
Risk Assessment & Management Policy

WeSalute's Risk Assessment principles, policies, procedures and methodology describe what systems WeSalute has in place to identify new business and technical risks and how often those risks are mitigated.

Principles

WeSalute is proactive in its approach to risk management, balances the cost of managing risk with anticipated benefits, and undertakes contingency planning in the event that critical risks are realized. WeSalute has the primary duty to ensure the Security, Availability, and Confidentiality of critical systems and customer data. A duty to ensure a secure, available infrastructure requires WeSalute to identify and manage risks. WeSalute believes that effective risk management involves:

  1. A commitment to the Security, Availability, and Confidentiality of WeSalute infrastructure and services from senior management;

  2. The involvement, cooperation and insight of all WeSalute Team Members;

  3. A commitment to initiating risk assessments, starting with discovery and identification of risks;

  4. A commitment to the thorough analysis of identified risks;

  5. A commitment to a strategy for treatment of identified risks;

  6. A commitment to communicate all identified risks to the company;

  7. A commitment to encourage the reporting of risks and threat vectors from all WeSalute Team Members.

WeSalute believes that the following events can trigger a risk assessment to occur:

  • A significant and major change to existing infrastructure, product or business practices;

  • A significant amount of time (e.g. a year) having passed since the last risk assessment.

Risk assessments can be as high level or detailed to a specific organizational or technical change as WeSalute stakeholders and technologists see fit.
Risk assessments can be conducted by unbiased and qualified parties such as security consultancies or qualified internal team members.

Scope

This Risk Assessment & Management program and policy applies to all systems and data on the WeSalute network, owned by WeSalute or its customers, or operated on behalf of the organization. Risk assessments should evaluate technical infrastructure, including networks, instances, databases, systems, storage, and services. WeSalute risk assessments will also include an analysis of business practices, procedures, and physical office spaces as needed.

Risk assessments for vendors are covered under WeSalute's Vendor Management Program, which includes a thorough risk assessment targeted at a vendor's security, business practices, legal commitments, and insurance postures.

Definitions

Risk

Risk is the probability that a harmful consequence may result when exposed to a hazard. Risk is characterized and rated by considering two factors:

  1. Probability or likelihood (L) of occurrence; and

  2. Consequence (C) of occurrence.

This is expressed as R (risk) = L (likelihood) x C (consequence).

Threat

A potential incident or activity, whether deliberate, accidental, or natural in origin, that may cause physical harm to a person or financial harm to an organization.

Likelihood

The likelihood is a qualitative description of probability or frequency. The likelihood of occurrence is a weighted risk factor based on an analysis of the probability that a given threat is capable of exploiting a given vulnerability (or set of vulnerabilities). The likelihood risk factor combines an estimate of the likelihood that the threat event will be initiated with an estimate of the likelihood of impact (i.e., the likelihood that the threat event results in adverse impacts).

Consequence

The consequence is the outcome of an event and is a loss, disadvantage, or gain. There is a range of possible outcomes associated with an event. Consequence and impact are used interchangeably. The level of impact from a threat event is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.

Risk Assessment

A risk assessment is a process of evaluating and comparing a level of risk against predetermined acceptable levels of risk. It is an examination of all possible risks along with implemented and non-implemented solutions to reduce, eliminate, or manage the risks.

Risk Management

Risk management is the application of a management program that addresses organizational and technical risk. This management program includes identification, analysis, treatment, and monitoring.

Risk Owner

A risk owner is a person responsible for managing an individual risk. The risk owner is typically the person directly responsible for the strategy, activity, or function that relates to that risk.

Risk Assessment & Management Policy

This risk assessment policy specifies how and when risk assessments will be done and who will be responsible for conducting risk assessments and implementing solutions to address any risk assessment findings.

It is the responsibility of all WeSalute Team Members to identify, analyze, evaluate, monitor, and communicate risks associated with any activity, technology, function, or process within their relevant scope of responsibility and authority. Team Members identifying potential risks or vulnerabilities are to report them to internal Team Members and/or external third parties contracted with WeSalute for the purpose of risk assessment.

Overall, the execution, development, and implementation of risk assessments and remediation programs is the joint responsibility of WeSalute's CTO and the department or individuals responsible for the surface area being assessed. All Team Members are expected to cooperate fully with any risk assessment being conducted on systems and procedures for which they are responsible. Team Members are further expected to work with the risk assessment project lead in the development of a remediation plan for each risk assessment performed.

  • WeSalute performs at least one risk assessment every year using qualified internal Team Members and/or external third parties who have experience performing risk assessments.

  • A risk assessment should be done or reviewed on critical systems and applications no less than every two years.

  • Risk assessments may be used to assess all risks to the organization.

  • All Team Members involved with a risk assessment must fully cooperate with the risk assessment project lead in conducting the assessment and developing a remediation strategy.

  • Any Team Members or external consultants who perform any WeSalute risk assessments are required to be familiar with computer technology and computer security in particular. The risk assessment project leader should be the security officer or a Team Member designated by the security officer to conduct the risk assessment.

  • Risk assessment deliverables include a risk assessment report with a risk reduction action plan to manage or mitigate any unacceptable risks. The action plan may be included with the risk assessment report or delivered separately. The action plan will be a plan for implementing additional controls and solutions to mitigate or manage the risk. The action plan may define participants and actions to be taken during the implementation of the action plan.

  • The risk assessment process and methodology will be updated as required due to results of audits and incidents.

  • All identified vulnerabilities will be assessed for impact and criticality. Vulnerabilities must be remediated as soon as possible as mandated by the WeSalute Vulnerability Management & Patch Program.

Risk Assessment Process

WeSalute's risk assessment methodology is based on NIST Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments.

  • Management defines the scope of risk assessment and creates the risk assessment team with a point person to guide the process (risk assessment project lead).

  • If risk assessment procedures are not defined, the operations team should define them. The proper time and method of communicating the selected risk treatment options to the affected SystemsOps and business management should be included.

  • Evaluate the system - Determine if the system is critical to the organization's business processes and determine the data classification and security needs of the data on the system according to the WeSalute Data Classification Policy, considering Security, Availability, and Confidentiality needs.

  • List the threats - List possible threat sources such as an exploitation of a vulnerability.

  • Identify vulnerabilities.

  • Evaluate potential security controls already in place to assess if they adequately address the risk.

  • Identify probability of exploitation. Additional security controls may need to be in place before the probability of exploitation is lowered.

  • Quantify damage (impact) - Categorize the damage and possibly place a dollar amount on the damage where possible. This will help when looking at cost of controls to reduce the risk.

  • Determine risk level - Use likelihood times impact to quantify the amount of risk.

  • Evaluate and recommend controls to reduce or eliminate risk - Identify existing controls and those that may further reduce probabilities or mitigate specific vulnerabilities. List specific threats and vulnerabilities for the system to help identify mitigating controls.

  • Create the risk assessment report.

  • Communicate the selected risk treatment options to the affected SystemsOps and business management and Team Members.

  • Take recommended risk mitigation actions. Record such actions as changes per the WeSalute Change Management Policy.

  • Monitor the effectiveness of the risk mitigation actions and document the results.

Risk Mitigation Standards

Acceptable Risks

When the probability of threat materialization times maximum damage amount is less than $1000 annually, the risk is acceptable. For higher amounts, on a yearly basis, acceptance of the risk will depend on the cost of implementing measures to reduce the risk. If the risk cannot be reduced and the amount per year is greater than $50,000, the risk should be transferred by purchasing insurance.

Risk Mitigation

Options for mitigating risk shall include the following possibilities:

  • Reducing the chance of an occurrence of an event

  • Reducing the damage due to occurrence

  • Avoiding the risk

  • Transferring the risk by taking an action such as purchasing insurance

Some guidelines and standards applicable to WeSalute:

  • Costs of implementing each control are considered and compared to the benefits, pecuniary and non-pecuniary, of implementing each control.

  • Cost and benefit analysis is done to evaluate proposed controls versus risks. When the controls are evaluated, the benefits, costs, and cost savings of applying the controls both individually and in combination should be determined. Performance measures for determining the effectiveness of the new controls are created.

  • Risks shall be ranked, controls are selected, and a plan is created to implement the controls. Responsibilities for implementing the controls are determined and communicated. Budgeting and schedules are set and the expected outcomes from mitigating the risks with the controls are documented. Residual risk after full implementation is considered.

  • Decisions regarding residual risk are made. Specifically, whether to accept the risk, transfer the risk, or take other action, including adding additional controls.

  • Safeguard options for addressing high risk scenarios must be considered and utilized appropriately while the extent of risk reduction and benefits are considered. Cost and benefit analysis is done to evaluate safeguard options.

  • If the cost of safeguard options or recommended risk controls is greater than the available budget, the options and controls are prioritized to reduce as much risk as possible within the budget.

  • When the risk assessment report is completed, results shall be communicated to the affected IT and business management and team members.
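The following is an added worked example, not WeSalute's own tooling, that puts the policy's arithmetic together: R = L x C on annualized figures, the $1,000 and $50,000 thresholds from the Acceptable Risks section, the cost-versus-benefit test for controls, and the rule that controls are prioritized within an available budget. The greedy per-dollar ordering and the sample register are assumptions; the policy prescribes the thresholds, not a ranking method.

```python
"""Policy arithmetic as code: R = L x C, acceptance thresholds, budgeted control selection.
Added illustration; the greedy prioritization is an assumption, not WeSalute's procedure."""
from dataclasses import dataclass

ACCEPTABLE_ANNUAL_LOSS = 1_000   # below this the risk is acceptable as-is
TRANSFER_THRESHOLD = 50_000      # above this, if not reducible, transfer (insure)


@dataclass
class Risk:
    name: str
    likelihood: float          # expected occurrences per year (L)
    consequence: float         # maximum damage per occurrence in dollars (C)
    control_cost: float        # annual cost of the proposed control, 0 if none exists
    reduced_likelihood: float  # L after the control is applied

    def annual_risk(self) -> float:
        return self.likelihood * self.consequence          # R = L x C, per year

    def risk_reduction(self) -> float:
        return (self.likelihood - self.reduced_likelihood) * self.consequence


def treatment(r: Risk) -> str:
    """Map one risk onto the policy's treatment options."""
    annual = r.annual_risk()
    if annual < ACCEPTABLE_ANNUAL_LOSS:
        return "accept"
    reducible = r.control_cost > 0 and r.risk_reduction() > 0
    if reducible and r.control_cost < r.risk_reduction():
        return "mitigate"      # control costs less than the loss it removes
    if not reducible and annual > TRANSFER_THRESHOLD:
        return "transfer"
    return "review"            # $1k-$50k band: a management decision on cost


def prioritize(risks: list, budget: float) -> list:
    """Pick controls by risk reduction per dollar until the budget is spent (assumed method)."""
    candidates = [r for r in risks if treatment(r) == "mitigate"]
    candidates.sort(key=lambda r: r.risk_reduction() / r.control_cost, reverse=True)
    chosen, spent = [], 0.0
    for r in candidates:
        if spent + r.control_cost <= budget:
            chosen.append(r.name)
            spent += r.control_cost
    return chosen


# Constructed sample register (values are illustrative only)
REGISTER = [
    Risk("stale laptop image", 0.5, 1_500, 400, 0.1),
    Risk("unpatched edge appliance", 0.2, 120_000, 9_000, 0.02),
    Risk("office flood", 0.01, 6_000_000, 0, 0.01),
]
```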

Policy Review, Disciplinary, & Responsibility

Disciplinary and Non-Compliance

Since risk assessments are an important part of protecting data and systems for WeSalute, employees that purposely violate this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any team member aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

Responsibility

The CTO is responsible for communicating detected risks and remediation steps needed to the appropriate team members for resolution. Those team members are then responsible for resolving detected risks in a timely manner, guided by the severity of the detected risk.

Warning: This Policy currently does not have the complete required policy footer content standard on WeSalute Policies. This may be intentional by the nature of the content.