Risk Management Policy

Netspective Unified Process

The Risk Management policy empowers all employees involved in risk assessment and treatment to conduct risk assessments on any entity within Netspective Communications LLC, as well as outside entities that have signed a Third Party Agreement with Netspective Communications LLC. It encompasses information systems, processes, and procedures, and sets acceptable risk levels determined by organizational leadership. This policy applies to all employees participating in risk assessment and treatment. [FII-SCF-020-RSK-01]

Risk Assessment [FII-SCF-020-RSK-04]

a. Netspective Communications LLC assets must be identified for threats and vulnerabilities as part of the risk assessment process.

b. To begin the risk assessment, all assets that may affect the confidentiality, integrity, and/or availability of information in the organization must be identified. These assets include documents in paper or electronic form, applications, databases, information technology equipment, infrastructure, and external/outsourced services and processes. Each asset must have an owner identified.

c. The risk assessment table must list all threats and vulnerabilities associated with each asset. Each asset can be associated with multiple threats, and each threat can be associated with multiple vulnerabilities. The Risk Assessment Report Template includes a sample risk assessment table.

d. An owner must be identified for each risk, and the risk owner and asset owner can be the same individual.

e. Risk owners must assess the consequences and likelihood of each combination of threats and vulnerabilities for an individual asset if such a risk materializes. Consequence and likelihood criteria are defined in Tables 3 and 4.

f. The risk level is calculated by adding the consequence score and the likelihood score.

Consequence Level | Consequence Score | Description
Low | 0 | Loss of confidentiality, integrity, or availability will not affect the organization's cash flow, legal or contractual obligations, or reputation.
Moderate | 1 | Loss of confidentiality, integrity, or availability may incur a financial cost and has a low or moderate impact on the organization's legal or contractual obligations and/or reputation.
High | 2 | Loss of confidentiality, integrity, or availability will have an immediate and/or considerable impact on the organization's cash flow, operations, legal and contractual obligations, and/or reputation.

Table 3: Description of Consequence Levels and Criteria

Likelihood Level | Likelihood Score | Description
Low | 0 | Either existing security controls are strong and have so far provided an adequate level of protection, or the probability of the risk being realized is extremely low. No new incidents are expected in the future.
Moderate | 1 | Either existing security controls have mostly provided an adequate level of protection, or the probability of the risk being realized is moderate. Some minor incidents may have occurred. New incidents are possible, but not highly likely.
High | 2 | Either existing security controls are not in place or are ineffective, or there is a high probability of the risk being realized. Incidents have a high likelihood of occurring in the future.

Table 4: Description of Likelihood Levels and Criteria

Risk Acceptance Criteria [FII-SCF-020-RSK-05]

a. The organization considers risk values 0 through 2 as acceptable risks.

b. The organization considers risk values 3 and 4 as unacceptable risks that require treatment.

Risk Treatment [FII-SCF-020-RSK-06]

a. To implement risk treatment, employees must copy all risks from the Risk Assessment Table to the Risk Treatment Table and identify treatment options and residual risks. Reference (a) provides a sample Risk Treatment Table.

b. The CEO and/or other company managers will determine objectives for mitigating or treating risks as part of the risk treatment process. All unacceptable risks must be treated. Additionally, managers may choose to treat other risks to improve company assets, even if their risk score is deemed acceptable.

c. The treatment options for risks are as follows:

i. Employees can select or develop security controls.

ii. Employees can transfer the risks to a third party, such as purchasing an insurance policy or signing a contract with suppliers or partners.

iii. Employees can avoid the risk by discontinuing the business activity that causes the risk.

iv. Employees can accept the risk, but only if other risk treatment options would cost more than the potential impact of the risk.

d. After selecting a treatment option, the risk owner should estimate the new consequence and likelihood values after implementing the planned controls.

Regular Reviews of Risk Assessment and Risk Treatment

Netspective Communications LLC must update the Risk Assessment Table and Risk Treatment Table whenever new risks are identified. A review and update must be conducted at least once per year. It is highly recommended that the tables also be updated when significant changes occur to Netspective Communications LLC, its technology, its business objectives, or its business environment.

Reporting [FII-SCF-020-RSK-04.1]

Netspective Communications LLC must document the results of risk assessment, risk treatment, and all subsequent reviews in a Risk Assessment Report.

Approved by: Ajay Kumaran Nair on June 26, 2023
Last Updated by: Arun K R on June 26, 2023