SOC 2 Criteria: CC1.2, CC2.1, CC3.1, CC3.2, CC3.3, CC3.4, CC4.1, CC4.2, CC5.1, CC5.2, CC5.3
Keywords: Risk assessment, Threat impact, Threat likelihood, Risk score, Risk remediation
The purpose of this policy is to define the methodology for the assessment and treatment of information security risks within Userflow, and to define the acceptable level of risk as set by Userflow’s leadership.
Risk assessment and risk treatment are applied to the entire scope of Userflow’s information security program, and to all assets which are used within Userflow or which could have an impact on information security within it. This policy applies to all employees of Userflow who take part in risk assessment and risk treatment.
A key element of Userflow’s information security program is a holistic and systematic approach to risk management. This policy defines the requirements and processes by which Userflow identifies and treats information security risks. The process consists of four parts: identification of Userflow’s assets and of the threats and vulnerabilities that apply to them; assessment of the likelihood and consequence (risk) of those threats and vulnerabilities being realized; identification of a treatment for each unacceptable risk; and evaluation of the residual risk that remains after treatment.
Risk Assessment
Description of Impact Levels and Criteria:
Impact (Score) | Definition |
---|---|
Incidental (1.0) | Minimal financial loss • Local media attention quickly remedied • Not reportable to regulator • Isolated staff dissatisfaction |
Minor (2.0) | Minor financial loss • Local reputational damage • Reportable incident to regulator, no follow up • General staff morale problems and increase in turnover |
Moderate (3.0) | Moderate financial loss • National short-term negative media coverage • Report of breach to regulator with immediate correction to be implemented • Widespread staff morale problems and high turnover |
Major (4.0) | Significant financial loss • National long-term negative media coverage; significant loss of market share • Report to regulator requiring major project for corrective action • Some senior managers leave, high turnover of experienced staff, not perceived as employer of choice |
Extreme (5.0) | Massive financial loss • International long-term negative media coverage; game-changing loss of market share • Significant prosecution and fines, litigation including class actions, incarceration of leadership • Multiple senior leaders leave |
Description of Likelihood Levels and Criteria:
Likelihood (Weight Factor) | Definition |
---|---|
Rare (1.0) | Once in 100 years or less often (less than 10% chance of occurrence over the life of the company) |
Unlikely (2.0) | Once in 50 to 100 years (10% to 35% chance of occurrence over the life of the company) |
Possible (3.0) | Once in 25 to 50 years (35% to 65% chance of occurrence over the life of the company) |
Likely (4.0) | Once in 2 to 25 years (65% to 90% chance of occurrence over the life of the company) |
Almost Certain (5.0) | Once in 2 years or more often (90% or greater chance of occurrence over the life of the company) |
Risk Rating Criteria (Risk Score = Impact Score x Likelihood Weight Factor):
Risk Rating | Risk Score |
---|---|
Low Risk | Less than 4.0 |
Medium Risk | 4.0 to 9.0 inclusive |
High Risk | Greater than 9.0 but less than or equal to 16.0 |
Critical Risk | Greater than 16.0 |
Risk Rating Matrix (rows: Likelihood, columns: Impact; each cell shows Likelihood x Impact = Risk Score):
LIKELIHOOD \ IMPACT | INCIDENTAL (1.0) | MINOR (2.0) | MODERATE (3.0) | MAJOR (4.0) | EXTREME (5.0) |
---|---|---|---|---|---|
RARE (1.0) | LOW (1.0 x 1.0 = 1.0) | LOW (1.0 x 2.0 = 2.0) | LOW (1.0 x 3.0 = 3.0) | MEDIUM (1.0 x 4.0 = 4.0) | MEDIUM (1.0 x 5.0 = 5.0) |
UNLIKELY (2.0) | LOW (2.0 x 1.0 = 2.0) | MEDIUM (2.0 x 2.0 = 4.0) | MEDIUM (2.0 x 3.0 = 6.0) | MEDIUM (2.0 x 4.0 = 8.0) | HIGH (2.0 x 5.0 = 10.0) |
POSSIBLE (3.0) | LOW (3.0 x 1.0 = 3.0) | MEDIUM (3.0 x 2.0 = 6.0) | MEDIUM (3.0 x 3.0 = 9.0) | HIGH (3.0 x 4.0 = 12.0) | HIGH (3.0 x 5.0 = 15.0) |
LIKELY (4.0) | MEDIUM (4.0 x 1.0 = 4.0) | MEDIUM (4.0 x 2.0 = 8.0) | HIGH (4.0 x 3.0 = 12.0) | HIGH (4.0 x 4.0 = 16.0) | CRITICAL (4.0 x 5.0 = 20.0) |
ALMOST CERTAIN (5.0) | MEDIUM (5.0 x 1.0 = 5.0) | HIGH (5.0 x 2.0 = 10.0) | HIGH (5.0 x 3.0 = 15.0) | CRITICAL (5.0 x 4.0 = 20.0) | CRITICAL (5.0 x 5.0 = 25.0) |
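The scoring method above (impact score x likelihood weight factor, banded into Low/Medium/High/Critical, with a score of exactly 4.0 banded as Medium as the matrix cells 1.0 x 4.0, 2.0 x 2.0 and 4.0 x 1.0 show) applied to a small risk register, carried through the four steps of the process: score each risk, decide whether it needs treatment, and check the residual risk after treatment. This is an added example, not Userflow’s own tooling; the register entries, the treatments, the "Medium" acceptable level and the `PAGE_MATRIX` transcription used to cross-check the banding against the published matrix are all constructed for illustration.

```python
"""Risk scoring and treatment check for the impact x likelihood method above.

Added example, not Userflow's own code. The register, treatments and the
acceptable level ("Medium") are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IMPACT: Dict[str, float] = {
    "Incidental": 1.0, "Minor": 2.0, "Moderate": 3.0, "Major": 4.0, "Extreme": 5.0,
}
LIKELIHOOD: Dict[str, float] = {
    "Rare": 1.0, "Unlikely": 2.0, "Possible": 3.0, "Likely": 4.0, "Almost Certain": 5.0,
}
RATING_ORDER = ["Low", "Medium", "High", "Critical"]


def rating(score: float) -> str:
    """Band a risk score. 4.0 is Medium, matching the published matrix cells."""
    if score < 4.0:
        return "Low"
    if score <= 9.0:
        return "Medium"
    if score <= 16.0:
        return "High"
    return "Critical"


def score(impact: str, likelihood: str) -> float:
    """Risk score = impact score x likelihood weight factor."""
    return IMPACT[impact] * LIKELIHOOD[likelihood]


# The rating matrix as printed in the policy (one row per likelihood level,
# columns Incidental..Extreme), transcribed here to cross-check rating().
PAGE_MATRIX: Dict[str, List[str]] = {
    "Rare":           ["Low", "Low", "Low", "Medium", "Medium"],
    "Unlikely":       ["Low", "Medium", "Medium", "Medium", "High"],
    "Possible":       ["Low", "Medium", "Medium", "High", "High"],
    "Likely":         ["Medium", "Medium", "High", "High", "Critical"],
    "Almost Certain": ["Medium", "High", "High", "Critical", "Critical"],
}


def matrix_mismatches() -> List[Tuple[str, str, str, str]]:
    """Cells where rating(score) disagrees with the published matrix; expected empty."""
    out = []
    for lik, row in PAGE_MATRIX.items():
        for imp, expected in zip(IMPACT, row):
            got = rating(score(imp, lik))
            if got != expected:
                out.append((lik, imp, expected, got))
    return out


@dataclass
class Risk:
    asset: str
    threat: str
    impact: str
    likelihood: str
    treatment: Optional[str] = None
    # Expected levels once the treatment is in place; None keeps the inherent level.
    residual_impact: Optional[str] = None
    residual_likelihood: Optional[str] = None

    def inherent_score(self) -> float:
        return score(self.impact, self.likelihood)

    def residual_score(self) -> float:
        return score(self.residual_impact or self.impact,
                     self.residual_likelihood or self.likelihood)


def evaluate(register: List[Risk], acceptable: str = "Medium") -> List[Dict[str, object]]:
    """Score each risk, decide whether treatment is required, and check that the
    residual rating after treatment is within the acceptable level."""
    limit = RATING_ORDER.index(acceptable)
    rows = []
    for r in register:
        inherent = rating(r.inherent_score())
        residual = rating(r.residual_score())
        if RATING_ORDER.index(inherent) <= limit:
            status = "accept"
        elif RATING_ORDER.index(residual) <= limit:
            status = "treat"
        else:
            status = "treat, residual still above acceptable level"
        rows.append({"asset": r.asset, "threat": r.threat, "inherent": inherent,
                     "residual": residual, "treatment": r.treatment, "status": status})
    return rows


# Constructed register entries for illustration.
REGISTER = [
    Risk("Customer database", "Credential stuffing against the admin console",
         "Major", "Likely", "Enforce MFA and rate limiting", residual_likelihood="Unlikely"),
    Risk("Build pipeline", "Malicious dependency published upstream",
         "Moderate", "Likely", "Pin and verify dependency hashes", residual_likelihood="Rare"),
    Risk("Staff mailboxes", "Credential phishing",
         "Moderate", "Almost Certain", "Awareness training only", residual_likelihood="Likely"),
    Risk("Office printer", "Paper jam", "Incidental", "Possible"),
]

if __name__ == "__main__":
    assert not matrix_mismatches()
    for row in evaluate(REGISTER):
        print(row)
```

The `matrix_mismatches` check is the part worth keeping around: whenever the banding thresholds or the matrix are revised, running it confirms the two still agree, which is exactly the kind of drift a SOC 2 auditor will look for between the written criteria and the table actually used.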
Risk Remediation
Regular Reviews of Risk Assessment and Risk Treatment
Reporting
Version | Date | Editor | Description of Changes |
---|---|---|---|
V1 | October 20th, 2021 | Userflow | Initial Creation |