Introduction:
This policy outlines the commitment to identify, analyze, evaluate, and treat business-related risks.
Risks fall into four main categories:
- Business continuity
- Data security
- Personnel
- General
Policy Statement:
IRIS Connect is committed to identifying, minimising and addressing any identified risk. We are committed to maintaining and protecting our information assets, as well as the information entrusted to us by our clients, from all threats, whether internal or external, deliberate or accidental.
Roles and Responsibilities:
Board of Directors: Oversee the risk management process and ensure it is properly structured and resourced.
Risk Management Committee: Develop risk management practices and report to the board.
IT Department: Identify, analyze, and evaluate information security risks.
All Employees: Adhere to the risk management policy and procedures.
Risk Identification:
Risks will be identified through methods such as team meetings, system analysis, code reviews, security audits, and penetration testing.
The Risk Management Committee then meets annually, or whenever new risks are identified or business circumstances change, to complete the Risk Assessment.
Risk Analysis and Evaluation:
Risks will be assessed based on their potential impact and likelihood of occurrence, using tools such as risk assessment software and vulnerability scanning. Risks will then be categorized as low, medium, or high.
Risk Mitigation:
Depending on the severity, risks may be accepted, avoided, transferred, or mitigated.
For risks relating to data security, this includes practices such as regular system patching, use of secure coding practices, data encryption, and purchasing cyber insurance for high-risk areas.
For risks relating to staffing or health and safety, we use staff training and external H&S audits.
Monitoring and Review:
As part of the Risk Assessment process, risks will be continuously monitored and reviewed to ensure that controls are effective and to identify any changes which may affect the risk profile.
Risk Assessment Framework
Purpose:
The purpose of the Risk Assessment Framework is to provide a structured process for identifying, assessing, and managing information security risks faced by IRIS Connect.
Risk Assessment Methodology:
Identification: Determine the risks that could affect the software or systems. This includes software vulnerabilities, configuration errors, insecure code, etc.
Analysis: Evaluate each risk based on its potential impact and the likelihood of its occurrence.
Prioritization: Classify risks as low, medium, or high priority based on their level of impact and likelihood.
Risk Treatment:
Mitigation: Implement controls to reduce the likelihood or impact of the risk.
Transfer: Some risks may be transferred through methods such as insurance.
Avoidance: For risks with catastrophic consequences and high likelihood, the activities causing these risks might need to be avoided altogether.
Acceptance: Some low-priority risks may be accepted if their mitigation is not cost-effective.
Monitoring and Review: Establish a schedule for regular review and updating of the risk assessment based on new threats, vulnerabilities, business changes, or the effectiveness of existing controls.
Roles and Responsibilities: Define who is responsible for each stage of the risk assessment process, from identification through to treatment and review.