Risk Management

The purpose of this document is to define the methodology and scope for risk management at 2CLIX TECNOLOGIA EIRELI, as well as to serve as a base guide for the preparation of reports and audits on this topic.

Access to this documentation is Public; however, the reports generated from the processes defined here are classified as “Restricted”.

RISK MANAGEMENT

In addition to regulatory and legal factors, risk management must also take into account the organization’s internal factors, as well as its processes and financial situation. Risk management must prioritize risks that have more severe impacts and higher probabilities of occurrence, and seek to ensure that the identified risks are reduced to lower impact and probability categories.

To ensure incremental improvement, reports in the SEG2CX03 family will be updated every 6 months in accordance with the guidelines and methodologies defined in this document.

GENERAL SECURITY OBJECTIVES

  • The security of Customers’, Users’ and Employees’ data must be treated as a priority;
  • Security processes and controls must ensure the availability of services provided by 2CLIX TECNOLOGIA EIRELI;
  • Workstations of 2CLIX TECNOLOGIA EIRELI employees must remain functional and capable of producing the work required by their users;
  • Physical and digital documents and contracts must be kept in a secure location and accessed only by the Administration, Finance and Business teams;
  • Security measures must not negatively impact the timelines for implementing new services or improvements;
  • Compliance with the General Data Protection Law (LGPD) must be ensured through security controls;
  • It is essential that teams correctly follow all work processes;
  • Requests and projects must be developed in accordance with the Secure Development Policy and must be extensively tested to maintain service quality and security;
  • All teams must follow the Information Security Policy and the Secure Development Policy.

METHODOLOGY

Risk management at 2CLIX TECNOLOGIA EIRELI will be composed of three reports: [SEG2CX03.1] Risk Identification, [SEG2CX03.2] Risk Analysis, and [SEG2CX03.3] Risk Treatment. Each of them is responsible for expanding on one aspect of risk management and on each risk identified in the organization.

The Risk Identification process consists of several incremental phases, so that merely minor issues are correctly separated from situations that pose a real risk to the organization’s security.

  • The first phase consists of a review of the organization’s processes to identify issues (“offenders”);
  • The second phase is an analysis of previously reported events and incidents and any historical records that may be relevant to the current organizational culture;
  • The third phase consists of analyzing vulnerability reports and access logs provided by the SIEM, antivirus and the database monitoring routine;
  • The fourth phase is an analysis of external risks and includes reviewing suppliers’ contracts and risk documentation, as well as analyzing economic, environmental and political factors in the context in which the organization operates;
  • Finally, all “potential risks” are gathered and reviewed in a preliminary analysis to decide which items actually constitute risks and which are merely harmless issues. The result of this phase constitutes the Risk Identification report.

The Risk Analysis phase aims to identify the real danger that each risk poses to the organization’s information security. It consists of a more objective analysis of each risk, assessing its impact and probability of occurrence according to its influence on Integrity, Availability and Reliability of both the system and the organization as a whole. Each risk is analyzed from the following perspectives:

  • Nature of the Risk refers to the areas of the company to which the risk belongs;
  • Availability focuses on analyzing the probability and impact of the risk in this aspect, considering both the availability of services provided by 2CLIX TECNOLOGIA EIRELI and the availability of documents and equipment for the team to perform its duties;
  • Integrity focuses on analyzing the probability and impact of the risk in this aspect, considering both the integrity of services provided by 2CLIX TECNOLOGIA EIRELI and the integrity of documents and equipment used by the team to perform its duties;
  • Reliability focuses on analyzing the probability and impact of the risk in this aspect, considering both the reliability of services provided by 2CLIX TECNOLOGIA EIRELI and the reliability of documents provided by the team, both in contracting and for documenting personal occurrences;
  • Internal Factors aim to describe the internal impacts that the risk may have, both among teams and in the relationship between employees and 2CLIX TECNOLOGIA EIRELI;
  • External Factors aim to describe the external impacts of the risk on the organization, from legal impacts to impacts on the company’s image or presence in its market segment;
  • Company Criteria describe the extent to which this risk conflicts with the company’s internal information security guidelines;
  • Risk Owner is the person responsible for defining the risk treatment plan and, after management approval, for coordinating its implementation;
  • Treatment Type refers to the final objective to be achieved with the risk treatment: whether mitigation, prevention, acceptance or eradication;
  • Risk Matrix presents a graphical representation showing the relationship between each impact and its probability of occurrence for Integrity (I), Availability (A) and Reliability (R). The result of this matrix is the definition of the treatment priority level for the risk. The matrix has 4 priority levels, with level 1 being the most critical and level 4 the least severe;
  • The final priority of the Risk is defined based on the worst case observed among the three evaluations.

Finally, the last report is the Risk Treatment report, which will include the company’s official directives for each risk identified in the previous reports, as well as information for future audits of these treatments. Each risk will include the following information:

  • Treatments reviewed and approved by management;
  • Implementation guide and schedule;
  • Objectives and desired outcomes for the treatment;
  • Metrics for comparing the results obtained after treatment.

DOCUMENT MANAGEMENT

This document is valid from the date of its most recent approval and is the responsibility of the Projects team of 2CLIX TECNOLOGIA EIRELI. The update cycle for this document is semiannual and must always be carried out based on an assessment of the effectiveness and suitability of this document in relation to the company’s other policies and processes.

To ensure a concise and clear assessment, the following evaluation criteria will be used:

  • Number of incidents caused by unclear or uncertain definitions in the risk management methodology;
  • Time wasted by employees resolving harmless issues incorrectly defined as risks;
  • Security incidents involving risks not indicated by the process or considered harmless in the risk identification phase;
  • Redundant or conflicting processes caused by poor planning of risk treatments;
  • Inefficient treatments or metrics that are ineffective for a concise evaluation.

Records of incidents involving the content of this document and its “child” reports will be stored in a specific folder in the 2CLIX TECNOLOGIA EIRELI document directory.
