Risk Management Policy
To identify and manage risks relating to InfoSec
To define actions to address safetynetsolutions.co.uk information security risks and opportunities. To define a plan for the achievement of information security and privacy objectives.
Scope
- All safetynetsolutions.co.uk IT systems that process, store or transmit confidential, private, or business-critical data.
- Risks that could affect the medium to long-term goals of safetynetsolutions.co.uk should be considered as well as risks that will be encountered in the day-to-day delivery of services.
- safetynetsolutions.co.uk risk management systems and processes will be targeted to achieve maximum benefit without increasing the bureaucratic burden and ultimately affecting core service delivery to the organization.
- safetynetsolutions.co.uk will therefore consider the materiality of risk in developing systems and processes to manage risk.
- This Policy applies to all employees of safetynetsolutions.co.uk and to all external parties, including but not limited to safetynetsolutions.co.uk consultants and contractors, business partners, vendors, suppliers, outsource service providers, and other third party entities with access to safetynetsolutions.co.uk networks and system resources.
Risk management statement
Inadequate IT risk management exposes safetynetsolutions.co.uk to risks including compromise of safetynetsolutions.co.uk or customer network systems, services and information; cyber-attacks; and contractual or legal issues.
safetynetsolutions.co.uk will ensure that risk management plays an integral part in the governance and management of the organization at a strategic and operational level. The purpose of this risk management policy is to ensure that the organization achieves its stated business plan aims and objectives.
Risk management strategy
safetynetsolutions.co.uk has developed processes to identify those risks that will hinder the achievement of its strategic and operational objectives. safetynetsolutions.co.uk will therefore ensure that it has in place the means to identify, analyse, control and monitor the strategic and operational risks it faces using this risk management policy based on best practices. safetynetsolutions.co.uk will ensure the risk management strategy and policy are reviewed regularly and that internal audit functions are responsible for ensuring:
- The risk management policy is applied to all applicable areas of safetynetsolutions.co.uk
- The risk management policy and its operational application are regularly reviewed
- Non-compliance is reported to appropriate company officers and authorities
Practical application of risk management
safetynetsolutions.co.uk has adopted a standard format for use in the identification of risks, their classification, and evaluation. The format is based on the following NIST and ISO standards and frameworks:
- ISO 27005
- NIST 800-30
- NIST 800-37
Risks are assessed and ranked according to their impact and their likelihood of occurrence.
A formal Risk Assessment, and network penetration tests, will be performed at least annually and shall take into consideration the results of any technical vulnerability management activities performed in accordance with the Operations Security Policy.
Risk categories
safetynetsolutions.co.uk will consider and assess risks across the organisation.
Risk categories that are considered for evaluation include:
- Access control
- Artificial intelligence
- Asset management
- Business continuity and disaster recovery
- Communications security
- Compliance
- Cryptography
- Environmental, social, and governance
- Fraud
- Incident response management
- Information security operations
- Information security policies
- Operations security
- People operations
- Physical and environmental security
- Privacy
- Software development and acquisition
- Trustworthiness
- Vendor relationships
Each risk will be assessed as to its Likelihood and Impact.
Likelihood can range from 1 ("Very unlikely") to 5 ("Very likely").
Impact can range from 1 ("Very low impact") to 5 ("Very high impact").
Risk criteria
The criterion for determining risk is the combined likelihood and impact of an event adversely affecting the confidentiality, availability, integrity, or privacy of organizational and customer information, personally identifiable information (PII), or business information systems.
For all risk inputs such as risk assessments, vulnerability scans, penetration tests, bug bounty programs, etc., safetynetsolutions.co.uk management shall reserve the right to modify risk rankings based on its assessment of the nature and criticality of the system processing, as well as the nature, criticality and exploitability (or other relevant factors and considerations) of the identified vulnerability.
Risk response, treatment, and tracking
Risks will be recorded and maintained in a risk register, where they will be prioritised and mapped using the approach contained in this policy.
The following responses to risk should be employed:
- Mitigate: safetynetsolutions.co.uk may take actions or employ strategies to reduce the risk.
- Accept: safetynetsolutions.co.uk may decide to accept and monitor the risk at the present time. This may be necessary for some risks that arise from external events.
- Transfer: safetynetsolutions.co.uk may decide to pass the risk on to another party. For example, contractual terms may be agreed to ensure that the risk is not borne by safetynetsolutions.co.uk, or insurance may be appropriate for protection against financial loss.
- Avoid: the risk may be such that safetynetsolutions.co.uk could decide to cease the activity or to change it in such a way as to end the risk.
Where safetynetsolutions.co.uk chooses a risk response other than "Accept" or "Avoid" it shall develop a Risk Treatment Plan.
Risk management procedures
The procedure for managing risk will meet the following criteria:
1. safetynetsolutions.co.uk will maintain a Risk Register and Treatment Plan.
2. Risks are ranked by "likelihood" and "severity/impact" as critical, high, medium, low, and negligible.
3. Overall risk shall be determined through a combination of likelihood and impact.
4. Risks may be evaluated to estimate potential monetary loss where possible.
5. safetynetsolutions.co.uk will respond to risks in a prioritized fashion. Remediation priority will consider the risk likelihood and impact, cost, work effort, and availability of resources. Multiple remediations may be undertaken simultaneously.
6. Regular reports will be made to the senior leadership of safetynetsolutions.co.uk to ensure risks are being mitigated appropriately, and in accordance with business priorities and objectives.
safetynetsolutions.co.uk shall consider information security risk as a part of all projects that are technical in nature or which can pose a risk to the company, regardless of size, duration, or domain.
From the initial planning, through completion of a project, appropriate assessment and mitigation of information security risks is essential, involving:
- initial information security risk assessments,
- early identification and addressing of information security requirements, and
- ongoing assessment and management of risks, especially concerning internal and external project communications.