Scope
This policy covers any risk that could affect confidentiality, availability, and integrity of Datum’s key information assets and systems. Risk assessments can be conducted on any information system, to include applications, servers, and networks, and any process or procedure by which these systems are administered and/or maintained.
Risk assessment
The Security Team is responsible for completing periodic information security risk assessments for the purpose of determining areas of vulnerability, and to identify and initiate appropriate remediations. A risk register should include:
- Identification of the risk
- What mitigations have been put in place
- Acceptance of the residual risk
The execution, development and implementation of remediation programs is the responsibility of the Security Team. Employees are expected to cooperate fully with any risk assessment being conducted on systems for which they are held accountable. Employees are further expected to work with the Security Team in the development and implementation of a remediation plan.
Schedule
Risks are evaluated on an annual basis.