PURPOSE:

To establish a process to manage risks to Scoreplay that result from threats to the confidentiality, integrity and availability of data and Information Systems.

SCOPE:

This policy applies to all electronic data created, stored, processed or transmitted by Scoreplay, and the Information Systems used with that data.

POLICY:

  1. Scoreplay must assess all Information Systems for risks that result from threats to the integrity, availability and confidentiality of clubs' data. Assessments should be completed prior to the purchase of, or significant changes to, an Information System, and at least every 6 months for systems that store, process or transmit Restricted Data.
  2. Risks identified by a risk assessment must be mitigated or accepted prior to the system being placed into operation.
  3. Residual risks may only be accepted on behalf of Scoreplay by a person with the appropriate level of authority as determined by the Chief Technological Officer. Approval authority may be delegated if documented in writing, but ultimate responsibility for risk acceptance cannot be delegated.
  4. Each Information System must have a system security plan, prepared using input from risk, security and vulnerability assessments.

RESPONSIBILITIES:

  1. The Chief Technological Officer is responsible for ensuring that their unit conducts risk assessments on Information Systems and uses the Scoreplay-approved process.
  2. The Chief Technological Officer is responsible for assessing and mitigating risks using the Scoreplay-approved process.
  3. The Chief Technological Officer is responsible for ensuring that Information Systems under their control are assessed for risk and that identified risks are mitigated, transferred or accepted.
  4. The Chief Technological Officer is responsible for implementing systems and specifications to facilitate unit compliance with this policy.