Risk Management Policies
Last Updated: April 14, 2023
1. Incident Response Policy
1.1. Policy Statement
PRAI ("the Company") is committed to effectively responding to and mitigating security incidents that may impact its information assets. This Incident Response Policy outlines the guidelines and procedures for detecting, responding to, and recovering from security incidents in a timely and efficient manner.
1.2. Scope
This policy applies to all employees, contractors, and third-party service providers who have access to or manage the Company's information assets.
1.3. Incident Response Team
The Company will establish an incident response team comprising designated personnel responsible for managing and coordinating the response to security incidents. The team members will have defined roles, responsibilities, and authority during incident handling.
1.4. Incident Reporting
All employees, contractors, and third-party service providers are responsible for promptly reporting any suspected or actual security incidents to the designated incident response team. Incident reporting procedures and contact details will be communicated to relevant personnel.
1.5. Incident Response Procedures
The incident response team will follow documented incident response procedures, including steps for incident identification, containment, eradication, recovery, and post-incident analysis. The procedures will be regularly reviewed and updated to reflect emerging threats and lessons learned.
2. Risk Assessment and Management Policy
2.1. Policy Statement
The Company is committed to identifying, assessing, and managing risks to its information assets. This Risk Assessment and Management Policy outlines the procedures for identifying and evaluating risks, implementing risk mitigation measures, and continuously monitoring and reviewing the effectiveness of risk controls.
2.2. Risk Identification and Assessment
The Company will conduct regular risk assessments to identify and evaluate potential risks to its information assets. Risk assessments will consider various factors, including threats, vulnerabilities, impacts, and likelihood of occurrence.
2.3. Risk Mitigation
Based on the results of risk assessments, appropriate risk mitigation measures will be implemented to reduce identified risks to an acceptable level. Risk controls may include technical, administrative, and physical safeguards.
2.4. Risk Monitoring and Review
Risk controls will be monitored and periodically reviewed to confirm that they remain effective and aligned with evolving risks and business requirements. Risk assessments will be conducted regularly to identify new or changing risks.
3. Third-Party Vendor Management Policy
3.1. Policy Statement
The Company recognizes the importance of effectively managing risks associated with third-party vendors. This Third-Party Vendor Management Policy outlines the guidelines and procedures for assessing, selecting, and monitoring third-party vendors to ensure their compliance with security and privacy requirements.
3.2. Vendor Risk Assessment
Prior to engaging third-party vendors, the Company will conduct a risk assessment to evaluate their security posture, including their ability to protect the Company's information assets. Vendor assessments may include evaluating their security policies, procedures, controls, and track record.
3.3. Vendor Contractual Obligations
Contracts or service level agreements with third-party vendors will include provisions for security and privacy requirements, incident reporting, data protection, and access controls. These agreements will clearly define the responsibilities and expectations of the vendor regarding the protection of the Company's information assets.
3.4. Ongoing Vendor Monitoring
The Company will establish a process for ongoing monitoring and review of third-party vendors' security practices and compliance. This may include periodic audits, assessments, and performance evaluations to ensure vendors maintain adequate security controls.
4. Business Continuity and Disaster Recovery Plan
4.1. Policy Statement
The Company recognizes the importance of maintaining continuity of critical business operations in the event of a disruption or disaster. This Business Continuity and Disaster Recovery Plan outlines the guidelines and procedures for ensuring the timely resumption of critical business functions and the recovery of information assets.
4.2. Business Impact Analysis
The Company will conduct a business impact analysis to identify critical business functions, their dependencies, and the potential impacts of disruptions. This analysis will inform the development of business continuity and disaster recovery strategies.
4.3. Plan Development and Testing
A comprehensive business continuity and disaster recovery plan will be developed, documenting the procedures, roles, and responsibilities for response and recovery. The plan will be regularly tested and updated to ensure its effectiveness and alignment with changing business needs and emerging threats.
4.4. Backup and Data Recovery
The Company will implement regular backup procedures and secure offsite storage to ensure the availability and recoverability of critical information assets in the event of data loss or system failure. Data recovery procedures will be documented and periodically tested.
4.5. Plan Activation and Incident Response
In the event of a disruption or disaster, the business continuity and disaster recovery plan will be activated. The incident response team will follow predefined procedures to manage the incident, implement recovery measures, and communicate with relevant stakeholders.
These risk management policies will be reviewed and updated at least once a year or as required to ensure continued relevance and compliance with evolving risks, regulations, and industry best practices.
For any questions or concerns regarding these policies, please contact the Company's IT department at