Risk Assessment Policy

Breakout Learning Inc


Purpose

The purpose of this policy is to define the methodology for the assessment and treatment of information security risks within Breakout Learning Inc, and to define the acceptable level of risk as set by Breakout Learning Inc’s leadership.


Scope

Risk assessment and risk treatment are applied to the entire scope of Breakout Learning Inc’s information security program and to all assets that could impact information security. This policy applies to all employees of Breakout Learning Inc involved in risk assessment and treatment.


Background

Breakout Learning Inc adopts a holistic and systematic approach to risk management. This policy outlines the requirements for identifying and managing information security risks through asset identification, threat and vulnerability assessment, risk treatment, and residual risk evaluation.


Policy

Risk Assessment

The risk assessment process includes identifying threats and vulnerabilities for each asset. The following steps are essential:

  1. Asset Identification: Identify all assets that could impact the confidentiality, integrity, and availability of Breakout Learning Inc’s information.
  2. Threats & Vulnerabilities: Identify threats and vulnerabilities for each asset.
  3. Risk Evaluation: Score each risk by assessing its impact and likelihood, then multiplying the impact score by the likelihood score.
  4. Risk Rating: Use the risk score matrix to classify risks as Low, Medium, High, or Critical.

Risk Rating Criteria

Impact Level     Definition
Incidental (1)   Minimal loss/damage
Minor (2)        Minor financial loss
Moderate (3)     Moderate financial loss
Major (4)        Significant financial loss
Extreme (5)      Massive financial loss

Likelihood     Description
Rare (1)       <10% chance of occurrence
Unlikely (2)   10%-35% chance of occurrence
Possible (3)   35%-65% chance of occurrence
Likely (4)     65%-90% chance of occurrence
Certain (5)    >90% chance of occurrence

Risk Score Matrix


                  IMPACT
LIKELIHOOD        INCIDENTAL (1)   MINOR (2)   MODERATE (3)   MAJOR (4)
CERTAIN (5)       MEDIUM           HIGH        HIGH           CRITICAL
LIKELY (4)        LOW              MEDIUM      HIGH           HIGH
POSSIBLE (3)      LOW              MEDIUM      MEDIUM         HIGH
UNLIKELY (2)      LOW              LOW         MEDIUM         MEDIUM


Risk Remediation and Treatment

Breakout Learning Inc will take one of the following actions for all identified risks:

  • Implement security controls.
  • Transfer the risk (e.g., through insurance).
  • Avoid the risk (e.g., by discontinuing the risky activity).
  • Accept the risk (only if the cost of mitigation exceeds the potential impact).

Risk Appetite

Breakout Learning Inc has defined its risk appetite for each risk category. The organization will accept residual risk only when the available risk treatment options do not outweigh the potential impact.


APPENDIX A: Threat Assessment Plan

Breakout Learning Inc collects and analyzes information about existing or potential threats to prevent harm to the organization through informed actions.

Threat Assessment Process

  1. Identify Threats: Breakout Learning Inc will identify potential internal and external threats that could impact the organization’s operations or information assets.
  2. Collect Information: Information on threats will be collected from various sources, including security audits, threat intelligence feeds, reports from employees, and industry resources.
  3. Process Information: Information will be analyzed to determine the likelihood of each threat and its potential impact on the organization.
  4. Risk Communication: The results of the threat assessment will be shared with relevant stakeholders within the company, including leadership and the security team, to inform decision-making.
  5. Action: Based on the threat assessment, mitigation strategies will be implemented to reduce the risks identified.

The threat assessment will be reviewed and updated annually or whenever significant changes occur in the risk landscape.


APPENDIX B: Plan of Action and Milestones (POA&M)

The Plan of Action and Milestones (POA&M) will serve as a structured plan to track remediation actions for identified deficiencies, vulnerabilities, or gaps within Breakout Learning Inc’s information security program.

POA&M Structure

  1. Milestones: Key steps to mitigate identified risks or vulnerabilities.
  2. Responsible Entities: Assign individuals or teams responsible for each action item.
  3. Resource Estimates: Calculate required resources (budget, personnel, tools) for each action.
  4. Creation Date: Log the date each milestone is created.
  5. Deficiency Details: Document the name, description, and source of the identified deficiency.
  6. Severity Level: Assign a severity level (Low, Moderate, High) based on the risk score.
  7. Completion Date: Establish and track the scheduled and actual completion dates for each milestone.
  8. Status: Monitor the status of each action (e.g., Ongoing or Complete).

POA&M Worksheet Example

ID   Milestone   Responsible Entity   Resource Estimate   Creation Date   Deficiency   Severity Level   Scheduled Completion   Actual Completion   Status


Regular Reviews

The Risk Assessment Report will be updated at least annually or when new risks are identified. All findings will be documented in a report and reviewed by Breakout Learning Inc leadership.


Revision History

Version   Date         Editor                Approver              Description of Changes
1.1       2024/10/01   Nikita Rogatnev       Joshua Oster-Morris   Standardized role titles across all relevant policies, replacing previous variations
1.0       2024/01/01   Joshua Oster-Morris   Jake Shepherd         Initial version