Risk Assessment Policy
This page describes Data Migrators’ policy on risk assessment.
- Overview
- Purpose
- Scope
- Policy
- Policy Compliance
- Exceptions
- Non-compliance
- Related Documents
- Definitions and Terms
Overview
See Purpose.
Purpose
To empower Infosec to perform periodic information security risk assessments (RAs) for the purpose of determining areas of vulnerability, and to initiate appropriate remediation.
Scope
Risk assessments can be conducted on any entity within Data Migrators or any outside entity that has signed a Third Party Agreement with Data Migrators. RAs can be conducted on any information system, to include applications, servers, and networks, and any process or procedure by which these systems are administered and/or maintained.
Policy
The execution, development and implementation of remediation programs is the joint responsibility of Infosec and the department responsible for the system area being assessed. Employees are expected to cooperate fully with any RA being conducted on systems for which they are held accountable. Employees are further expected to work with the Infosec Risk Assessment Team in the development of a remediation plan.
For additional information, go to the Risk Assessment Process.
Policy Compliance
Compliance Measurement
The Infosec team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.
Exceptions
Any exception to the policy must be approved by the Infosec team in advance.
Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Related Documents
Risk Assessment Process
Third Party Agreement
Definitions and Terms
None.