Information Risk Management Policy
This Policy establishes guidelines and procedures for managing information
risks within the Company.
PURPOSE
Information that is collected, analysed, stored, communicated and reported
upon might be subject to theft, misuse, loss and/or corruption.
However, the implementation of controls to protect information must be
based on an assessment of the risk posed to the Company, and must balance
the likelihood of negative business impact against the resources required
to implement the mitigating controls, and any unintended negative
implications of the controls.
This Policy sets out the principles that the Company uses to identify,
assess and manage information risk, in order to support the achievement of
its planned objectives, and aligns with the overall Company risk
management framework and approach.
It aims to protect the confidentiality, integrity and availability of the
Company's information assets and to ensure compliance with relevant laws
and regulations.
This Information Risk Management Policy sits alongside the Information
Security Policy and the Data Protection Policy, and provides the
high-level outline of, and justification for, the Company's risk-based
information security controls.
OBJECTIVES
The Company's information risk management objectives are that:
- information risks are identified, managed and treated according to a
defined risk tolerance;
- the Information Asset Owner consents to the physical, procedural and
technical controls applied to their information assets;
- physical, procedural and technical controls are balanced against
Employee/User experience as well as security;
- physical, procedural and technical controls are cost-effective and
proportionate.
SCOPE
The Information Risk Management Policy and its supporting controls,
processes and procedures apply to all information used at the Company, in
all formats. This includes information processed by other organisations in
their dealings with the Company.
The Information Risk Management Policy and its supporting controls,
processes and procedures apply to all individuals who have access to the
Company's information, technologies and applications, including external
parties that provide information processing services to the Company.
ROLES & RESPONSIBILITIES
Clear roles and responsibilities are defined for managing information
risks. This includes designating an Information Security Officer
responsible for overseeing the implementation and enforcement of this
Policy.
The Information Security Officer:
- is responsible for managing the risk assessment process;
- maintains an up-to-date risk register;
- conducts risk assessments and, following them, recommends action for
medium and low risks;
- is responsible for assessing and reviewing high risks;
- has visibility of the risk register; and
- must also take an active role in identifying and reporting new risks.
COMPLIANCE & REVIEW
The Information Security Officer reviews and updates this Policy annually,
or more frequently if required, to ensure that it remains compliant with
applicable laws, regulations and industry standards.
POLICY STATEMENT
Information risk assessment is a formal and repeatable method for
identifying the risks facing an information asset, determining their
impact, and identifying and applying controls that are appropriate and
justified by those risks.
It is the Company's policy to ensure that information is protected
from a loss of:
- Confidentiality: information will be lawfully accessible only to
authorised individuals.
- Integrity: the accuracy and completeness of information will be
maintained.
- Availability: information will be accessible to authorised
Employees/Users when required, and processed only as required by law or
for a lawful purpose.
INFORMATION CLASSIFICATION
All information assets are classified based on their sensitivity and
criticality. This classification determines the level of protection
required and the access controls to be implemented.
ACCESS CONTROL
Access to information assets is granted based on the principle of least
privilege. Only authorised individuals are given access, and access rights
are regularly reviewed and revoked when no longer required.
INCIDENT RESPONSE
An incident response plan is developed and maintained to address security
incidents promptly and effectively. This plan includes procedures for
reporting, investigating, and mitigating incidents, as well as
communication and notification requirements.
TRAINING & AWARENESS
Regular training and awareness programmes are conducted to train
Employees/Users on information risk management best practices, including
the proper handling and protection of information assets.
RISK ASSESSMENT
Risk assessments must be completed with access to and an understanding of:
- the Company's business processes;
- the impact to the Company of risks to business assets;
- the technical systems in place supporting the business;
- the legislation to which the Company is subject;
- up-to-date threat and vulnerability assessments.
A risk assessment exercise should be completed:
- for every new information-processing system;
- following modification to systems or processes which could change the
threats or vulnerabilities;
- following the introduction of a new information asset;
- following changes to the threat environment or detection of new
vulnerabilities.
THREATS & VULNERABILITIES
The Company considers all potential threats and vulnerabilities applicable
to a particular system, whether natural or human, accidental or malicious.
Threat and vulnerability information is obtained from specialist security
consultancies, local and national law enforcement agencies and security
services, and contacts across the sector and region.
It is the responsibility of the Information Security Officer to maintain
channels of communication with appropriate specialist organisations.
RISK REGISTER
The results of the risk assessment process form the basis of the risk
register.
All risks are assigned an owner and a review date.
The risk register is held in the Information Security document store, with
access controlled by the Information Security Officer.
RISK TREATMENT
The risk register records a risk treatment decision for each risk. The
decision must fall into at least one of the following categories:
- Pending: where a potential risk has been identified but
needs initial investigation.
- Tolerate the risk: where the risk is already below the
Company's risk appetite and further treatment is not
proportionate.
- Treat the risk: where the risk is above the
Company's risk appetite but treatment is proportionate; or where
the treatment is so simple and cost effective that it is proportionate
to treat the risk even though it falls below the Company's risk
appetite.
- Transfer the risk: where the risk cannot be brought
below the Company's risk appetite with proportionate treatment but
a cost-effective option is available to transfer the risk to a third
party.
- Terminate the risk: where the risk cannot be brought
below the Company's risk appetite with proportionate
effort/resource and no cost-effective transfer is available.
The Information Security Officer, in collaboration with the Information
Asset Owner, reviews medium and low risks and recommends suitable action.
RISK APPETITE & TOLERANCE
The Company has agreed a series of risk appetite statements.
While not exhaustive, these give a good overview of the Company's
desire to pursue or tolerate risk in pursuit of its business objectives.
The risk appetite statements give the Information Security Officer a
framework within which to conduct risk assessments and make
recommendations for appropriate treatments.