Page 31 - Information_Security_Program
INFORMATION RISK ASSESSMENT [DP300]
Scope: Enterprise
Distribution: Executive Leadership Team; Director of Information Technology, Privacy and Data Security
Purpose: To discover and mitigate information risks.
External Regulation or Standard: Security Management Process, 45 CFR 164.308(a)(1)(ii)(A); 45 CFR 164.308(a)(1)(ii)(B), PCI DSS 12.1.2
Number: DP300.1
Who is Responsible: Director of Information Technology, Privacy and Data Security, with IT Staff and Consultants as approved by the Chief Financial Officer
Policy, Standard, or Procedure Statement: Conduct an on-going, comprehensive and formal logical and physical information-risk assessment identifying all known threats and vulnerabilities, including identifying and prioritizing risk mitigation activities. Results and recommendations will be documented at least once a year.

Number: DP300.2
Who is Responsible: IT Staff
Policy, Standard, or Procedure Statement: Perform quarterly vulnerability assessments of operating systems and networks where credit cards are processed.

Number: DP300.3
Who is Responsible: IT Staff
Policy, Standard, or Procedure Statement: Perform non-intrusion network vulnerability assessments following significant changes in the credit-card processing part of the network, such as new system component installations, changes in network topology, firewall rule modifications, and product upgrades.

Number: DP300.4
Who is Responsible: IT Staff and off-site Managers
Policy, Standard, or Procedure Statement: Each quarter, identify all wireless devices in use and remove unauthorized devices.

Number: DP300.5
Who is Responsible: IT Staff
Policy, Standard, or Procedure Statement: Perform network and application penetration tests annually, and also perform network and application tests after upgrading an operating system, adding a sub-network, or adding a web server.

Number: DP300.6
Who is Responsible: IT Staff
Policy, Standard, or Procedure Statement: Each year, the organization will perform password-cracking tests and improve password strength based on the results.

Number: DP300.7
Who is Responsible: Infrastructure Engineer
Policy, Standard, or Procedure Statement: The Infrastructure Engineer will approve and manage the use of threat and vulnerability assessment tools.

Number: DP300.8
Who is Responsible: IT Staff
Policy, Standard, or Procedure Statement: Each quarter, the organization will review physical and digital access-control lists and remove unauthorized users.

Number: DP300.9
Who is Responsible: Executive Leadership Team, with IT Staff, IT Project Manager and Director of Information Technology, Privacy and Data Security
Policy, Standard, or Procedure Statement: Will be responsible for mitigating risks identified by the IT Staff in systems, facilities or processes under their control.
30 | Page
GES CONFIDENTIAL