
Risk Assessment Policy

Version: 1.0
Effective Date: January 21, 2025
Last Updated: January 20, 2026
Status: Approved

1.0 OVERVIEW

NEO has an obligation to ensure appropriate security for all Information Technology data, equipment, and processes in its domain of ownership and control. This obligation is shared, to varying degrees, by every member of the organization.

AWS and its customers share control over the IT environment, so both parties have responsibility for managing it. AWS’ part in this shared responsibility includes providing its services on a highly secure and controlled platform and providing a wide array of security features customers can use. The customer’s (NEO’s) responsibility includes configuring its IT environment in a secure and controlled manner for its own purposes.

2.0 PURPOSE & BACKGROUND

The purpose of this document is to provide the framework for Risk Assessments of the organization’s data, network and systems, regardless of where the data resides. The Information Security team shall perform periodic Risk Assessments (RAs) for the purpose of identifying business and security threats, assessing the significance of those threats, prioritizing efforts to focus on high-risk threats, recommending resolution measures commensurate with the degree of perceived risk, and evaluating the status of mitigating control measures.

  1. The purpose of this policy is to define the methodology for the assessment and treatment of information security risks within the organization, and to define the acceptable level of risk as set by the organization’s leadership.
  2. Risk assessment and risk treatment are applied to the entire scope of the organization’s information security program, and to all assets which are used within the organization or which could have an impact on information security within it.
  3. This policy applies to all employees of the organization who take part in risk assessment and risk treatment.
  4. A key element of the organization’s information security program is a holistic and systematic approach to risk management. This policy defines the requirements and processes for the organization to identify information security risks. The process consists of four parts: identification of the organization’s assets, as well as the threats and vulnerabilities that apply to them; assessment of the likelihood and consequence (risk) of the threats and vulnerabilities being realized; identification of treatment for each unacceptable risk; and evaluation of the residual risk after treatment.

3.0 ELIGIBILITY

All officers, employees, contractors, consultants, external parties or any person doing work on behalf of the organization are subject to this and all Information Technology policies. All areas of electronic data, services, applications, hardware, and software are also subject to this and all Information Technology policies.

4.0 POLICY

Risk Assessments may be conducted on any business function or information system, including applications, servers, and networks, and any process or procedure by which these systems are administered and/or maintained. The assessments seek to identify security issues in the following general areas:

  • System Architecture
  • Access Control
  • Data Management
  • Logging and Monitoring
  • Audit, Legal, and Regulatory Compliance
  • Third Party Involvement (includes customers, vendors, and service providers)
  1. Risk Assessment
    1. The risk assessment process includes the identification of threats and vulnerabilities having to do with company assets.
    2. The first step in the risk assessment is to identify all assets within the scope of the information security program; in other words, all assets which may affect the confidentiality, integrity, and/or availability of information in the organization. Assets may include documents in paper or electronic form, applications, databases, information technology equipment, infrastructure, and external/outsourced services and processes. For each asset, an owner must be identified.
    3. The next step is to identify all threats and vulnerabilities associated with each asset. Threats and vulnerabilities must be listed in a risk assessment table. Each asset may be associated with multiple threats, and each threat may be associated with multiple vulnerabilities. A sample risk assessment table is provided as part of the Risk Assessment Report Template (reference (a)).
    4. For each risk, an owner must be identified. The risk owner and the asset owner may be the same individual.
    5. Once risk owners are identified, they must assess:
      1. Impact for each combination of threats and vulnerabilities for an individual asset if such a risk materializes:
        High
        Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human death or serious injury. The monetary value of such an event is 100k USD or more. Numerical value is 100.
        Medium
        Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human injury. The monetary value is between 10k and 100k USD. Numerical value is 50.
        Low
        Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect an organization’s mission, reputation, or interest. The monetary value is between 1k and 10k USD. Numerical value is 10.
      2. Likelihood of occurrence of such a risk (i.e. the probability that a threat will exploit the vulnerability of the respective asset):
        High
        The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective. Numerical value is 1.
        Medium
        The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability. Numerical value is 0.5.
        Low
        The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised. Numerical value is 0.1.
    6. The risk score is calculated according to this formula:
      • numerical value of likelihood * numerical value of impact.
      All possible values are in the table below (rows: likelihood; columns: impact):

