Information Security Risk Management Standard

Standard for managing the Corporate Group’s Risks that result from threats to confidentiality, integrity, and availability of the Information Systems and Assets.

Scope

The Standard applies to all Information Systems and Assets and their users within the EClaims Group, including Third parties.

General information

Risk Management consists of two processes:

  • Risk Assessment

  • Risk Treatment

The Risk Assessment process includes identifying, analyzing, and evaluating the Risks. The output of the Risk Assessment process is a Risk Register with a list of prioritized risks including threats, vulnerabilities, likelihood, business impact, and risk owners.

Risk Treatment is the process of selecting the actions for modifying the Risks and planning their implementation.

The output of the Risk Treatment process is a Treatment Plan with a list of selected treatment methods, treatment and control actions and their implementation dates.

The scope for the Risk Management processes includes the Information Systems and Mission Critical Information Assets listed in Information Systems & Assets.

The acceptable Risk level is Low Risk.

Initiation

The Information Security Team initiates Risk Management:

  • Once per year

  • If there are significant changes in the EClaims Group activities or new Risk factors.

Before starting the Risk Management process, the Information Security Team reviews the Standard and, if needed, makes changes.

The Information Security Team informs the Information System & Asset Owners about the initiated Risk Management process.

Risk Assessment Process

The Risk Assessment Process consists of three steps:

  • Identification

  • Analysis

  • Evaluation

The Information Security Team performs the Risk Assessment steps together with the Information System & Asset Owners.

During the identification step:

  • For each Information System and all Mission Critical Information Assets, relevant threats are selected from the Threat List in the Information Risk Register and registered in the Risk Register sheet’s Threat field. If there are threats to an Information System or Asset that are not in the Threat List, they must be registered in the Risk Register and added to the Threat List.

  • For each new threat a Risk Id is created in the Risk Register. The Risk Id is constructed from a year, an underscore, and a sequence number (e.g., 2022_1, 2022_2, etc.).

  • For each threat, relevant vulnerabilities are selected from the Vulnerabilities List in the Information Risk Register and added to the Risk Register’s Vulnerability field.

  • Based on the threats and vulnerabilities added or renewed in the Risk Register, a Risk scenario is described in the Risk Name field.

  • For new or updated Risk scenarios, all existing mitigating control measures are identified and described in the Risk Register’s Implemented Control Measures field.

During the analysis step:

  • The likelihood of the Risk scenario occurrence is evaluated and rated from 1 to 5 based on the Probability Value (see table below). The result is marked in the Likelihood field of the Risk Register.

  Rating | Likelihood  | Description                              | Probability Value
  -------|-------------|------------------------------------------|------------------
  1      | Rare        | Occurs in exceptional circumstances      | <5%
  2      | Unlikely    | Could occur at some time                 | 5% - 25%
  3      | Possible    | Might occur at some time                 | 26% - 49%
  4      | Likely      | Will probably occur in most situations   | 50% - 79%
  5      | Very Likely | Expected to occur in most situations     | >80%

  • The impact of the Risk scenario occurrence is evaluated and rated from 1 to 10 based on the Impact of occurrence (see table below). The result is marked in the Impact field of the Risk Register.

  Rating | Impact        | Cost of occurrence
  -------|---------------|-------------------
  1      | Insignificant | No cost
  2      | Minor         | Minor cost
  5      | Moderate      | Significant cost
  8      | Major         | Extensive cost
  10     | Catastrophic  | Huge cost

During the evaluation step:

  • The Risk level is calculated based on the formula Risk = Likelihood x Impact. Calculation is made automatically, and the result appears in the Risk Level field of the Risk Register.

  • Each Risk is scored from 1 to 50 based on the Likelihood and Impact of the Risk scenario and assigned one of the Risk Levels listed below.

Risk Levels could be:

  • Low Risk when the score is not greater than 19.

  • Moderate Risk when the score is from 20 to 39.

  • High Risk when the score is above 40.

The Risk scenarios are sorted in descending order of Risk Level.

Risk Treatment Process

The Information Security Team and the Information System & Asset Owner perform the Risk Treatment process.

The Risk Treatment process applies to all Risk scenarios whose Risk Level is above the acceptable level. Those Risks are added to the Treatment Plan in the Information Risk Register.

For each Risk in the Treatment Plan, a Target Risk Level is decided and an appropriate Risk Treatment Method is selected in the Treatment Method field of the Treatment Plan.

The Risk Treatment methods are:

  • Risk Avoidance - not performing an activity that could present Risk

  • Risk Acceptance - accepting the loss, or benefit of gain, from a Risk when the incident occurs

  • Risk Transfer - sharing with Third parties the burden of loss or the benefit of gain from a Risk, together with the measures to reduce the Risk

  • Risk Reduction - reducing the severity of the loss or the likelihood of the loss from occurring.

Where the selected Treatment Method is Risk Reduction, appropriate Treatment and Control Actions are chosen and listed in the Treatment Plan.

Treatment and Control Actions are based on:

  • CIS Critical Security Controls

  • PCI DSS

  • ISO/IEC 27002

  • Other best practices and standards.

The implementation and maintenance costs of the Treatment and Control Actions must not exceed the possible loss incurred should the Risk scenario occur.

The Risk Owner determines the implementation date of the Treatment and Control Actions. The date is noted in the Implementation Date field of the Treatment Plan.

Four times per year, the Information Security Team reviews the Risk Treatment Plan and the progress of the Treatment and Control Actions.

Risk Treatment Plan Approval

Once per year, the Information Security Team presents the Risk Treatment Plan to the CEOs for approval. If needed, the Risk Treatment Plan can be adjusted during the quarterly reviews and presented to the CEOs for approval.

Roles and Responsibilities

CEOs:

  • Formally approve the results of the Risk Assessment and the Risk Treatment Plan

  • Ensure that adequate resources needed for Risk Management are made available.

Information Security Team:

  • Manages the Risk Management processes for the Corporate Group

  • Ensures that there is an accurate Information Asset Register of all Information Assets

  • Coordinates the Risk Management activities with the Information Asset Owners

  • Maintains an up-to-date Risk Register

  • Regularly reviews the Risk Treatment Plan

  • Directs the Risk appetite for the CEOs

Information System or Asset Owner:

  • Maintains accurate information in the Information System & Asset Register related to their Information System or Asset

  • Conducts Risk Assessments in cooperation with the Information Security Team

  • Together with the Information Security Team agrees on the appropriate Treatment and Control Actions related to their Information System or Asset

  • Takes an active role in identifying and reporting new Risks

Risk Owner:

  • Implements the approved Treatment and Control Actions

  • Informs the Information Security Team and the Information System or Asset Owner on the progress of the Treatment and Control Actions.

Review and Update

This Standard must be reviewed before initiating the Risk Management process and maintained in accordance with the Information Security Policy.

Revision History

  Version | Author | Approved By | Revision date | Approval date
  --------|--------|-------------|---------------|--------------
  0.1     | GK     |             | 2023-05-20    | 2023-05-23
  0.2     | DM     |             | 2023-11-02    | 2023-11-02
  0.3     | GK     | DM          | 2024-09-10    | 2024-09-10
