Purpose and Scope

Agilelab determines the risks and opportunities that need to be addressed in order to:

a) Provide assurance that the management system can achieve the intended results;

b) Enhance the desired effects;

c) Prevent or reduce undesired effects;

d) Achieve improvement.

The concept of risk is understood as the uncertainty associated with the achievement of the management system objectives.

Additionally, agilelab identifies and clearly defines the risks related to the security of information for the loss of confidentiality, integrity, and availability of information included in the scope of the management system.

agilelab plans:

a) Actions to address identified risks and opportunities;

b) Methods to:

Integrate and implement the actions within the processes of its integrated management system;

Evaluate the effectiveness of these actions.

Activities Management System Risk Assessment

Risk is realized when:

ü The company's objectives are not achieved.

ü The company's assets are not protected from losses.

ü There is non-compliance with the organization's policies, procedures, or external legislation and regulations.

ü The company's resources are not used efficiently and effectively.

ü The confidentiality, integrity, and availability of information are not reliable.

Four major risk categories are identified:

• Organizational risk

• Risk of inadequate strategy.

• Compliance risk with norms and legal requirements.

• Operational risk related to the actions and procedures of the organization.

Risk Identification

The risk identification process consists of the following phases, in line with the requirements of ISO/IEC 27001 standard.

Activities

agilelab compiles and maintains a complete inventory of activities. The definition of assets is understood as "anything that has value to the organization" and therefore deserves protection. This includes tangible resources such as development programs, operational machinery, as well as information resources such as customer lists and application databases.

Threats

For each asset, threats that can reasonably be expected to apply to it will be identified. These vary depending on the type of asset and can be accidental events such as fires, floods, or vehicle impacts, or malicious attacks such as viruses, thefts, or sabotage.

Vulnerabilities

The circumstances that can be exploited by a specific threat will be described in detail. Examples of such vulnerabilities may include the lack of server patches (which could be exploited by the threat of hacking) or the existence of paper files in a data center (which could be exploited by the threat of fire).

Impacts

Finally, an estimate must be provided of the impact that the loss of confidentiality, integrity, or availability could have on the asset.

Information Security Risk Assessment

The risk assessment proceeds through the following steps:

a) Identify potential risks;

b) Understand (and make others understand) the likelihood and consequences of these risks;

c) Prioritize the treatment of risks;

d) Identify controls aimed at reducing risks below an acceptable level.

The risk analysis process allows for:

Identifying, classifying, and valuing assets to be protected;

Identifying and assessing hostile agents, threats, vulnerabilities, and risks;

Determining which threats need to be addressed and with which countermeasures (technical and non-technical);

Calculating the residual risk, assessing acceptable levels, and defining countermeasures to keep the risk within these levels.

Risk Analysis and Evaluation

Numerical Classification

To assess the risk for an activity and determine the appropriate treatment, agilelab examines threats, vulnerabilities, the probability of the threat occurring, and the impact that would result. To describe the likelihood of a risk occurring and the impact it uses a scale that identifies the following risk levels:

Risk Level

Low < 20

19 < Medium < 41

High > 40

Risks with a level below 20 are accepted, while others are analyzed in more detail.

The rationale for assigning probability and impact ratings will be provided so that they can be evaluated later to verify if they have changed substantially. This will also help ensure the consistency and repeatability of risk assessments.

The overall intention of risk assessment and proposed treatments is to reduce the risk classification to an acceptable level, such as from HIGH to MEDIUM or from MEDIUM to LOW.

The priorities of continuous improvement points are determined by the highest priority points addressed in the risk assessment. For example, if three points are addressed by a single action and one is MEDIUM and two are LOW, then the action's priority will be MEDIUM.

Risk Assessment Report

The result of the risk analysis and evaluation phase is the risk assessment report. This report shows the following information:

ü Activities

ü Treatments

ü Vulnerabilities

ü Controls

ü Risk (including the rationale)

ü Impact (including the rationale)

ü Score

ü Classification

ü Whether the risk is accepted or requires actions

This report contributes to the Risk Treatment phase of the process and must be approved by Management before proceeding.

The risk management process, as depicted in the following diagram, consists of a series of blocks.

Risk assessment is carried out through the MR 06.1.1 Information Risk Assessment.

The obtained risk level must be compared to the assessment criteria established by agilelab during the definition of the context. The results of the risk analysis are used to make decisions about future actions: whether a risk needs to be treated, the priority, and what actions need to be taken.

Continuity of Operations Risk Assessment

Description of the Analysis Method

The analytical method on which the risk analysis is based consists of:

1- Identifying the risks and opportunities present in the organization (depending on the context).

2- Analyzing and prioritizing the risks and opportunities in the organization (What is acceptable? What is not?).

3- Planning actions to address the risks (How can the risk be avoided or eliminated? How can it be mitigated?).

4- Implementing the plan (conducting the actions).

5- Monitoring the effectiveness of the actions ("Does it work?").

6- Learning from experience (continuous improvement).

Risk Assessment Report

The Risk Assessment Report represents the output of the risk analysis and contains a series of analytical indications.

A 4x4 model (Probability x Damage) is used.

Probability: It represents the likelihood of potential damages occurring. Probability will be defined according to the following scale:

PROBABILITY VALUE DEFINITION INTERPRETATION OF THE DEFINITION

1 Unlikely § Its occurrence would require the convergence of several events with low probabilities § No similar events have ever occurred § Its occurrence would be met with disbelief

2 Low Probability § Its occurrence would require uncommon and unlikely circumstances § Few similar events have occurred § Its occurrence would cause modest surprise

3 Probable § Other similar events have occurred § Its occurrence would cause modest surprise

4 Very Likely § Other similar events have occurred § Its occurrence is practically taken for granted

Damage: Possible effect caused by exposure to risk factors.

The extent of damage will be assessed according to the following scale:

DAMAGE VALUE DEFINITION INTERPRETATION OF THE DEFINITION

1 Ordinary § The incident does not cause significant service disruptions, and its impact on the company's operations is not relevant. The event can be resolved using ordinary means of intervention.

2 Significant § Degradation or interruption of a minority percentage (< 25%) of the service, which continues to be provided albeit at a slower pace.

3 Severe § Degradation or interruption of a percentage from medium to high (26% < x < 55%) of the service, causing serious disruptions.

4 Catastrophic § Incident causing the interruption of a percentage from high to complete (56% < x < 100%) of the service.

Risk: Probability that a potential level of damage will be reached under exposure to a hazard by the company.

The table below indicates the different combinations (PxD) between damage and the probabilities that it may occur (risk assessment).

P (Probability)

4 4 8 12 16

3 3 6 9 12

2 2 4 6 8

1 1 2 3 4

1 2 3 4 D (Damage)

The risk assessment is represented in Mod. 6.1.1.1 Management System Risk Assessment.

Criteria for Analyzing Results

For each identified risk type, based on the parameters indicated above, objective risk parameters are identified for evaluations.

Risk Assessment Action Required Timing

Up to 3 Accept or mitigate the risk Medium to Long Term

From 4 to 8 Mitigate or avoid the risk Short Term

From 9 to 16 Avoid or transfer the risk Short Term