Information Security Risk Management Policy

PREPARED BY

Information Security Team

uExcelerate

*Updated - 1st Sep 2024

Content

  • Summary

  • Overview

  • Information Security Risk Management Framework

  • Required Process Areas

  • Risk Governance

  • Risk Scope

  • Risk Categories and Control Mappings

  • Risk Impact

  • Risk Likelihood

  • Risk Rating

  • Risk Identification Process

  • Risk Analysis

  • Risk Evaluation

  • Risk Treatment

  • Definitions

SUMMARY

This document deals with the risk management policy of uExcelerate. The objective of this policy is to clearly define the required processes and controls needed to effectively identify, analyze, report, and manage information risks related to assets and information of uExcelerate and the services offered by uExcelerate.

uExcelerate has approved the introduction and embedding of risk management into the key controls and approval processes of all major activities and functions of the organization and the services it offers.

Risk is inherent in all organizational activities, and every member of the organization continuously manages risk. uExcelerate recognizes that the aim of risk management is not to eliminate risk totally but rather to provide the structural means to identify, prioritize, and manage the risks involved in all organizational activities. It requires a balance between the cost of managing and treating risks and the anticipated benefits that will be derived.

uExcelerate acknowledges that risk management is an essential element in the framework of an organization. When handling critical and confidential data at scale, uExcelerate believes risk must be mitigated at every stage, from development right through to deployment and support. In all such stages, uExcelerate strives hard to keep the data of its clients in the most secure manner possible. Though no organisation is exempt from risk, uExcelerate believes in regular monitoring and risk analysis to prevent breaches at the root itself.

1. Overview

This standard covers all information resources including systems, data, and services. This standard is applicable to all uExcelerate employees, staff and affiliates.

2. Information Security Risk Management Framework

2.1 uExcelerate will utilize an information security risk management framework to define the method and logical interrelation of risk management activities.

The uExcelerate Information Security Risk Management Framework is guided by the ISO 27005:2011 standard (Information technology - Security techniques - Information security risk management).

3. Required Process Areas

The information risk management methods and processes are divided into five required process areas:

S.No | Risk Process Area | Description | Conducted By
-----|-------------------|-------------|-------------
3.1 | Risk Identification | These processes are intended to help identify all risks that are relevant to the organisation’s information assets. | InfoSec Team Lead
3.2 | Risk Analysis | These processes are intended to establish the overall level of risk based on a determination of scope, impact, and likelihood. | InfoSec Team Lead
3.3 | Risk Evaluation | These processes are intended to help determine if existing risk criteria are sufficient to determine a treatment option. | InfoSec Team Lead
3.4 | Risk Treatment | These processes and steps are intended to have risk treatment options selected by the appropriate parties. | InfoSec Team Lead
3.5 | Risk Monitoring | These processes and steps are intended to ensure that risk treatment options are validated for important risks on a periodic basis. | InfoSec Support Team

4. Risk Governance

All risks identified as relevant to uExcelerate information assets will be managed by the Risk Analysis team, and the InfoSec team will be brought into the loop as necessary.

To effectively manage these risks, the following roles and responsibilities have been established and agreed upon.

The CEO - The CEO has authority and responsibility for annually reviewing and approving the uExcelerate IT Risk Assessment and treatment plan related to those areas that present the highest degree of risk.

The CTO’s Core Team - The CTO Core Team has authority and responsibility for overseeing processes needed to establish risk tolerance and selection of treatment options for extreme and serious risks that may be uncovered throughout the year.

InfoSec Team - The InfoSec team is the guardian of customer trust. Infosec collaborates with uExcelerate engineering to protect data at uExcelerate.

Project Lead - The Project Lead is required to analyse and follow the security risk management standards for each of the applications and products developed under his/her supervision.

Information Security Advisory Council - The uExcelerate Information Security Advisory Council is responsible for periodically reviewing and providing advice and recommendations concerning uExcelerate information security risks.

Information Security Incident Response Team - The Information Security Incident Response Team has the authority and responsibility to review incident information and threat intelligence to help evaluate risks pertaining to technical IT defences, data security and related processes.

