
Risk Management Policy

Policy Owner: Daniel Peixoto
Effective Date: Nov 8, 2024

Purpose

To define actions to address Straloo Tecnologia LTDA information security risks and opportunities.

To define a plan for the achievement of information security and privacy objectives.

Scope

All Straloo Tecnologia LTDA IT systems that process, store or transmit confidential, private, or business-critical data.

Risks that could affect the medium to long-term goals of Straloo Tecnologia LTDA should be considered as well as risks that will be encountered in the day-to-day delivery of services.

Straloo Tecnologia LTDA risk management systems and processes will be targeted to achieve maximum benefit without increasing the bureaucratic burden and ultimately affecting core service delivery to the organization.

Straloo Tecnologia LTDA will therefore consider the materiality of risk in developing systems and processes to manage risk.

This Policy applies to all employees of Straloo Tecnologia LTDA and to all external parties, including but not limited to Straloo Tecnologia LTDA consultants and contractors, business partners, vendors, suppliers, outsource service providers, and other third party entities with access to Straloo Tecnologia LTDA networks and system resources.

General requirements

Risk management statement

Inadequate IT risk management exposes Straloo Tecnologia LTDA to risks including compromise of Straloo Tecnologia LTDA or customer network systems, services and information, cyber-attacks, and contractual or legal issues.

Straloo Tecnologia LTDA will ensure that risk management plays an integral part in the governance and management of the organization at a strategic and operational level.

The purpose of this risk management policy is to ensure that Straloo Tecnologia LTDA achieves its stated business plan aims and objectives.

Risk management strategy

Straloo Tecnologia LTDA has developed processes to identify those risks that will hinder the achievement of its strategic and operational objectives.

Straloo Tecnologia LTDA will therefore ensure that it has in place the means to identify, analyze, control and monitor the strategic and operational risks it faces using this risk management policy based on best practices.

Straloo Tecnologia LTDA will ensure the risk management strategy and policy are reviewed regularly and that internal audit functions are responsible for ensuring:

  • The risk management policy is applied to all applicable areas of Straloo Tecnologia LTDA
  • The risk management policy and its operational application are regularly reviewed
  • Non-compliance is reported to appropriate company officers and authorities

Practical application of risk management

Straloo Tecnologia LTDA has adopted a standard format for use in the identification of risks, their classification, and evaluation.

The format is based on the following NIST and ISO standards and frameworks:

  • ISO 27005
  • NIST 800-30
  • NIST 800-37

Risks are assessed and ranked according to their impact and their likelihood of occurrence. A formal Risk Assessment and network penetration tests will be performed at least annually and shall take into consideration the results of any technical vulnerability management activities performed in accordance with the Operations Security Policy.

Risk categories

Straloo Tecnologia LTDA will consider and assess risks across the organization. Risk categories that are considered for evaluation include:

  • Access control
  • Artificial intelligence
  • Asset management
  • Business continuity and disaster recovery
  • Communications security
  • Compliance
  • Cryptography
  • Environmental, social, and governance
  • Fraud
  • Incident response management
  • Information security operations
  • Information security policies
  • Operations security
  • People operations
  • Physical and environmental security
  • Privacy
  • Software development and acquisition
  • Trustworthiness
  • Vendor relationships

Each risk will be assessed as to its Likelihood and Impact.

Likelihood can range from 1 ("Very unlikely") to 5 ("Very likely").

Impact can range from 1 ("Very low impact") to 5 ("Very high impact").

Risk criteria

The criterion for determining risk is the combined likelihood and impact of an event adversely affecting the confidentiality, availability, integrity, or privacy of organizational and customer information, personally identifiable information (PII), or business information systems.

For all risk inputs such as risk assessments, vulnerability scans, penetration tests, bug bounty programs, etc., Straloo Tecnologia LTDA management shall reserve the right to modify risk rankings based on its assessment of the nature and criticality of the system processing, as well as the nature, criticality and exploitability (or other relevant factors and considerations) of the identified vulnerability.

Risk response, treatment, and tracking

Risks will be recorded and maintained in a risk register, where they will be prioritized and mapped using the approach contained in this policy.

