Risk management

Our primary tool, the SRR, assesses the risk exposure of every identified security threat across our environment and is the basis for most other risk management tools in play. We use the SRR to inform relevant groups (notably the Security team and the leadership/executive teams) regarding our knowledge of risk exposure.

We use procedural risk assessments—a standard process for analyzing the risk of various input—to make informed decisions around the associated risk exposure.

Each risk assessment leverages data tabulated in the SRR to articulate the impact of various risk scenarios and inform decision-making in relevant contexts.

We use ad hoc risk assessments to evaluate risk if a circumstance arises that falls outside our structured evaluations.

We use development risk assessments for new major products or product features to ensure that we thoroughly evaluate critical security and legal controls.

• An initial assessment gauges the overall risk of the design.
• If our Security team identifies a high level of risk, we ask for more details in the product design document.
• Our Security team might ask for clarification around sensitive topics and require design changes or mitigation strategies to address new risk exposure.
• Follow-up risk assessments might be necessary depending on the complexity of the project.

Risk treatment planning includes these steps:

• Enumerate existing controls per FAIR Controls Analytics Model (FAIR-CAM).
• Select risk treatment approach(es) and justification.
• Evaluate any additional proposed controls.
• Assign lead stakeholders and other owners.
• Set timeframe to achieve intended treatment.

Determining risk treatment options includes these factors:

• mitigation (via remediation and countermeasures)
• transfer (e.g., to third party)
• avoidance (eliminate vulnerable function or service)
• acceptance (based on understanding of exposure and weighted against appetite for risk)