5. Risk Scope

Information risks will be scoped according to their applicability and origin. The scoping of information risk utilizes three tiers to differentiate risks and identify risk treatment responsibilities.

Client Service Information Risks - These risks are raised when a risk is identified to the data or deployment stack of clients, or to the services offered by uExcelerate to its clients.

Enterprise Information Risks - Enterprise risks are issues that are derived from a shared policy/compliance state, common organizational behaviour, or central control deficiency that impacts a large number of uExcelerate units. These risks are often inherited due to their nature.

Unit Level Information Risks - Unit level risks are issues that are derived from a behaviour, business practice, or control deficiency that is relevant to a single unit.

6. Risk Categories and Control Mappings

Risks will be categorized based on the eleven ISO 27005:2011 information security standard control categories to allow for correlation between risks and gap analysis reviews, and for comparison with various IT security standards and risk frameworks (COBIT, NIST, PCI DSS).

The risk categories will include:

  • Organizational / Management Risks

  • Human Resource Risks

  • Asset Management Risks

  • Access Control Risks

  • Cryptography Risks

  • Physical and Environmental Risks

  • Operational Risks

  • Communications Risks

  • System Acquisition, Development, and Maintenance Risks

  • Supplier Relationship Risks

  • Information Security Incident Management Risks

  • Business Continuity Management Risks

7. Risk Impact

Risk impact levels are established based on both quantitative (financial) and qualitative factors, as listed below:

Impact Level | Description
-------------|------------
Critical | Critical impact information risks represent dire threats to uExcelerate’s mission, including the sustainment of essential services, the solvency of the organisation’s financial position, and the safety and wellbeing of the uExcelerate community.
High | High impact information risks represent the potential for serious fiscal and reputational harm to the organisation, its immediate clients, and the services offered by uExcelerate.
Medium | Medium impact information risks represent the potential for moderate fiscal and reputational harm to the organisation, or to the security of the data and information of the organisation and its client services.
Low | Low impact information risks represent the potential for minor fiscal and reputational harm to the organisation.

8. Risk Likelihood

The risk likelihood represents the estimation of how likely a risk is to be identified within a given year. The following levels are utilized to differentiate varying degrees of probability.

Risk Likelihood | Annualised Rate of Occurrence | Description
----------------|-------------------------------|------------
Certain | 75% - 100% | Risks with a “Certain” likelihood have a very high chance of being realized each year.
Probable | 30% - 75% | Risks with a “Probable” likelihood have a fair chance of being realized every year.
Occasional | 5% - 30% | Risks with an “Occasional” likelihood have a modest chance of being realized every year.
Rare | >0% - 5% | Risks with a “Rare” likelihood have a small chance of being realized each year.

9. Risk Rating

Risk ratings will be calculated using the impact and likelihood assessments in order to classify and prioritize the risks that present the greatest dangers to the institution. Rows give the likelihood, columns the impact:

Likelihood \ Impact | Critical   | High       | Medium     | Low
--------------------|------------|------------|------------|-----------
Certain             | Severity 1 | Severity 2 | Severity 3 | Severity 4
Probable            | Severity 1 | Severity 2 | Severity 3 | Severity 4
Occasional          | Severity 2 | Severity 3 | Severity 4 | Severity 5
Rare                | Severity 3 | Severity 4 | Severity 5 | Severity 5

Risk Rating | Description | Designated Risk Owner | Time Frame to Report
------------|-------------|-----------------------|---------------------
Severity 1 | Severity 1 is the highest form of risk identified; it makes a Critical impact as defined in section 7. | CEO, CTO core team, Oncall | Within 30 mins of identification
Severity 2 | A Severity 2 risk makes an impact that is High, or Critical in some cases. | CTO core team, Oncall | Within 1 hour of identification
Severity 3 | A Severity 3 risk makes a Medium impact. | Information Security Team Lead | Within 24 hours
Severity 4 | A Severity 4 risk makes a Low impact. | Information Security Team Lead | Within 48 hours
Severity 5 | A Severity 5 risk makes a Low impact. | Information Security Support Team Lead | Within 7 working days

10. Risk Identification Process

Risk Identification processes will be followed to determine the existence of potential risks that may require further analysis.

