Risk Management Policy
Policy Owner: LuacsJarvis (Hai) Luong
Effective Date: 21.01.03.2025
Purpose
To define the actions that address Tekai's information security risks and opportunities, and to define the plan by which Tekai's information security and privacy objectives are achieved.
...
| Role | Responsibility |
| --- | --- |
| CEO | Ultimately responsible for the acceptance and/or treatment of any risk to the organization. |
| Principal Engineer | Can approve the avoidance, remediation, transference, or acceptance of any risk cited in the Risk Register. |
| IT Manager / CIO | Responsible for identifying all information-security-related risks and developing their treatment plans. This person communicates risks to top management and adopts risk treatments in accordance with executive direction. |
...
| Version | Date | Description | Author | Approved by |
| --- | --- | --- | --- | --- |
| 1.0 | 21.01.03.2025 | Initial implementation | JarvisLucas | |
APPENDIX A - Risk Assessment Process
...
- Monitor Risk Factors
  - Conduct ongoing monitoring of the risk factors that contribute to changes in risk to Tekai's business objectives, operations, assets, individuals, customers, and/or other organizations.
- Maintain and Update the Assessment
  - Update existing risk assessments using the results of ongoing monitoring of risk factors and by conducting additional assessments, at minimum annually.
APPENDIX B - Risk Assessment Matrix and
...
RISK = LIKELIHOOD × IMPACT

| IMPACT \ LIKELIHOOD | Very unlikely: 1 | Unlikely: 2 | Somewhat likely: 3 | Likely: 4 | Very likely: 5 |
| --- | --- | --- | --- | --- | --- |
| Very high impact: 5 | 5 | 10 | 15 | 20 | 25 |
| High impact: 4 | 4 | 8 | 12 | 16 | 20 |
| Medium impact: 3 | 3 | 6 | 9 | 12 | 15 |
| Low impact: 2 | 2 | 4 | 6 | 8 | 10 |
| Very low impact: 1 | 1 | 2 | 3 | 4 | 5 |
| RISK LEVEL | RISK DESCRIPTION |
| --- | --- |
| Low (1-4) | A threat event could be expected to have a limited adverse effect on organizational operations, mission capabilities, assets, individuals, customers, or other organizations. |
| Medium (5-12) | A threat event could be expected to have a serious adverse effect on organizational operations, mission capabilities, assets, individuals, customers, or other organizations. |
| High (15-25) | A threat event could be expected to have a severe adverse effect on organizational operations, mission capabilities, assets, individuals, customers, or other organizations. |

Because each score is the product of two integer ratings from 1 to 5, no score falls between 12 and 15, so the three bands together cover every cell of the matrix.
| LIKELIHOOD LEVEL | LIKELIHOOD DESCRIPTION | RATING (NUMERICAL) |
| --- | --- | --- |
| Very unlikely (1) | A threat event is so unlikely that it can be assumed its occurrence will not be experienced. The threat source is not motivated or has no capability, or controls are in place that prevent or significantly impede exploitation of the vulnerability. Probability of occurrence: < 5% in a 5-10 year period. | 1 |
| Unlikely (2) | A threat event is unlikely, but there is a slight possibility that its occurrence may be experienced. The threat source lacks sufficient motivation or capability, or controls are in place that prevent or impede exploitation of the vulnerability. Probability of occurrence: 6% to 20% in a 2-5 year period. | 2 |
| Somewhat likely (3) | A threat event is likely, and it can be assumed that its occurrence may be experienced. The threat source is motivated or possesses the capability, but controls are in place that may significantly reduce or impede successful exploitation of the vulnerability. Probability of occurrence: 21% to 50% in a 1-2 year period. | 3 |
| Likely (4) | A threat event is likely, and it can be assumed that its occurrence will be experienced. The threat source is highly motivated or possesses sufficient capability and resources, but some controls are in place that may reduce or impede successful exploitation of the vulnerability. Probability of occurrence: 51% to 80% in a 1 year period. | 4 |
| Very likely (5) | A threat event is highly likely, and it can be assumed that its occurrence will be experienced. The threat source is highly motivated or possesses sufficient capability or resources, and either no controls are in place or the controls in place are ineffective and do not prevent or impede successful exploitation of the vulnerability. Probability of occurrence: > 80% in a 1 year period or less. | 5 |

The probability ranges above are stated over different time windows, so the percentages are not directly comparable across levels; assessors should rate each risk against the window given for the level being considered.
| IMPACT LEVEL | IMPACT DESCRIPTION | RATING (NUMERICAL) |
| --- | --- | --- |
| Very low impact (1) | A threat event could be expected to have almost no adverse effect on organizational operations, mission capabilities, assets, individuals, customers, or other organizations. | 1 |
| Low impact (2) | A threat event could be expected to have a limited adverse effect, meaning: degradation of mission capability, yet primary functions can still be performed; minor damage; minor financial loss; or a range of effects limited to some cyber resources but no critical resources. | 2 |
| Medium impact (3) | A threat event could be expected to have a serious adverse effect, meaning: significant degradation of mission capability, yet primary functions can still be performed at reduced capacity; significant damage; significant financial loss; or a range of effects that is significant to some cyber resources and some critical resources. | 3 |
| High impact (4) | A threat event could be expected to have a severe or catastrophic adverse effect, meaning: severe degradation or loss of mission capability such that one or more primary functions cannot be performed; major damage; major financial loss; or a range of effects extending to most cyber resources and most critical resources. | 4 |
| Very high impact (5) | A threat event could be expected to have multiple severe or catastrophic adverse effects on organizational operations, assets, individuals, other organizations, or the Nation. The range of effects is sweeping, involving almost all cyber resources. | 5 |