The following responses to risk should be employed:

  • Mitigate: Straloo Tecnologia LTDA may take actions or employ strategies to reduce the risk.
  • Accept: Straloo Tecnologia LTDA may decide to accept and monitor the risk at the present time. This may be necessary for some risks that arise from external events.
  • Transfer: Straloo Tecnologia LTDA may decide to pass the risk on to another party. For example, contractual terms may be agreed to ensure that the risk is not borne by Straloo Tecnologia LTDA, or insurance may be appropriate for protection against financial loss.
  • Avoid: the risk may be such that Straloo Tecnologia LTDA could decide to cease the activity or to change it in such a way as to end the risk.

Where Straloo Tecnologia LTDA chooses a risk response other than "Accept" or "Avoid" it shall develop a Risk Treatment Plan.

Risk management procedures

The procedure for managing risk will meet the following criteria:

  1. Straloo Tecnologia LTDA will maintain a Risk Register and Treatment Plan.
  2. Risks are ranked by 'likelihood' and 'severity/impact' as critical, high, medium, low, and negligible.
  3. Overall risk shall be determined through a combination of likelihood and impact.
  4. Risks may be evaluated to estimate potential monetary loss where possible.
  5. Straloo Tecnologia LTDA will respond to risks in a prioritized fashion. Remediation priority will consider the risk likelihood and impact, cost, work effort, and availability of resources. Multiple remediations may be undertaken simultaneously.
  6. Regular reports will be made to the senior leadership of Straloo Tecnologia LTDA to ensure risks are being mitigated appropriately, and in accordance with business priorities and objectives.

Information security in project management

Straloo Tecnologia LTDA shall consider information security risk as a part of all projects that are technical in nature or which can pose a risk to the company, regardless of size, duration, or domain.

From initial planning through completion of a project, appropriate assessment and mitigation of information security risks is essential, involving: initial information security risk assessments, early identification and addressing of information security requirements, and ongoing assessment and management of risks, especially concerning internal and external project communications.

Roles and responsibilities

The following table outlines the specific risk management activities and responsibilities associated with each role.

Role                     | Responsibility
President/CEO            | Ultimately responsible for the acceptance and/or treatment of any risks to the organization.
Chief Technology Officer | Can approve the avoidance, remediation, transference, or acceptance of any risk cited in the Risk Register.

Version history

Version | Date        | Description | Author         | Approver
1.0     | Nov 8, 2024 | Version 1.0 | Daniel Peixoto | Daniel Peixoto

Appendix A — Risk assessment process

The following is a high-level overview of the process used by Straloo Tecnologia LTDA to assess and manage information security related risks.

The process discussed below is based on NIST 800-30 and provides guidance to Straloo Tecnologia LTDA on how to:

  • Prepare and conduct an effective risk assessment.
  • Communicate and share the assessment results and risk-related information.
  • Manage and maintain risks on an ongoing basis.

The risk assessment process consists of the following steps:

  1. Prepare for the assessment
  2. Conduct the assessment
  3. Communicate the assessment
  4. Maintain the assessment

Step 1: Prepare for the Assessment

In this step, the objective is to establish context for the risk assessment. This can be accomplished by performing the following:

  • Identify the purpose of the assessment — determine the information that the assessment is intended to produce and the decisions the assessment is intended to support.
  • Identify the scope of the assessment — determine the organizational function or process that is applicable, the associated time frame and any applicable architectural or technological considerations.
  • Identify any assumptions or constraints associated with the assessment — determine assumptions in key areas relevant to the risk assessment including: organizational priorities, business objectives, resource availability, skills and expertise of risk assessment team.
  • Identify sources of information — architectural/technological diagrams and system configurations, legal and regulatory requirements, threat sources, threat events, vulnerabilities and influencing conditions, potential impacts, existing controls.

Step 2: Conduct the Assessment

In this step, the objective is to produce a list of information security related risks that can be prioritized by risk level and used to inform risk response decisions. This can be accomplished by performing the following:

  • Identify Threat Sources — determine and characterize threat sources relevant to and of concern to Straloo Tecnologia LTDA, including but not limited to: human (intentional or unintentional/internal or external), environmental, natural, system or equipment.
  • Identify Threat Events — determine what threat events could be produced by the identified threat sources that have potential to impact Straloo Tecnologia LTDA. Consider the relevance of the events and the sources that could initiate the events.
  • Identify Vulnerabilities — determine the vulnerabilities associated with people, processes and/or technologies that could be exploited by the identified threat sources and threat events. Consider any influencing conditions that could affect and aid in successful exploitation.
  • Determine Likelihood — determine the likelihood that the identified threat sources would initiate the identified threat events and could successfully exploit any identified vulnerabilities.
  • Determine Impact — determine the impact to Straloo Tecnologia LTDA's business objectives, operations, assets, individuals, customers, and/or other organizations.
  • Determine Risk — determine the overall information security related risks to Straloo Tecnologia LTDA by combining the likelihood of the event occurring and the impact that would result from the event.