The following processes will be conducted to support this process area:

uExcelerate Composite IT Risk Assessment (Frequency: Annual; Scope: Enterprise Level) - An overall risk assessment and treatment plan will be developed by the Information Security team in collaboration with the Information Security Advisory Board on an annual basis. It includes a high-level view of the most significant risks uncovered throughout the year by the identification processes, as well as recommended risk treatment strategies and plans. The risk assessment and treatment plan will be collaboratively reviewed by the Information Security Advisory Team and the CTO’s core team to ensure that identified risks align with broad organisation risk perceptions and that treatment recommendations are evaluated for effectiveness and cost. This annual assessment is reported to the CEO and the CTO’s core team. The CEO and the CTO’s core team must review, sign and approve this assessment on an annual basis.

ISO 27005 Gap, Maturity, and Risk Assessment (Frequency: Bi-Annual; Scope: Enterprise Level) - The Information Security Team will bi-annually review the ISO 27002 control areas to determine any areas that may be missing or underdeveloped. These control areas will be analyzed and prioritized based on the maturity level of controls and the related levels of risk associated with each control area. The top control areas with high risk and/or low maturity will be conveyed to the Information Security Advisory Council to ensure that risk areas are reviewed and also reflect the broader view of risk held by representatives. This gap assessment will be used to determine risk review areas that may warrant more attention due to variance in control levels.

Threat Review (Frequency: Annual; Scope: System Level) - The uExcelerate Information Security Incident Response team will at least annually review emerging technical threats in relation to the performance of existing IT defences against evolving attack trends/patterns and the tools, tactics and procedures (TTPs) of common threat actors.

Vulnerability Scanning (Frequency: At least once a Month; Scope: System Level) - The Information Security team has the authority and responsibility to conduct vulnerability scans, at least once each month, of all networked information systems, architectures, threat models, request and response calls, authenticated users and access lists, the architectures of all products and services, internet-facing servers and systems that store, process, or transmit confidential information, and databases and data stores. Exemptions from these scans must be requested and reviewed. The Information Security Team Lead must approve exemption requests. Vulnerability scanning windows will be established to minimize potential conflicts with routine system operations or maintenance.

Confidential / Highly Confidential / Critical / Restricted Data Discovery and Loss Prevention (Frequency: Daily/Monthly; Scope: Unit + System Level) - The Information Security Team has the authority and responsibility to scan for the presence of all such data in order to identify risks related to it on systems that may have potential for system compromise or accidental disclosure. The team also has the responsibility to identify and classify any new category of data that has not yet been classified. It also scans the service and request/response calls, both internal and external facing, to verify that all calls handling RED data have been identified, certified and approved by the InfoSec team.

System Security Testing (Frequency: As Needed; Scope: System Level) - The Information Security team has the sole authority and responsibility to conduct directed security tests that simulate attacks against uExcelerate systems to determine their resiliency. This authority to test represents an exemption to the relevant organisation standard computer and network usage policies so long as the requirements below are met.

  • Security tests must be approved or requested by system owners. These approvals will be documented in a security testing approval form.

  • Security tests must be coordinated with relevant system and application administrators to differentiate testing from actual attacks and to minimize potential conflicts with routine system operations.

Post-Incident Analysis (Frequency: As Needed; Scope: All Scoping Levels) - As part of the organisation’s Information Security Incident Response plan, the Information Security team will conduct post-incident analysis of security issues to determine their root cause and any associated risks that may need to be reviewed.

IT Procurement and Provider Review (Frequency: As Needed; Scope: All Scoping Levels) - The Information Security team has the authority and responsibility to review any IT-related services or software that may reasonably have the potential to introduce significant information risks. New or proposed IT solutions and providers that manage, store, transmit or process uExcelerate’s confidential data must always undergo a review.

If significant risks are uncovered during the review process, then a risk mitigation/treatment review must be conducted by the appropriate risk owner prior to any decision.

