Cyber Risk Management Policy
| Field | Value |
|---|---|
| Document ID | POL-006 |
| Classification | Internal |
| Owner | CTO (interim CISO) |
| Effective Date | April 2026 |
| Review Cycle | Annual |
1. Overview
The Organization recognizes that cybersecurity risks can impact business operations, customer data, and organizational reputation. This policy establishes a structured approach to identify, assess, mitigate, and monitor cybersecurity risks across all business functions.
Effective cyber risk management helps protect organizational assets, maintain compliance, and support business continuity.
2. Purpose
This policy defines the framework for managing cybersecurity risks to ensure that:
- Cyber risks are identified and assessed
- Appropriate risk mitigation measures are implemented
- Residual risks are monitored
- Regulatory and business requirements are met
3. Scope
This policy applies to all employees, contractors, systems, applications, data, and business processes across the Organization. The scope includes:
- Information systems and infrastructure
- Applications and data repositories
- Third-party integrations and services
- Business processes involving digital systems
- Remote access and endpoint devices
4. Policy
4.1 Risk Identification
- Identify cybersecurity threats such as malware, phishing, unauthorized access, and insider risks.
- Perform periodic vulnerability assessments of systems and applications.
- Maintain an inventory of key systems, applications, and digital assets.
4.2 Risk Assessment
- Evaluate the likelihood and impact of identified risks.
- Classify risks as Critical, High, Medium, or Low based on severity.
- Review risks periodically and update assessments as required.
4.3 Risk Treatment
- Implement appropriate technical and operational controls to mitigate identified risks.
- Document accepted risks where mitigation is not feasible.
- Avoid or restrict high-risk activities when necessary.
4.4 Monitoring and Review
- Monitor systems and applications for potential security risks.
- Track key risk indicators such as incidents and vulnerabilities.
- Review risk status periodically and update mitigation actions.
5. Policy Compliance
5.1 Compliance Measurement
Compliance with this policy shall be monitored through:
- Periodic risk assessments
- Security reviews and audits
- Incident analysis and corrective actions
- Vulnerability tracking and remediation
5.2 Policy Review
This policy shall be reviewed periodically or when significant changes occur in technology, business operations, or regulatory requirements.
5.3 Exceptions
Any exception to this policy must be documented, approved by authorized personnel, and reviewed periodically with appropriate risk mitigation measures.
5.4 Non-Compliance
Failure to comply with this policy may result in corrective actions in accordance with organizational procedures.
6. Operational Methodology
For the operational implementation of this policy (risk scoring formulas, category definitions, status lifecycle, review cadence, and the register's evidence workflow), see the Cyber Risk Management Standard (STD-005).
The Standard is maintained by the CISO and may be updated without Board approval when operational practice changes. This Policy is reviewed annually by the Board.
Interim role note: The CISO role is currently pending formal appointment. Until then, the CTO acts as interim CISO for sign-offs and approvals described in this Policy and the companion Standard.