
Information Risk and Compliance

Information Risk Management Approach

Our approach to risk management is iterative, scalable, and includes the high level components outlined below. We employ the Information Security Management System (ISMS) from ISO 27001, which includes a risk management program based on the ISO 31000, “Risk Management Framework.”

Interested Parties

Interface with internal parties and stakeholders and, where needed, with external parties to assess risks and mitigate them.

Establishing the Context

Define the internal, external, and risk parameters to consider when managing risk, and set the scope and risk criteria for the remainder of the process.

Risk Identification

A comprehensive list of assessments used to identify risks that might prevent, degrade, or delay the achievement of our business objectives.

Risk Analysis

Consider the causes and sources of each risk, its impact, the likelihood of the risk occurring, and the effectiveness of existing controls.

Risk Evaluation

Prioritize the identified risks and determine the actions needed to mitigate them to a level management can accept, so that the highest-priority risks receive appropriate attention.

Risk Treatment

Select appropriate options to address identified risks and implement controls that reduce their impact and likelihood.

Monitoring and Review

Encompasses all aspects of the risk management process in order to:

  • Validate the effectiveness of the risk program
  • Validate the effectiveness of risk controls implemented
  • Learn from events that occurred
  • Enhance the program to include additional risk sources or actors

Data Classification

Our data classification policy provides essential requirements for classifying, labeling, and handling information assets that we own, manage, or handle. We use this policy to ensure information assets receive an appropriate level of protection based on their information classification, which is determined by sensitivity (confidentiality/privacy) and criticality (integrity and availability).

Access Control

Placer’s access control policy applies to all systems, equipment, facilities, and information within our environment, following the principle of least privilege. Our policies include technical controls that restrict access to operating systems, applications, and cloud environments to authorized users by means of authentication protocols, together with logging of authentication attempts.

Incident Response

We use a comprehensive, defined plan to govern the process for identifying and reporting incidents, as well as how we conduct investigations, classify risk, document and communicate incidents, carry out responder procedures, and provide training.

Our plan is based on NIST SP 800-61r2 “Computer Security Incident Handling Guide” and has been tailored to Placer’s risk profile and business needs.