Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Vanta policy template instructions

This Vanta policy template represents a complete, compliance-ready policy with placeholders for company specific text. Each policy section represents a policy-specific topic that you should consider and/or modify to match your company’s practices.

For each policy section

  • Consider if this section and its corresponding risks apply to you. If it does not, remove it and/or replace it with your organization’s corresponding practices.

  • Replace any highlighted text in angled brackets < > with your own language

  • Rewrite the policy language such that it reflects the practices of your organization

Policy completion checklist

  1. Use Find to make sure that all text in angled brackets is replaced

  2. Proofread your policy for spelling and grammar mistakes

  3. Confirm that the policy’s content reflects your organization’s practices

  4. Add any company-specific letterhead, branding, and formatting

  5. Remove this instructions page

  6. Export this document as PDF — File > Save As > Change “File Format” to PDF

  7. Upload the PDF to Vanta at https://app.vanta.com/policies

More questions?

A good rule-of-thumb is to keep your language high enough level such that it stays representative for at least a year. If you have more questions about how to use this template, please reach out to support@vanta.com or your auditor for additional guidance.

...

Policy Type: Risk Management Policy

Policy Number: 6

Company Name: <Company Name>

Policy Owners: <Policy Owners Name and Job Title>

Phone:

Effective Date: <Date>

Date Revised: <Date>

Last Review: <Date>

Next Review: <Date>

...

Policy Owner: Managing Director

Effective Date: 2023-05-01

Purpose:

To define actions to address CloudCard information security risks and opportunities. To define a plan for the achievement of information security and privacy objectives.

Scope:

  • All CloudCard IT systems that process, store or transmit confidential, private, or business-critical data.

  • Risks that could affect the medium to long-term goals of CloudCard, or risks that will be encountered in the day-to-day delivery of services.

  • Risks that are material: risk management systems and processes will be targeted to achieve maximum benefit without increasing the bureaucratic burden and ultimately affecting core service delivery to the organization. CloudCard will therefore consider the materiality of risk in developing systems and processes to manage risk.

  • This Policy applies to all employees of CloudCard and to all external parties, including but not limited to CloudCard consultants and contractors, business partners, vendors, suppliers, outsource service providers, and other third party entities with access to CloudCard networks and system resources.

Risk Management Statement

Inadequate IT risk management exposes CloudCard to risks including compromise of CloudCard or customer network systems, services and information, cyber-attacks, and contractual or legal issues. CloudCard will ensure that risk management plays an integral part in the governance and management of the organization at a strategic and operational level. The purpose of this risk management policy is to ensure that CloudCard achieves its stated business plan aims and objectives.

Risk Management Strategy

CloudCard has developed processes to identify those risks that will hinder the achievement of its strategic and operational objectives. CloudCard will therefore ensure that it has in place the means to identify, analyze, control and monitor the strategic and operational risks it faces, using this risk management policy based on best practices.

CloudCard will ensure the risk management strategy and policy are reviewed regularly and that internal audit functions are responsible for ensuring:

  • The risk management policy is applied to all applicable areas of CloudCard

  • The risk management policy and its operational application are regularly reviewed

  • Non-compliance is reported to appropriate company officers and authorities

Practical Application of Risk Management

CloudCard has adopted a standard format for use in the identification of risks, their classification, and evaluation.

...

Risks are assessed and ranked according to their impact and their likelihood of occurrence. A formal Risk Assessment, and network penetration tests, will be performed at least annually and shall take into consideration the results of any technical vulnerability management activities and penetration tests performed in accordance with the Operations Security Policy.

Risk Categories

Some risks are within the control of CloudCard whilst others may be only to a lesser degree. CloudCard will therefore take an approach that identifies those risks and classifies them according to the following categories:

...

Each risk will be assessed as to its likelihood and impact. Both impact and likelihood are assessed on a scale of 1-5. Impact can range from 1 (“Very low impact”) to 5 (“Very high impact”) and likelihood can range from 1 (“Very unlikely”) to 5 (“Very likely”).

Risk Criteria

The criterion for determining risk is the combined likelihood and impact of an event adversely affecting the confidentiality, availability, integrity, or privacy of organizational and customer information, personally identifiable information (PII), or business information systems.

For all risk inputs such as risk assessments, vulnerability scans, penetration tests, bug bounty programs, etc., CloudCard management shall reserve the right to modify risk rankings based on its assessment of the nature and criticality of the system processing, as well as the nature, criticality and exploitability (or other relevant factors and considerations) of the identified vulnerability.

Risk Response, Treatment, and Tracking

Risks will be maintained in a risk register, where they will be prioritized and mapped using the approach contained in this policy. The following responses to risk should be employed:

  • Modify: CloudCard may take actions or employ strategies to reduce the risk.

  • Accept: CloudCard may decide to accept and monitor the risk at the present time. This may be necessary for some risks that arise from external events.

  • Transfer: CloudCard may decide to pass the risk on to another party. For example, contractual terms may be agreed to ensure that the risk is not borne by CloudCard, or insurance may be appropriate for protection against financial loss.

  • Avoid: the risk may be such that CloudCard could decide to cease the activity or to change it in such a way as to end the risk.

Where CloudCard chooses a risk response other than “Accept” or “Avoid” it shall develop a Risk Treatment Plan.

Risk Management Procedures

The procedure for managing risk will meet the following criteria:

  1. CloudCard will maintain a Risk Register and Treatment Plan.

  2. Risks are ranked by ‘likelihood’ and ‘severity/impact’ as critical, high, medium, low, and negligible.

  3. Overall risk shall be determined through a combination of likelihood and impact.

  4. Risks may be valued to estimate potential monetary loss where possible.

  5. CloudCard will respond to risks in a prioritized fashion. Remediation priority will consider the risk likelihood and impact, cost, work effort, and availability of resources. Multiple remediations may be undertaken simultaneously.

  6. Regular reports will be made to the senior leadership of CloudCard to ensure risks are being mitigated appropriately, and in accordance with business priorities and objectives.

...

Risk Acceptance

...

Roles

  • President/CEO: Ultimately responsible for oversight of the acceptance and/or treatment of any risks to the organization.

  • CTO / Chief Information Officer: Can approve the avoidance, remediation, transference, or acceptance of any risk cited in the Risk Register.

  • IT Manager / Systems Engineer: Shall be responsible for the identification and treatment plan development of all Information Security related risks. This person shall be responsible for communicating risks to top management and adopting risk treatments in accordance with executive direction.

...

  • Identify Information Technology and Information Security related Risks.

  • Develop treatment plans for risks identified above.

  • Communicate risks to the Managing Director.

  • Adopt Risk Treatments in accordance with direction of the Managing Director.

Risk Register

For the current Risk Register, see https://app.vanta.com/risk-management/risk-register

...

ISO 27001 6.1; 6.2

...

Version | Date | Description | Author | Approved by
1.0 | <DATE> | Initial Implementation | M. Morrison (BSI) |
2.0 | <DATE> | | M. Morrison (BSI) |

...

| 2023-03-27 | Initial Implementation | Ryan Heathcote | Luke Rettstatt
1.1 | 2024-07-26 | Annual Review | Ryan Heathcote | Luke Rettstatt

APPENDIX A – Risk Assessment Process

The following is a high-level overview of the process used by CloudCard to assess and manage information security related risks.

The process discussed below is based on NIST 800-30 and provides guidance to CloudCard on how to:

  • Prepare and conduct an effective risk assessment.

  • Communicate and share the assessment results and risk-related information.

...

The risk assessment process (based on NIST 800-30) is comprised of the following steps:

...

Step 1: Prepare for the Assessment

In this step, the objective is to establish context for the risk assessment. This can be accomplished by performing the following:

...

Step 2: Conduct the Assessment

In this step, the objective is to produce a list of information security related risks that can be prioritized by risk level and used to inform risk response decisions. This can be accomplished by performing the following:

  • Identify Threat Sources

    • Determine and characterize threat sources relevant to and of concern to CloudCard, including but not limited to:

      • Human (Intentional or Unintentional / Internal or External)

      • Environmental

      • Natural

      • System or Equipment

    • Consider the following when identifying threat sources:

      • Capability

      • Motive / Intent

      • Intentionally targeted people, processes, and/or technologies

      • Unintentionally targeted people, processes, and/or technologies

  • Identify Threat Events

    • Determine what threat events could be produced by the identified threat sources that have the potential to impact CloudCard.

    • Consider the relevance of the events and the sources that could initiate the events.

  • Identify Vulnerabilities

    • Determine the vulnerabilities within CloudCard associated with people, processes and/or technologies that could be exploited by the identified threat sources and threat events.

    • Consider any influencing conditions that could affect and aid in successful exploitation.

  • Determine Likelihood

    • Determine the likelihood that the identified threat sources would initiate the identified threat events and could successfully exploit any identified vulnerabilities.

    • Consider the following when determining the likelihood:

      • Characteristics of the threat sources that could initiate the events.

        • Capability

        • Motive/Intent

        • Opportunity

      • The vulnerabilities and/or influencing conditions identified

      • CloudCard’s exposure based on any safeguards/countermeasures planned or implemented to prevent or mitigate such events.

  • Determine Impact

    • Determine the impact to CloudCard’s business objectives, operations, assets, individuals, customers, and/or other organizations by considering the following:

      • Business / Operational Impacts

      • Financial Damage

      • Reputation Damage

      • Legal or Regulatory Issues

    • When determining impact, also take into consideration any safeguards/countermeasures planned or implemented by CloudCard that would mitigate or lessen the impact.

  • Determine Risk

    • Determine the overall information security related risks to CloudCard by combining the following:

      • The likelihood of the event occurring.

      • The impact that would result from the event.

    • The risk to CloudCard is proportional to the likelihood and impact of an event.

      • Higher Risk Event: Is more likely to occur and the resulting impact will be greater.

      • Lower Risk Event: Is less likely to occur and the resulting impact will be minimal if any.

Step 3: Communicate and Share the Risk Assessment Results

In this step, the objective is to ensure that decision makers across CloudCard and executive leadership have the appropriate risk-related information needed to inform and guide risk decisions.

  • Communicate the Results

    • Communicate the risk assessment results to CloudCard decision makers and executive leadership to help drive risk based decisions and obtain the necessary support for the risk response.

    • Share the risk assessment and risk-related information with the appropriate personnel at CloudCard to help support the risk response efforts.

Step 4: Maintain the Assessment

In this step, the objective is to keep current the specific knowledge related to the risks that CloudCard incurs. The results of the assessments inform and drive risk based decisions and guide ongoing risk response efforts.

  • Monitor Risk Factors

    • Conduct ongoing monitoring of the risk factors that contribute to changes in risk to CloudCard’s business objectives, operations, assets, individuals, customers, and/or other organizations.

  • Maintain and Update the Assessment

    • Update existing risk assessments using the results from ongoing monitoring of risk factors and by conducting additional assessments, at minimum annually.

...

APPENDIX B - Risk Assessment Matrix and Description Key

RISK = LIKELIHOOD * IMPACT

IMPACT \ LIKELIHOOD    Very Low: 1       Low: 2       Moderate: 3   High: 4    Very High: 5
                       (Very Unlikely)   (Unlikely)   (Possible)    (Likely)   (Frequent)
Critical: 5            5                 10           15            20         25
High: 4                4                 8            12            16         20
Moderate: 3            3                 6            9             12         15
Low: 2                 2                 4            6             8          10
Negligible: 1          1                 2            3             4          5

RISK LEVEL and RISK DESCRIPTION

Low (1-4): A threat event could be expected to have a limited adverse effect on organizational operations, mission capabilities, assets, individuals, customers, or other organizations.

Medium (5-12): A threat event could be expected to have a serious adverse effect on organizational operations, mission capabilities, assets, individuals, customers, or other organizations.

High (15-25): A threat event could be expected to have a severe adverse effect on organizational operations, mission capabilities, assets, individuals, customers, or other organizations.

LIKELIHOOD LEVEL, LIKELIHOOD DESCRIPTION and RATING (NUMERICAL)

Very Unlikely (rating 1)
  A threat event is so unlikely that it can be assumed that its occurrence may not be experienced. A threat source is not motivated or has no capability, or controls are in place to prevent or significantly impede the vulnerability from being exploited. Probability of Occurrence: < 5% in a 5-10 year period.

Unlikely (rating 2)
  A threat event is unlikely, but there is a slight possibility that its occurrence may be experienced. A threat source lacks sufficient motivation or capability, or controls are in place to prevent or impede the vulnerability from being exploited. Probability of Occurrence: 6% to 20% in a 2-5 year period.

Somewhat likely (rating 3)
  A threat event is likely, and it can be assumed that its occurrence may be experienced. A threat source is motivated or possesses the capability, but controls are in place that may significantly reduce or impede the successful exploitation of the vulnerability. Probability of Occurrence: 21% to 50% in a 1-2 year period.

Likely (rating 4)
  A threat event is likely, and it can be assumed that its occurrence will be experienced. A threat source is highly motivated or possesses sufficient capability and resources, but some controls are in place that may reduce or impede the successful exploitation of the vulnerability. Probability of Occurrence: 51% to 80% in a 1 year period.

Very Likely (rating 5)
  A threat event is highly likely, and it can be assumed that its occurrence will be experienced. A threat source is highly motivated or possesses sufficient capability or resources, but no controls are in place, or the controls that are in place are ineffective and do not prevent or impede the successful exploitation of the vulnerability. Probability of Occurrence: > 80% in a 1 year period or less.

IMPACT LEVEL, IMPACT DESCRIPTION and RATING (NUMERICAL)

Very low impact (rating 1)
  A threat event could be expected to have almost no adverse effect on organizational operations, mission capabilities, assets, individuals, customers, or other organizations.

Low impact (rating 2)
  A threat event could be expected to have a limited adverse effect, meaning: degradation of mission capability yet primary functions can still be performed; minor damage; minor financial loss; or range of effects is limited to some cyber resources but no critical resources.

Medium impact (rating 3)
  A threat event could be expected to have a serious adverse effect, meaning: significant degradation of mission capability yet primary functions can still be performed at a reduced capacity; minor damage; minor financial loss; or range of effects is significant to some cyber resources and some critical resources.

High impact (rating 4)
  A threat event could be expected to have a severe or catastrophic adverse effect, meaning: severe degradation or loss of mission capability and one or more primary functions cannot be performed; major damage; major financial loss; or range of effects is extensive to most cyber resources and most critical resources.

Very high impact (rating 5)
  A threat event could be expected to have multiple severe or catastrophic adverse effects on organizational operations, assets, individuals, other organizations, or the Nation. Range of effects is sweeping, involving almost all cyber resources.
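As an added example (not part of this policy or of Vanta's tooling), the scoring rule from Appendix B and the treatment-plan requirement from the Risk Response section carried out in Python; the RegisterEntry structure and the sample register rows are constructed here for illustration.

```python
from dataclasses import dataclass

# Appendix B: RISK = LIKELIHOOD * IMPACT, each rated 1-5. Bands from the
# Description Key: Low 1-4, Medium 5-12, High 15-25.
RISK_BANDS = ((1, 4, "Low"), (5, 12, "Medium"), (15, 25, "High"))
# Responses from "Risk Response, Treatment, and Tracking"; a response other
# than Accept or Avoid requires a Risk Treatment Plan.
RESPONSES = {"Modify", "Accept", "Transfer", "Avoid"}
NO_PLAN_REQUIRED = {"Accept", "Avoid"}


def risk_score(likelihood: int, impact: int) -> int:
    """Multiply the two 1-5 ratings; reject values outside the policy scale."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be 1-5, got {value}")
    return likelihood * impact


def risk_level(score: int) -> str:
    """Map a score to Low/Medium/High. Products of two 1-5 ratings never
    equal 13 or 14, so the gap between Medium and High is unreachable."""
    for low, high, level in RISK_BANDS:
        if low <= score <= high:
            return level
    raise ValueError(f"{score} is not a likelihood*impact product")


@dataclass
class RegisterEntry:
    """One risk register row (constructed structure, not Vanta's format)."""
    title: str
    likelihood: int
    impact: int
    response: str
    treatment_plan: str = ""


def validate_entry(entry: RegisterEntry) -> list:
    """Return policy findings for an entry; an empty list means compliant."""
    findings = []
    if entry.response not in RESPONSES:
        findings.append(f"unknown response '{entry.response}'")
    elif entry.response not in NO_PLAN_REQUIRED and not entry.treatment_plan.strip():
        findings.append(f"'{entry.response}' requires a Risk Treatment Plan")
    return findings


# Constructed sample register entries for illustration.
SAMPLE_REGISTER = [
    RegisterEntry("Unpatched internet-facing host", 4, 5, "Modify", "Patch within SLA"),
    RegisterEntry("Data center flood", 1, 4, "Transfer"),  # no plan recorded
    RegisterEntry("Legacy reporting tool outage", 2, 2, "Accept"),
]

if __name__ == "__main__":
    for e in SAMPLE_REGISTER:
        s = risk_score(e.likelihood, e.impact)
        print(f"{e.title}: {s} {risk_level(s)} {validate_entry(e) or 'OK'}")
```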

...