      Likelihood / Impact     0     10     50    100
      0                       0      0      0      0
      0.1                     0      1      5     10
      0.5                     0      5     25     50
      1                       0     10     50    100
  2. Risk Acceptance Criteria
    1. Risk scores of 0 through 5 are considered to be acceptable risks.
    2. Risk scores of 5+ are considered to be unacceptable risks. Unacceptable risks must be treated.
    Each risk is also classified to identify whether it concerns the loss of confidentiality, integrity, or availability (CIA) of information within the scope of the information security management system.
  3. Risk Treatment
    1. Risk treatment is implemented through the Risk Treatment Table. All risks from the Risk Assessment Table must be copied to the Risk Treatment Table for disposition, along with treatment options and residual risk. A sample Risk Treatment Table is provided in reference (a).
    2. As part of this risk treatment process, the CEO and/or other company managers shall determine objectives for mitigating or treating risks. All unacceptable risks must be treated. For continuous improvement purposes, company managers may also opt to treat other risks for company assets, even if their risk score is deemed to be acceptable.
    3. Treatment options for risks include the following:
      1. Selection or development of security control(s).
      2. Transferring the risks to a third party; for example, by purchasing an insurance policy or signing a contract with suppliers or partners.
      3. Avoiding the risk by discontinuing the business activity that causes such risk.
      4. Accepting the risk; this option is permitted only if the selection of other risk treatment options would cost more than the potential impact of the risk being realized.
    After selecting a treatment option, the risk owner should estimate the new consequence and likelihood values after the planned controls are implemented.
  4. Regular Reviews of Risk Assessment and Risk Treatment
    1. The Risk Assessment Table and Risk Treatment Table must be updated when new risks are identified. At a minimum, this update and review shall be conducted annually. It is highly recommended that the Risk Assessment Table and Risk Treatment Table also be updated when significant changes occur to the organization, technology, business objectives, or business environment.
    2. All risks which still score above the acceptance threshold after the treatment option is applied are discussed at the quarterly Risk Assessment Review meeting. This meeting will include discussions on the progress of mitigating high-risk issues, exploring further risk treatment options, and making decisions on risk acceptance.
      1. These meetings ensure that risks are managed proactively and that all high-level risks are given adequate attention and resources by senior management.
      2. The minutes of these meetings should be recorded and include decisions on risk treatment and any updates to risk management strategies.
  5. Reporting
    The results of risk assessment and risk treatment, and all subsequent reviews, shall be documented in a Risk Assessment Report.

Assessment Tools
The tools used to perform a risk assessment can include, but are not limited to, the following:

  • Risk Assessment Questionnaire
  • Third-party vendor security questionnaire
  • Third-party cloud computing questionnaire
  • Static Application scans
  • Cloud Vendor Compliance Assessment
  • Independent third party reviews/audits
  • Meetings/interviews
  • On-site inspections
  • Technical vulnerability scans
  • Service Organization Control (SOC) review

5.0 ROLES & RESPONSIBILITIES

The Shortlist internal team is responsible for executing risk assessments and reporting risk.

  1. Martin Konrad – CEO
  2. Szymon Fraszczak – VP of Engineering

6.0 COMPLIANCE

Any employee, contractor, consultant, external party or any person doing work on behalf of the organization found to have violated any policy, standard or procedure may be subject to disciplinary action, up to and including termination of employment or contract. Violators of local, state, Federal, and/or international law may be reported to the appropriate law enforcement agency for civil and/or criminal prosecution.
