This Policy establishes guidelines and procedures for managing information risks within our Company.
PURPOSE
Information that is collected, analysed, stored, communicated and reported upon might be subject to theft, misuse, loss and/or corruption.
However, the implementation of controls to protect information must be based on an assessment of the risk posed to the Company, and must balance the likelihood of negative business impact against the resources required to implement the mitigating controls, and any unintended negative implications of the controls.
This Policy sets out the principles that the Company uses to identify, assess and manage information risk, in order to support the achievement of its planned objectives, and aligns with the overall Company risk management framework and approach.
It aims to protect the confidentiality, integrity and availability of the Company’s information assets and to ensure compliance with relevant laws and regulations.
This high-level Information Risk Management Policy sits alongside the Information Security Policy and Data Protection Policy to provide the high-level outline of and justification for the Company’s risk-based information security controls.
OBJECTIVES
The Company’s information risk management objectives are focused on:
SCOPE
The Information Risk Management Policy and its supporting controls, processes and procedures apply to all information used at the Company, in all formats. This includes information processed by other organisations in their dealings with the Company.
The Information Risk Management Policy and its supporting controls, processes and procedures apply to all individuals who have access to the Company’s information, technologies and apps, including external parties that provide information processing services to the Company.
ROLES & RESPONSIBILITIES
Clear roles and responsibilities are defined for managing information risks. This includes designating an Information Security Officer responsible for overseeing the implementation and enforcement of this Policy.
The Information Security Officer:
COMPLIANCE & REVIEW
This Policy is reviewed and updated to ensure compliance with applicable laws, regulations and industry standards by the Information Security Officer on an annual basis or more frequently if required.
POLICY STATEMENT
Information risk assessment is a formal and repeatable method for identifying the risks facing an information asset. It is used to determine their impact, and identify and apply controls that are appropriate and justified by the risks.
It is the Company’s policy to ensure that information is protected from a loss of:
INFORMATION CLASSIFICATION
All information assets are classified based on their sensitivity and criticality. This classification determines the level of protection required and the access controls to be implemented.
ACCESS CONTROL
Access to information assets is granted based on the principle of least privilege. Only authorised individuals are given access, and access rights are regularly reviewed and revoked when no longer required.
INCIDENT RESPONSE
An incident response plan is developed and maintained to address security incidents promptly and effectively. This plan includes procedures for reporting, investigating, and mitigating incidents, as well as communication and notification requirements.
TRAINING & AWARENESS
Regular training and awareness programmes are conducted to train Employees/Users in information risk management best practices, including the proper handling and protection of information assets.
RISK ASSESSMENT
Risk assessments must be completed with access to and an understanding of:
A risk assessment exercise should be completed:
THREATS & VULNERABILITIES
The Company considers all potential threats and vulnerabilities applicable to a particular system, whether natural or human, accidental or malicious.
Threat and vulnerability information is obtained from specialist security consultancies, local and national law enforcement agencies and security services, and contacts across the sector and region.
It is the responsibility of the Information Security Officer to maintain channels of communication with appropriate specialist organisations.
RISK REGISTER
The calculations listed in the risk assessment process form the basis of a risk register.
All risks are assigned an owner and a review date.
The risk register is held in the Information Security document store, with access controlled by the Information Security Officer.
RISK TREATMENT
The risk register includes a risk treatment decision. The action must fall into at least one of the following categories:
The Information Security Officer, in collaboration with the Information Asset Owner, reviews medium and low risks and recommends suitable action.
RISK APPETITE & TOLERANCE
The Company has agreed a series of risk appetite statements.
While not exhaustive, these give a good overview of the Company’s desire to pursue or tolerate risk in pursuit of its business objectives.
The risk appetite statements give the Information Security Officer a framework within which to conduct risk assessments and make recommendations for appropriate treatments.