Information Risk Management Approach
Our approach to risk management is iterative, scalable, and includes the high-level components outlined below. We operate an Information Security Management System (ISMS) based on ISO 27001, which includes a risk management program aligned with the ISO 31000 risk management guidelines.
Interested Parties
Engage internal parties and stakeholders, and external parties where needed, to assess risks and mitigate them.
Establishing the Context
Define the internal, external, and risk-management parameters to consider when managing risk, and set the scope and risk criteria for the remaining process.
Risk Evaluation
Prioritize the identified risks and determine the actions needed to mitigate them to a level management can accept, so that the highest-priority risks receive appropriate attention.
Risk Treatment
Select appropriate options to address identified risks and implement controls that reduce their impact and likelihood.
Monitoring and Review
Encompasses all aspects of the risk management process in order to:
- Validate the effectiveness of the risk program
- Validate the effectiveness of risk controls implemented
- Learn from events that occurred
- Enhance the program to include additional risk sources or actors
Data Classification
Placer’s data classification policy sets the requirements for classifying, labeling, and handling information assets Placer owns, manages, or processes. Classification is based on sensitivity (confidentiality and privacy) and criticality (integrity and availability), so each asset receives an appropriate level of protection throughout its lifecycle.
Access Control
Placer's access control policy applies to all systems, equipment, facilities, and information within its environment, following the principle of least privilege. Controls restrict access to operating systems, applications, and cloud environments to authorized users through strong authentication (including SSO and MFA for sensitive systems), and authentication attempts are logged and monitored.
Incident Response
Placer maintains a comprehensive, documented plan to govern how it identifies and reports incidents, how it conducts investigations, and how it classifies, documents, and communicates about them. The plan also defines responder procedures and required training.
The plan is based on NIST SP 800-61 Rev. 3, "Incident Response Recommendations and Considerations for Cybersecurity Risk Management," and is tailored to Placer's risk profile and business needs. Placer updates the plan based on lessons learned from exercises, simulations, and real-world events.