Risk Assessment Policy
Breakout Learning Inc
Purpose
The purpose of this policy is to define the methodology for the assessment and treatment of information security risks within Breakout Learning Inc, and to define the acceptable level of risk as set by Breakout Learning Inc’s leadership.
Scope
Risk assessment and risk treatment are applied to the entire scope of Breakout Learning Inc’s information security program and to all assets that could impact information security. This policy applies to all employees of Breakout Learning Inc involved in risk assessment and treatment.
Background
Breakout Learning Inc adopts a holistic and systematic approach to risk management. This policy outlines the requirements for identifying and managing information security risks through asset identification, threat and vulnerability assessment, risk treatment, and residual risk evaluation.
Policy
Risk Assessment
The risk assessment process includes identifying threats and vulnerabilities for each asset. The following steps are essential:
- Asset Identification: Identify all assets that could impact the confidentiality, integrity, and availability of Breakout Learning Inc’s information.
- Threats & Vulnerabilities: Identify threats and vulnerabilities for each asset.
- Risk Evaluation: Score each risk by multiplying its impact score by its likelihood score.
- Risk Rating: Use the risk score matrix to classify risks as Low, Medium, High, or Critical.
Risk Rating Criteria
| Impact Level | Definition |
|---|---|
| Incidental (1) | Minimal loss/damage |
| Minor (2) | Minor financial loss |
| Moderate (3) | Moderate financial loss |
| Major (4) | Significant financial loss |
| Extreme (5) | Massive financial loss |
| Likelihood | Description |
|---|---|
| Rare (1) | <10% chance of occurrence |
| Unlikely (2) | 10%-35% chance of occurrence |
| Possible (3) | 35%-65% chance of occurrence |
| Likely (4) | 65%-90% chance of occurrence |
| Certain (5) | >90% chance of occurrence |
Risk Score Matrix
Rows give the likelihood rating; columns give the impact rating.

| LIKELIHOOD \ IMPACT | INCIDENTAL (1) | MINOR (2) | MODERATE (3) | MAJOR (4) |
|---|---|---|---|---|
| CERTAIN (5) | MEDIUM | HIGH | HIGH | CRITICAL |
| LIKELY (4) | LOW | MEDIUM | HIGH | HIGH |
| POSSIBLE (3) | LOW | MEDIUM | MEDIUM | HIGH |
| UNLIKELY (2) | LOW | LOW | MEDIUM | MEDIUM |
Risk Remediation and Treatment
Breakout Learning Inc will take one of the following actions for all identified risks:
- Implement security controls.
- Transfer the risk (e.g., through insurance).
- Avoid the risk (e.g., by discontinuing the risky activity).
- Accept the risk (only if the cost of mitigation exceeds the potential impact).
Risk Appetite
Breakout Learning Inc has defined its risk appetite for various risk categories. The organization will only accept residual risk when the risk treatment options do not outweigh the potential impact.
APPENDIX A: Threat Assessment Plan
Breakout Learning Inc collects and analyzes information about existing or potential threats to prevent harm to the organization through informed actions.
Threat Assessment Process
- Identify Threats: Breakout Learning Inc will identify potential internal and external threats that could impact the organization’s operations or information assets.
- Collect Information: Information on threats will be collected from various sources, including security audits, threat intelligence feeds, reports from employees, and industry resources.
- Process Information: Information will be analyzed to determine the likelihood of each threat and its potential impact on the organization.
- Risk Communication: The results of the threat assessment will be shared with relevant stakeholders within the company, including leadership and the security team, to inform decision-making.
- Action: Based on the threat assessment, mitigation strategies will be implemented to reduce the risks identified.
The threat assessment will be reviewed and updated annually or whenever significant changes occur in the risk landscape.
APPENDIX B: Plan of Action and Milestones (POA&M)
The Plan of Action and Milestones (POA&M) will serve as a structured plan to track remediation actions for identified deficiencies, vulnerabilities, or gaps within Breakout Learning Inc’s information security program.
POA&M Structure
- Milestones: Key steps to mitigate identified risks or vulnerabilities.
- Responsible Entities: Assign individuals or teams responsible for each action item.
- Resource Estimates: Calculate required resources (budget, personnel, tools) for each action.
- Creation Date: Log the date each milestone is created.
- Deficiency Details: Document the name, description, and source of the identified deficiency.
- Severity Level: Assign a severity level (Low, Moderate, High) based on the risk score.
- Completion Date: Establish and track the scheduled and actual completion dates for each milestone.
- Status: Monitor the status of each action (e.g., Ongoing or Complete).
POA&M Worksheet Example

| ID | Milestone | Responsible Entity | Resource Estimate | Creation Date | Deficiency | Severity Level | Scheduled Completion | Actual Completion | Status |
|---|---|---|---|---|---|---|---|---|---|
Regular Reviews
The Risk Assessment Report will be updated at least annually or when new risks are identified. All findings will be documented in a report and reviewed by Breakout Learning Inc leadership.
Revision History

| Version | Date | Editor | Approver | Description of Changes |
|---|---|---|---|---|
| 1.1 | 2024/10/01 | Nikita Rogatnev | Joshua Oster-Morris | Standardized role titles across all relevant policies, replacing previous variations |
| 1.0 | 2024/01/01 | Joshua Oster-Morris | Jake Shepherd | Initial version |