Our approach to risk management is iterative and scalable, and includes the high-level components outlined below. We employ the Information Security Management System (ISMS) from ISO 27001, which includes a risk management program based on ISO 31000, “Risk Management Framework.”
- Interface with internal parties, stakeholders and, where needed, external parties to assess risks and mitigate them.
- Establish the internal, external, and risk parameters to consider when managing risk, and set the scope and risk criteria for the remaining process.
- Prioritize the identified risks and the actions needed to mitigate them to a level management can agree to, so that appropriate attention is given to the highest-priority risks.
- Select appropriate options to address identified risks and implement controls that address their impact and likelihood.
- Encompass all aspects of the risk management process in order to:
  - Validate the effectiveness of the risk program
  - Validate the effectiveness of the risk controls implemented
  - Learn from events that occurred
  - Enhance the program to include additional risk sources or actors
Our data classification policy provides the essential requirements for classifying, labeling, and handling the information assets that we own, manage, or handle. We use this policy to ensure that information assets receive a level of protection appropriate to their classification, which is based on sensitivity (confidentiality/privacy) and criticality (integrity and availability).
Placer’s access control policy applies to all systems, equipment, facilities and information within our environment, following the principle of least privilege. Our policies include technical controls that restrict access to operating systems, applications and cloud environments to authorized users using authentication protocols, and logging of authentication attempts.
We use a comprehensive, defined plan to govern the process for identifying and reporting incidents, as well as how we conduct investigations, risk classification, documentation and communication of incidents, responder procedures, and training.
Our plan is based on NIST SP 800-61r2 “Computer Security Incident Handling Guide” and has been tailored to Placer’s risk profile and business needs.