IT Risk Assessment Policy

Updated annually


This document explains the Company’s Risk Assessment policies and procedures. This policy empowers the Information Security Officer (ISO) or Data Protection Office (DPO) to perform periodic information security risk assessments (RAs) for the purpose of determining areas of vulnerability, and to initiate appropriate remediation.


RAs may be conducted on any Entity within the Company or any outside Entity that has signed a Third Party Agreement with the Company.
RAs may be conducted on any information system to include: applications, servers, and networks, and any process or procedure by which these systems are administered and/or maintained.

Authority and Enforcement

The Company’s Information Security Officer (ISO) is responsible for the development and oversight of these policies and standards.
The ISO works in conjunction with management, the Information Technology (IT) department and others for development, monitoring and enforcement of these policies and standards.


The execution, development and implementation of remediation programs are the joint responsibility of the IT department and the department responsible for the systems area being assessed.
Employees are expected to cooperate fully with any RA being conducted on systems for which they are held accountable.
Employees are further expected to work with the IT Risk Assessment Team in the development of a remediation plan.


Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.


Entity – Any business unit, department, group, or third party, internal or external to the Company, responsible for maintaining the Company assets.

Risk – Those factors that could affect confidentiality, availability, and integrity of the Company’s key information assets and systems. The IT department is responsible for ensuring the integrity, confidentiality, and availability of critical information and computing assets, while minimizing the impact of security procedures and policies upon business productivity.

This policy is subject to change or termination by the Company at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.