Risk Management Policy

Policy Owner: Luacs

Effective Date: 01.03.2025

Purpose

To define actions to address Tekai information security risks and opportunities. To define a plan for the achievement of information security and privacy objectives.

Scope

• All Tekai IT systems that process, store or transmit confidential, private, or business-critical data.
• Risks that could affect the medium to long-term goals of Tekai should be considered as well as risks that will be encountered in the day-to-day delivery of services. Tekai risk management systems and processes will be targeted to achieve maximum benefit without increasing the bureaucratic burden and ultimately affecting core service delivery to the organization.
• Tekai will therefore consider the materiality of risk in developing systems and processes to manage risk.
• This Policy applies to all employees of Tekai and to all external parties, including but not limited to Tekai consultants and contractors, business partners, vendors, suppliers, outsource service providers, and other third party entities with access to Tekai networks and system resources.

Risk Management Statement

Inadequate IT risk management exposes Tekai to risks including compromise of Tekai or customer network systems, services and information, cyber-attacks, contractual, or legal issues. Tekai will ensure that risk management plays an integral part in the governance and management of the organization at a strategic and operational level. The purpose of a risk management policy is designed to ensure that it achieves its stated business plan aims and objectives.

Risk Management Strategy

Tekai has developed processes to identify those risks that will hinder the achievement of its strategic and operational objectives. Tekai will therefore ensure that it has in place the means to identify, analyze, control and monitor the strategic and operational risks it faces using this risk management policy based on best practices.

Tekai will ensure the risk management strategy and policy are reviewed regularly and that internal audit functions are responsible for ensuring:

• The risk management policy is applied to all applicable areas of Tekai The risk management policy and its operational application are regularly reviewed
• Non-compliance is reported to appropriate company officers and authorities

Practical Application of Risk Management

Tekai has adopted a standard format for use in the identification of risks, their classification, and evaluation.

The format is based on the following NIST and ISO standards and frameworks:

• ISO 27005
• NIST 800-30
• NIST 800-37

Risks are assessed and ranked according to their impact and their likelihood of occurrence. A formal Risk Assessment, and network penetration tests, will be performed at least annually and shall take into consideration the results of any technical vulnerability management activities performed in accordance with the Operations Security Policy.

Risk Categories

Some risks are within the control of Tekai whilst others may be only to a lesser degree. Tekai will therefore take an approach that will identify those risks and classify the risks according to the following categories:

• Reputational
• Contractual
• Regulatory/Compliance
• Economic/Financial
• Fraud
• Privacy
• Environmental & Sustainability
• Impact on People
• Operational Capacity

Each risk will be assessed as to its likelihood and impact. Both impact and likelihood are assessed on a scale of 1-5. Impact can range from 1 ("Very low impact") to 5 ("Very high impact") and likelihood can range from 1 ("Very unlikely") to 5 ("Very likely").

Risk Criteria

The criteria for determining risk is the combined likelihood and impact of an event adversely affecting the confidentiality, availability, integrity, or privacy of organizational and customer information, personally identifiable information (PII), or business information systems.

For all risk inputs such as risk assessments, vulnerability scans, penetration test, bug bounty programs, etc., Tekai management shall reserve the right to modify risk rankings based on its assessment of the nature and criticality of the system processing, as well as the nature, criticality and exploitability (or other relevant factors and considerations) of the identified vulnerability.

Risk Response, Treatment, and Tracking

Risk will be prioritized and maintained in a risk register where they will be prioritized and mapped using the approach contained in this policy. The following responses to risk should be employed:

• Modify: Tekai may take actions or employ strategies to reduce the risk.
• Accept: Tekai may decide to accept and monitor the risk at the present time. This may be necessary for some risks that arise from external events.
• Transfer: Tekai may decide to pass the risk on to another party. For example: contractual terms may be agreed to ensure that the risk is not borne by Tekai or insurance may be appropriate for protection against financial loss.
• Avoid: the risk may be such that Tekai could decide to cease the activity or to change it in such a way as to end the risk.

Where Tekai chooses a risk response other than "Accept" or "Avoid" it shall develop a Risk Treatment Plan

Risk Management Procedures

The procedure for managing risk will meet the following criteria:

1. Tekai will maintain a Risk Register and Treatment Plan.
2. Risks are ranked by ‘likelihood' and ‘severity/impact' as critical, high, medium, low, and negligible.
3. Overall risk shall be determined through a combination of likelihood and impact.
4. Risks may be valuated to estimate potential monetary loss where possible.
5. Tekai will respond to risks in a prioritized fashion. Remediation priority will
6. consider the risk likelihood and impact, cost, work effort, and availability of resources.
7. Multiple remediations may be undertaken simultaneously
8. Regular reports will be made to the senior leadership of Tekai to ensure risks are being mitigated appropriately, and in accordance with business priorities and objectives.

Roles and Responsibilities

The following table outlines the specific risk management activities and responsibilities associated with each role.