11. Risk Analysis

The goal of risk analysis processes is to ensure that identified risks are consistently evaluated and scored in a common fashion. All identified risks must undergo the following steps:

Risk Scoping Analysis - Each risk must be assessed as either an enterprise level risk (see 5.1), a unit level risk (see 5.3), or a system level risk (see 5.2) in order to determine whether the risk is inherited from a central issue, system, or concern, or whether it is singular to a particular unit, team or system.

Risk Impact Analysis - Each risk will be assigned an impact level associated with the realization of a risk that must be calculated qualitatively and optionally may also be measured via quantitative estimation. Risk impact assignment must be done in concert with any key stakeholders or subject matter experts who have an understanding of business processes or adverse events associated with particular types of risks.

Risk Likelihood Analysis - Each risk must be assigned a likelihood value associated with the estimated potential for the risk to be realized in the course of a year (annualized rate of occurrence). Risk likelihood assignment must be done in concert with any relevant key stakeholders or subject matter experts who have an in-depth understanding of the threats that may lead to realization of the risk.

12. Risk Evaluation

The goal of the risk evaluation phase is to determine if legal, contractual, or policy requirements mandate certain treatment options related to identified risks.

Legal and Compliance Review - Identified risks will be reviewed by the Information Security team in consultation with the CTO’s core team to determine their relevance to any existing organisational contractual or legal requirements. If such obligations exist, then the terms of the agreement will be conveyed to the risk owner for awareness.

13. Risk Treatment

The objective of risk treatment processes is to ensure that all risks are managed by an appropriate individual or group in an informed manner and that risk treatment decisions are executed.

Risk Treatment Plans - All Severity 1-5 risks must undergo review and have a plan established for how the risk is to be treated. In some instances, risk treatment plans may include a combination of options. It is important to note that acceptance of risk is an acceptable plan when approved by the risk owners.

Risk Treatment Option | Description
----------------------|------------
Accept | If the risk rating is determined to be acceptable based on the cost of realizing the risk or addressing it, then the decision can be made by the risk owners (as described in the table below) to accept the risk and not take additional actions.
Reduce | If the risk rating is determined to be undesirable, then control measures can be implemented to lower the likelihood and/or impact of the risk.
Transfer/Sharing | If the risk rating is determined to be undesirable, then the risk may be evaluated for transferring or sharing components of this risk with a third party (for example, cyber security insurance).
Avoid | If the risk rating is determined to be unacceptable in comparison to the cost of realizing the risk, addressing the risk, or the overall value of the process, service, or area, then the decision can be made by the CTO core team to discontinue the activity that originates the risk.

If an identified risk is of Severity 1 or 2, the root cause investigation has to be carried out by the team in whose unit the risk was identified.

Following identification, a COE (Correction of Error) may have to be submitted by the team lead if the Information Security Team requires it.

For risk treatment, the risk owners and the time frame to report are as follows:

Risk Rating | Risk Owner | Time Frame to Report
------------|------------|---------------------
Severity 1 | CEO, CTO core team, Oncall | As soon as possible
Severity 2 | CTO core team, Oncall | As soon as possible
Severity 3 | Information Security Team | Within 24 hours
Severity 4 | Information Security Team | Within 48 hours
Severity 5 | Information Security Support Team | Within 7 working days

14. Definitions

Risk - In the context of Information Security, risk is the exposure to a potential reduction of the Confidentiality, Integrity, and Availability of information assets such as information systems, data, user credentials, and other computing resources.

Risk Owner - In the context of this standard, the risk owner is the group or role within the organisation that has the authority and accountability for selection of the appropriate risk treatment.

Risk Assessment - The overall process of risk identification, risk analysis and risk evaluation.

Risk Impacts - Adverse outcomes that result when risks are realized.

Risk Rating - The magnitude of a risk, expressed as the combination of its impact potential and its likelihood.

Risk Management - The coordination of activities to direct and control an organization with regard to risk.

Correction of Error (COE) - The report to be submitted by the team lead of the unit where a Severity 1 or 2 risk was identified.

RED Data - The data handled by uExcelerate and all its services that is critical and highly confidential. For further elaboration on data classification at uExcelerate, refer to the Data Classification Policy in the Information Security Policy Handbook.
