Data Management Policy

Policy owner: @knolleary
Effective date: 2023-06-01

Purpose

To define actions to address information security risks and opportunities. To define a plan for the achievement of information security and privacy objectives.

Scope

All FlowFuse data, information and information systems.

Risks that could affect the medium to long-term goals should be considered as well as risks that will be encountered in the day-to-day delivery of services.

Risks will be targeted to achieve maximum benefit without increasing the bureaucratic burden and ultimately affecting core service delivery to the organization.

Risk Management Strategy

A thorough risk assessment must be conducted to evaluate potential threats and vulnerabilities to the confidentiality, integrity, and availability of sensitive, confidential, and proprietary electronic information FlowFuse stores, transmits, and/or processes.

Risk assessments must be performed whenever there is a major change to FlowFuse's business or technical operations and/or supporting infrastructure, and in any case no less than once per year.

Strategies shall be developed to mitigate or accept the risks identified in the risk assessment process.

A risk register is maintained and monitored quarterly to assess compliance with the above policy, and document newly discovered or created risks.

Managing Risk

Risks are assessed and ranked according to their impact and their likelihood of occurrence. A formal risk assessment and network penetration tests will be performed at least annually and shall take into consideration the results of any technical vulnerability management activities performed in accordance with the Operations Security Policy.

Each risk will be assessed as to its likelihood and impact. Both impact and likelihood are assessed on a scale of 1-5. Impact can range from 1 ("Very low impact") to 5 ("Very high impact") and likelihood can range from 1 ("Very unlikely") to 5 ("Very likely").

The criterion for determining risk is the combined likelihood and impact of an event adversely affecting the confidentiality, availability, integrity, or privacy of organizational and customer information, personally identifiable information (PII), or business information systems.

For all risk inputs such as risk assessments, vulnerability scans, penetration tests, bug bounty programs, etc., FlowFuse management shall reserve the right to modify risk rankings based on its assessment of the nature and criticality of the system processing, as well as the nature, criticality and exploitability (or other relevant factors and considerations) of the identified vulnerability.

Risk Response, Treatment, and Tracking

Risks will be recorded and maintained in a risk register, where they will be prioritized and mapped using the approach contained in this policy.

The following responses to risk should be employed:

  • Modify: take actions or employ strategies to reduce the risk.
  • Accept: accept and monitor the risk at the present time. This may be necessary for some risks that arise from external events.
  • Transfer: pass the risk on to another party. For example, contractual terms may be agreed to ensure that the risk is not borne by FlowFuse, or insurance may be appropriate for protection against financial loss.
  • Avoid: cease the activity, or change it in such a way as to end the risk.

Where FlowFuse chooses a risk response other than "Accept" or "Avoid", it shall develop a Risk Treatment Plan.

Risk Management Procedures

The procedure for managing risk will meet the following criteria:

  • FlowFuse will maintain a Risk Register and Treatment Plan.
  • Risks are ranked by "likelihood" and "severity/impact" as critical, high, medium, low, and negligible.
  • Overall risk shall be determined through a combination of likelihood and impact.
  • Risks may be evaluated to estimate potential monetary loss where possible.

FlowFuse will respond to risks in a prioritized fashion. Remediation priority will consider the risk likelihood and impact, cost, work effort, and availability of resources. Multiple remediations may be undertaken simultaneously.

Regular reports will be made to the senior leadership of FlowFuse to ensure risks are being mitigated appropriately, and in accordance with business priorities and objectives.

Exceptions

Requests for an exception to this policy must be submitted to the CEO or CTO for approval.

Violations & Enforcement

Any known violations of this policy should be reported to the CEO or CTO. Violations of this policy can result in immediate withdrawal or suspension of system access and/or disciplinary action in accordance with company procedures up to and including termination of employment.


Policy derived from JupiterOne/security-policy-templates (CC BY-SA 4 license) and Vanta