Risk Management and Assessment

1. Purpose

At Valstorm LLC, we take a proactive approach to security through a formal risk management program. The purpose of our risk assessment process is to systematically identify, analyze, and evaluate potential threats to our platform and our customers' data. This allows us to prioritize and implement appropriate security controls to mitigate risks to an acceptable level.
2. Risk Assessment Process

Our risk management lifecycle is a continuous process designed to adapt to new technologies and the evolving threat landscape. It includes the following key stages:

  • Risk Identification: We regularly identify potential security risks from a variety of sources. This includes conducting threat modeling, performing vulnerability scans, reviewing internal security audits, and analyzing security incidents.
  • Risk Analysis: Once a risk is identified, we analyze it to determine its potential likelihood and impact. This helps us understand the severity of each risk and its potential consequences for data confidentiality, integrity, and service availability.
  • Risk Evaluation & Treatment: Based on the analysis, we evaluate each risk against our predefined risk tolerance criteria. We then determine the most appropriate treatment strategy, which may include:
    • Mitigate: Applying security controls to reduce the likelihood or impact of the risk.
    • Transfer: Shifting the risk to a third party, such as through insurance or outsourcing.
    • Accept: Formally accepting the risk if it falls within our defined tolerance levels.
    • Avoid: Discontinuing the activity or process that gives rise to the risk.
  • Monitoring and Review: Risk management is an ongoing activity. We continuously monitor our security controls and conduct periodic reviews of our risk assessments to ensure their continued effectiveness and relevance. Assessments are performed at least annually or whenever there is a significant change to our environment, such as the introduction of new technology or a change in data processing activities.

Vendor and Third-Party Risk Management

1. Purpose

Valstorm LLC recognizes that our vendors, suppliers, and third-party partners are an extension of our operations. Our Vendor and Third-Party Risk Management policy ensures that these partners meet our security and compliance standards before they are entrusted with any company or customer data. The goal is to minimize the risks associated with sharing information and relying on external services.
2. Vendor Management Lifecycle

We manage third-party risk through a structured lifecycle approach:

  • Due Diligence and Onboarding: Before entering into any new agreement, we conduct a thorough security review of the potential vendor. This process includes evaluating their security policies, controls, and compliance certifications to ensure they align with our requirements.
  • Contractual Security Requirements: All contracts with third parties who handle our data include specific security obligations. These legally binding agreements mandate that vendors adhere to strict confidentiality, data protection, and incident notification requirements.
  • Ongoing Monitoring: Our responsibility doesn't end after a contract is signed. We perform periodic reviews of our critical vendors to ensure their security posture remains effective over time. This helps us verify their ongoing compliance with our standards.
  • Secure Offboarding: When a relationship with a vendor ends, we follow a formal offboarding process to ensure all access to Valstorm systems and data is revoked in a timely manner and that any retained data is securely returned or destroyed according to our policies.