Purpose

To establish a process for assessing Information Systems for risks to systems and data; documenting and communicating those risks to Scoreplay leadership to make decisions regarding the treatment or acceptance of those risks. The security and privacy of Restricted Data will be a primary focus of risk assessments.

Standard

1. Risk assessments will be conducted:
   • Prior to acquisition of Information Systems.
   • When an existing Information System undergoes a significant change in technology or use that would affect its risk posture. Examples include significant software upgrades, changes in hosting platforms or vendors, or changes in the data classification or volume of records stored, processed or transmitted by the system.
   • At least every six months for systems that store, process or transmit Restricted Data and one year for all other systems.
2. The approved risk assessment process will include the following:
   • The scope of the assessment.
   • An assessment of security control implementation.
   • Report documenting threats, vulnerabilities and risks associated with the Information System.
   • Recommendations to increase the security posture of the Information System.
3. The Chief Technological Officer will retain Risk Assessment records according to retention schedules and applicable laws.