Risk Assessment
Risk assessment and risk handling
Conexus has a risk-based approach to our operation. Procedures for risk assessment and risk handling are established.
Risks can be associated with all management systems in Conexus Quality Management System.
Risk assessments shall be carried out periodically for all critical processing. An additional risk assessment is required in case of major changes to our operating environment.
All actions identified in the risk assessments must be followed up closely by the manager, product owner or system owner. High-risk items shall be reported to the CISO.
Risk assessments are done per product or system.
| Aspect | Description |
|---|---|
| Purpose | Information security and privacy are risk based and must be documented. Risk assessment is a very useful tool to structure and document what we think. Risk assessments, whether they pertain to information security or other types of risk, are a means of providing decision makers with the information needed to understand factors that can negatively influence operations and outcomes, and to make informed judgments concerning the extent of actions needed to reduce risk. For most purposes, a risk assessment on a qualitative scale is adequate. Primarily, a risk assessment gives a priority for the actions to be implemented. |
| Responsibility | Product owners, system owners and project leaders shall perform risk assessments at least yearly to improve security in the product, system or development, and document the risks and the decisions taken. Risks in the daily work shall also be documented. The product owner is responsible for implementing risk handling activities (actions) through the appropriate channels. |
| Documentation | We use our template for risk assessments. |
| Security | Risk assessments must be protected, as they may document critical control weaknesses. |