The purpose of this policy is to define the methodology for the assessment and treatment of information security risks within Helpwise, and to define the acceptable level of risk as set by Helpwise’s leadership. Risk assessment and risk treatment are applied to the entire scope of Helpwise’s information security program, and to all assets which are used within Helpwise or which could have an impact on information security within it. This policy applies to all employees of Helpwise who take part in risk assessment and risk treatment.
A key element of Helpwise’s information security program is a holistic and systematic approach to risk management. This policy defines the requirements and processes for Helpwise to identify information security risks. The process consists of four parts: identification of Helpwise’s assets, as well as the threats and vulnerabilities that apply; assessment of the likelihood and consequence (risk) of the threats and vulnerabilities being realized, identification of treatment for each unacceptable risk, and evaluation of the residual risk after treatment.
The Risk Assessment Table and Risk Treatment Table must be updated when newly identified risks are identified. At a minimum, this update and review shall be conducted once per year. It is highly recommended that the Risk Assessment and Risk Treatment Table be updated when significant changes occur to Helpwise, technology, business objectives, or business environment.
The results of risk assessment and risk treatment, and all subsequent reviews, shall be documented in a Risk Assessment Report.
|Consequence Level||Consequence Score||Description|
|Low||0||Loss of confidentiality, integrity, or availability will not affect the organization’s cash flow, legal, or contractual obligations, or reputation.|
|Moderate||1||Loss of confidentiality, integrity, or availability may incur financial cost and has low or moderate impact on the organization’s legal or contractual obligations and/or reputation.|
|High||2||Loss of confidentiality, integrity, or availability will have immediate and or/considerable impact on the organization’s cash flow, operations, legal and contractual obligations,and/ or reputation.|
Table 1: Description of Consequence Levels and Criteria
|Likelihood Level||Likelihood Score||Description|
|Low||0||Either existing security controls are strong and have so far provided an adequate level of protection, or the probability of the risk being realized is extremely low. No new incidents are expected in the future.|
|Moderate||1||Either existing security controls have most provided an adequate level of protection or the probability of the risk being realized is moderate. Some minor incidents may have occurred. New incidents are possible, but not highly likely.|
|High||2||Either existing security controls are not in place or ineffective; there is a high probability of the risk being realized. Incidents have a high likelihood of occurring in the future.|
Table 2: Description of Likelihood Levels and Criteria
Last updated: 2nd November 2021