Purpose
This document defines the risk management methodology followed at ALOIS to systematically identify, analyze, and evaluate information security risks.
Scope
This policy applies to all risk assessments conducted on business processes and assets.
Risk Assessment Methodology
Establishing Context: Define business and technical objectives, including internal and external risk factors.
Risk Identification: Conduct workshops to identify threats and vulnerabilities affecting business objectives.
Risk Analysis: Assess likelihood and impact of identified risks, categorizing them by severity.
Risk Treatment: Implement measures to avoid, transfer, mitigate, or accept risks.
Monitoring and Review: Regularly review risks to ensure continued alignment with business needs.
Risk Categories
Technical Risks: Security vulnerabilities, unauthorized access, data breaches.
Compliance Risks: Regulatory violations, non-compliance with legal standards.
Operational Risks: Business continuity issues, system failures, process inefficiencies.
Risk Reporting and Escalation
Risks are categorized into four levels: Zone 1 (Service Manager), Zone 2 (Business Owner), Zone 3 (Senior Leadership), and Zone 4 (CEO).