...
The process used for risk assessment and treatment within Vertic Pty Ltd is set out in the document Risk Assessment and Treatment Process which is part of the Information Security Management System (ISMS). This risk treatment plan sets out:
Risks requiring treatment
Risk owner
Recommended treatment option
Actions/Controls to be implemented
Responsibility for the identified actions
Estimated cost of control implementation
Timescales for actions
Residual risk levels after the controls have been implemented
This plan must be signed off by top management and by the relevant risk owner(s) to show agreement to the actions identified and to the levels of residual risk remaining after the treatment actions have been completed. The following people were involved in defining the actions described in this plan:
NAME | ROLE IN ASSESSMENT |
Jan Tenenberg | Lead risk assessor |
Stephen Kent | Assistant risk assessor |
...
As part of the assessment of potential treatments, the following additional people were consulted:
NAME | TITLE | LOCATION |
Matt Romeo | Chief Operating Officer | Melbourne Office |
Alex Hughes | Principal Consultant | Melbourne Office |
...
For each risk identified in the risk assessment report as needing to be treated, an approach has been agreed to take one or more of the following treatment options to reduce its risk level:
Modify – take action to reduce either the likelihood or impact of the risk (or both)
Share – agree or contract with a third party to share the effect of the risk
Avoid – change the way we work or some other factor so that the risk no longer applies
The specific actions to be taken are then identified together with an action owner and a target timescale.
...
Actions to address the potentially insecure use of partner cloud services have also been identified and many of the controls listed in section A.15 of Annex A from the ISO/IEC 27001 standard are recommended to be implemented, together with additional measures as proposed by the ISO/IEC 27017 code of practice.
Completion of these actions will be monitored as part of the regular management review process.
...
REF | RISK DESCRIPTION | RISK OWNER | RISK LEVEL | TREATMENT OPTION | ACTION | ACTION OWNER | TIMESCALE | RESIDUAL RISK LEVEL |
1 | Password Breach | CEO | | Modify | Two-Factor Authentication; Secure Password Management; Monitor Environment Setup | COO | Ongoing | Low |
2 | Transactional Data Breach | CEO | | Modify | Use Salesforce Platform Features; Do not store Transactional Data on Vertic Infrastructure; Use Australian Salesforce Data Centres; Monitor Salesforce Trust Website; Internal Audit/Planning to ensure this | COO | Ongoing | Low |
3 | Employee Breach | COO | | Share | Employment Contracts; Control Salesforce Access; Require Employment Contracts for each Employee; Use Salesforce Security Model to control user access | COO | Ongoing | |
4 | Incorrect Development Standards | COO | | Modify | Perform Regular Salesforce Health Checks; Monitor Salesforce Health Checks; Review Salesforce Optimiser | COO | Ongoing | |
5 | Data Centre Failures | CEO | | Share | Monitor Salesforce Trust Website; Use Salesforce’s Redundancy Controls; Inform Customers when this happens; data loss is extremely unlikely due to Salesforce’s platform redundancy controls | CFO | Ongoing | |
Table 3: Risk treatment plan
Vertic’s Organisational Risk Register can be found here.