Step 3: Communicate and Share the Risk Assessment Results

In this step, the objective is to ensure that decision makers across Straloo Tecnologia LTDA and executive leadership have the appropriate risk-related information needed to inform and guide risk decisions.

Step 4: Maintain the Assessment

In this step, the objective is to keep current the specific knowledge related to the risks that Straloo Tecnologia LTDA incurs. The results of the assessments inform and drive risk-based decisions and guide ongoing risk response efforts.

Appendix B — Risk assessment matrix and description key

Each risk will be assessed as to its Likelihood and Impact.

Likelihood can range from 1 ("Very unlikely") to 5 ("Very likely").

Impact can range from 1 ("Very low impact") to 5 ("Very high impact").

Risk matrix:

Impact \ Likelihood | Very unlikely: 1 | Unlikely: 2 | Somewhat likely: 3 | Likely: 4 | Very likely: 5
Very high impact: 5 | 5                | 10          | 15                 | 20        | 25
High impact: 4      | 4                | 8           | 12                 | 16        | 20
Medium impact: 3    | 3                | 6           | 9                  | 12        | 15
Low impact: 2       | 2                | 4           | 6                  | 8         | 10
Very low impact: 1  | 1                | 2           | 3                  | 4         | 5

Risk level descriptions:

Risk level     | Description
Low (1–4)      | A threat event could be expected to have a limited adverse effect on organizational operations, mission capabilities, assets, individuals, customers, or other organizations.
Medium (5–14)  | A threat event could be expected to have a serious adverse effect on organizational operations, mission capabilities, assets, individuals, customers, or other organizations.
High (15–25)   | A threat event could be expected to have a severe adverse effect on organizational operations, mission capabilities, assets, individuals, customers, or other organizations.

Impact descriptions:

Impact               | Description | Score
Very low impact (1)  | A threat event could be expected to have almost no adverse effect on organizational operations, mission capabilities, assets, individuals, customers, or other organizations. | 1
Low impact (2)       | A threat event could be expected to have a limited adverse effect, meaning: degradation of mission capability yet primary functions can still be performed; minor damage; minor financial loss; or range of effects is limited to some cyber resources but no critical resources. | 2
Medium impact (3)    | A threat event could be expected to have a serious adverse effect, meaning: significant degradation of mission capability yet primary functions can still be performed at a reduced capacity; minor damage; minor financial loss; or range of effects is significant to some cyber resources and some critical resources. | 3
High impact (4)      | A threat event could be expected to have a severe or catastrophic adverse effect, meaning: severe degradation or loss of mission capability and one or more primary functions cannot be performed; major damage; major financial loss; or range of effects is extensive to most cyber resources and most critical resources. | 4
Very high impact (5) | A threat event could be expected to have multiple severe or catastrophic adverse effects on organizational operations, assets, individuals, or other organizations. Range of effects is sweeping, involving almost all cyber resources. | 5

Likelihood descriptions:

Likelihood          | Description | Score
Very unlikely (1)   | A threat event is so unlikely that it can be assumed that its occurrence may not be experienced. A threat source is not motivated or has no capability, or controls are in place to prevent or significantly impede the vulnerability from being exploited. | 1
Unlikely (2)        | A threat event is unlikely, but there is a slight possibility that its occurrence may be experienced. A threat source lacks sufficient motivation or capability, or controls are in place to prevent or impede the vulnerability from being exploited. | 2
Somewhat likely (3) | A threat event is likely, and it can be assumed that its occurrence may be experienced. A threat source is motivated or poses the capability, but controls are in place that may significantly reduce or impede the successful exploitation of the vulnerability. | 3
Likely (4)          | A threat event is likely, and it can be assumed that its occurrence will be experienced. A threat source is highly motivated or poses sufficient capability and resources, but some controls are in place that may reduce or impede the successful exploitation of the vulnerability. | 4
Very likely (5)     | A threat event is highly likely, and it can be assumed that its occurrence will be experienced. A threat source is highly motivated or poses sufficient capability or resources, but no controls are in place or controls that are in place are ineffective and do not prevent or impede the successful exploitation of the vulnerability. | 5