Other Resources

04-ISMS Risk Assessment and Treatment Policy

For current Risk Register, see https://app.vanta.com/risk-management/risk-register

ISO 27001 / 27701 Coverage

ISO 27001 6.1; 6.2

APPENDIX A - Risk Assessment Process

The following is a high-level overview of the process used by Tekai to assess and manage information security related risks.

The process discussed below is based on NIST 800-30 and provides guidance to Tekai on how to:

• Prepare and conduct an effective risk assessment.
• Communicate and share the assessment results and risk-related information.
• Manage and maintain risks on an ongoing basis.

The risk assessment process is comprised of the following steps:

1. Prepare for the assessment
2. Conduct the assessment
3. Communicate the assessment
4. Maintain the assessment

Step 1: Prepare for the Assessment

In this step, the objective is to establish context for the risk assessment. This can be accomplished by performing the following:

• Identify the purpose of the assessment
  • Determine the information that the assessment is intended to produce and the decisions the assessment is intended to support.
• Identify the scope of the assessment
  • Determine the organizational function or process that is applicable, the associated time frame and any applicable architectural or technological considerations.
• Identify any assumptions or constraints associated with the assessment
  • Determine assumptions in key areas relevant to the risk assessment including:
    • Organizational priorities
    • Business objectives
    • Resource availability
    • Skills and expertise of risk assessment team
  • Identify sources of information
    • Architectural / technological diagrams and system configurations
    • Legal and regulatory requirements
    • Threat Sources Threat Events
    • Vulnerabilities and influencing conditions
    • Potential Impacts
    • Existing Controls

Step 2: Conduct the Assessment

In this step, the objective is to produce a list of information security related risks that can be prioritized by risk level and used to inform risk response decisions. This can be accomplished by performing the following:

• Identify Threat Sources
  • Determine and characterize threat sources relevant to and of concern to Tekai , including but not limited to:
    • Human (Intentional or Unintentional / Internal or External)
    • Environmental
    • Natural
    • System or Equipment
  • Consider the following when identifying threat sources:
    • Capability
    • Motive / Intent
    • Intentionally targeted people, processes, and/or technologies
    • Unintentionally targeted people, processes, and/or technologies
  • Identify Threat Events
    • Determine what threat events could be produced by the identified threat sources that have potential to impact Tekai .
    • Consider the relevance of the events and the sources that could initiate the events.
  • Identify Vulnerabilities
    • Determine the vulnerabilities with the Tekai such associated to people, process and/or technologies that could be exploited by the identified threat sources and threat events.
    • Consider any influencing conditions that could affect and aid in successful exploitation.
  • Determine Likelihood
    • Determine the likelihood that the identified threat sources would initiate the identified threat events and could successfully exploit any identified vulnerabilities.
    • Consider the following when determining the likelihood:
      • Characteristics of the threat sources that could initiate the events.
      • Capability
      • Motive/Intent
      • Opportunity
    • The vulnerabilities and/or influencing conditions identified
    • Tekai 's exposure based on any safeguards/countermeasures planned or implemented to prevent or mitigate such events.
  • Determine Impact
    • Determine the impact to Tekai 's business objectives, operations, assets, individuals, customers, and/or other organizations by considering the following:
      • Business / Operational Impacts
      • Financial Damage
      • Reputation Damage
      • Legal or Regulatory Issues
    • When determining impact, also take into consideration any safeguards/countermeasures planned or implemented by Tekai that would mitigate or lessen the impact.
  • Determine Risk
    • Determine the overall information security related risks to Tekai by combining the following:
      • The likelihood of the event occurring.
      • The impact that would result from the event.
    • The risk to Tekai is proportional to the likelihood and impact of an event.
      • Higher Risk Event: Is more likely to occur and the resulting impact will be greater.
      • Lower Risk Event: Is less likely to occur and the resulting impact will be minimal if any.

Step 3: Communicate and Share the Risk Assessment Results

In this step, the objective is to ensure that decision makers across the Tekai and executive leadership have the appropriate risk-related information needed to inform and guide risk decisions.

• Communicate the Results
  • Communicate the risk assessment results to Tekai decision maker and executive leadership to help drive risk based decisions and obtain the necessary support for the risk response.
  • Share the risk assessment and risk-related information with the appropriate personnel at Tekai to help support the risk response efforts.

Step 4: Maintain the Assessment

In this step, the objective is to keep current, the specific knowledge related to the risks that Tekai incurs. The results of the assessments inform, and drive risk based decisions and guide ongoing risk responses efforts.

• Monitor Risk Factors
  • Conduct ongoing monitoring of the risk factors that contribute to changes in risk to Tekai 's business objectives, operations, assets, individuals, customers, and/or other organizations.
• Maintain and Update the Assessment
  • Update existing risk assessments using the results from ongoing monitoring of risk factors and by conducting additional assessments, at minimum annually.

APPENDIX B - Risk Assessment Matrix and

Description Key