible for overseeing the successful completion of the risk assessment. Risk assessments must be conducted at least annually, or whenever there are significant changes to Sord, its systems, or other conditions that may impact the security of Sord, such as the failure of a mission-critical vendor or a security breach.

Sord reviews and updates its security policies and plans to maintain organizational security objectives and meet regulatory requirements at least annually. The results are shared with appropriate parties internally and findings are tracked to resolution. Any changes are communicated across the organization.

This document is maintained by Jonathan Gautsch.

This document was last updated on 03/27/2024.