Policy Owner: CISO
Effective Date: May 8, 2026
Reviewed: Annually
Next Review: May 8, 2027

Purpose

To define actions to address Neuroscale information-security risks and opportunities. To define a plan for the achievement of information-security and privacy objectives.

Scope

  • All Neuroscale IT systems that process, store, or transmit confidential, private, or business-critical data.
  • Risks affecting medium- to long-term goals as well as risks encountered in day-to-day delivery.
  • Risk-management systems and processes are targeted to achieve maximum benefit without excessive bureaucratic burden.
  • Materiality of risk is considered in developing systems and processes to manage risk.
  • Applies to all Neuroscale employees and external parties — consultants, contractors, business partners, vendors, suppliers, outsourced service providers — with access to Neuroscale networks and system resources.

Risk-management statement

Inadequate IT risk management exposes Neuroscale to compromise of company or customer systems, services, and information; cyber-attacks; and contractual or legal issues. Risk management is an integral part of Neuroscale’s governance and management at strategic and operational levels.

Risk-management strategy

Neuroscale identifies risks that hinder achievement of strategic and operational objectives and ensures it has the means to identify, analyze, control, and monitor those risks. The risk-management strategy and policy are reviewed regularly. The CISO, in coordination with the General Counsel and as part of the annual policy-review cycle (and supported by the external SOC 2 / ISO 27001 auditor’s fieldwork), ensures:
  • The policy is applied to all applicable areas of Neuroscale.
  • The policy and its operational application are regularly reviewed.
  • Non-compliance is reported to appropriate company officers and authorities.
Neuroscale does not currently maintain a separate internal-audit function; if and when an audit committee or internal-audit role is constituted, the responsibilities above transition to that function.

Practical application

Neuroscale uses a standard format for identification, classification, and evaluation of risks based on:
  • ISO 27005
  • NIST 800-30
  • NIST 800-37
Risks are assessed and ranked by impact and likelihood. A formal risk assessment and network penetration tests are performed at least annually and take into account the results of any technical vulnerability-management activities carried out under Operations Security.

Risk categories

  • Reputational
  • Contractual
  • Regulatory / Compliance
  • Economic / Financial
  • Fraud
  • Privacy
  • Environmental & Sustainability
  • Impact on People
  • Use of Cloud Services
  • Operational Capacity
  • AI / Model Risk — bias, fairness, hallucination, data-leakage, model-driven harm; tiered per AI Acceptable Use and assessed against the NIST AI RMF and EU AI Act Art. 9 risk-management requirements
Each risk is assessed for likelihood and impact on a 1–5 scale.

Risk criteria

Risk is the combined likelihood and impact of an event adversely affecting confidentiality, availability, integrity, or privacy of organizational and customer information, PII, or business information systems. For risk inputs (assessments, vulnerability scans, penetration tests, bug bounty), management reserves the right to modify rankings based on the nature and criticality of the system processing as well as the nature, criticality, and exploitability of the identified vulnerability.

Risk response, treatment, and tracking

Risk is prioritized and maintained in a risk register. Possible responses:
  • Mitigate — take actions or strategies to reduce the risk.
  • Accept — accept and monitor the risk; common for some external-event risks.
  • Transfer — pass the risk to another party (contractual terms, insurance).
  • Avoid — cease or change the activity to end the risk.
Where the response is anything other than Accept or Avoid, a Risk Treatment Plan is developed. The current risk register lives in the Vanta risk register (Vanta tenant — internal access only; reviewers without a Neuroscale Vanta account see a login page).

Procedures

  • Maintain a Risk Register and Treatment Plan.
  • Risks are ranked critical, high, medium, low, negligible by likelihood × impact.
  • Where possible, risks are also quantified as an estimated monetary loss.
  • Respond to risks in a prioritized fashion considering likelihood, impact, cost, work effort, and resource availability.
  • Regular reports to senior leadership ensure risks are mitigated appropriately and aligned with business priorities.

Information security in project management

Information-security risk is considered as part of all projects that are technical in nature or which can pose a risk to the company, regardless of size, duration, or domain:
  • Initial information-security risk assessments.
  • Early identification and addressing of information-security requirements.
  • Ongoing assessment and management of risks, especially regarding internal and external project communications.

Roles and responsibilities

Role                                    Responsibility
CEO                                     Ultimately responsible for the acceptance and treatment of any risks to the organization.
CISO                                    Owns the information-security risk-management program: approves avoidance, remediation, transference, or acceptance for each risk in the Risk Register; leads identification and treatment-plan development; communicates risks to executive leadership; adopts treatments per executive direction.
System Owners                           Identify risks within their systems; participate in treatment planning; report status to the CISO.
Function Leads (CTO, CFO, CHRO, etc.)   Identify and report risks within their function; cooperate on treatment plans.
All personnel                           Identify and report observed risks, weaknesses, and incidents per the Information Security Policy.

Risk-assessment process (NIST 800-30)

1. Prepare

  • Identify the purpose of the assessment.
  • Identify scope, assumptions, and constraints.
  • Identify sources of information — architectural diagrams, regulations, threat sources, threat events, vulnerabilities, potential impacts, existing controls.

2. Conduct

  • Identify threat sources (human, environmental, natural, system/equipment) — consider capability, motive, intent.
  • Identify threat events.
  • Identify vulnerabilities — consider influencing conditions.
  • Determine likelihood — consider threat-source characteristics, exposure, safeguards.
  • Determine impact — business/operational, financial, reputation, legal/regulatory.
  • Determine overall risk = likelihood × impact.

3. Communicate

  • Communicate results to decision-makers and executive leadership.
  • Share with appropriate personnel to support response efforts.

4. Maintain

  • Monitor risk factors that contribute to changes.
  • Update assessments at minimum annually.

Risk matrix

RISK = LIKELIHOOD × IMPACT
Impact ↓ \ Likelihood →   Very unlikely (1)   Unlikely (2)   Somewhat likely (3)   Likely (4)   Very likely (5)
Very high (5)                      5                10                  15               20                25
High (4)                           4                 8                  12               16                20
Medium (3)                         3                 6                   9               12                15
Low (2)                            2                 4                   6                8                10
Very low (1)                       1                 2                   3                4                 5
Risk level      Description
Low (1–4)       A threat event could be expected to have a limited adverse effect on operations, assets, individuals, customers, or other organizations.
Medium (5–12)   A threat event could be expected to have a serious adverse effect on operations, assets, individuals, customers, or other organizations.
High (15–25)    A threat event could be expected to have a severe adverse effect on operations, assets, individuals, customers, or other organizations.
Scores 13 and 14 are not listed because no product of two ratings on the 1–5 scale equals 13 or 14; every cell of the matrix falls in exactly one band.

Exceptions

Requests for exceptions must be submitted to the CISO for approval.

Violations & enforcement

Non-compliance is addressed with management and CHRO and can result in disciplinary action up to and including termination.

Version history

Version   Date          Description       Author          Approved by
1.0       May 8, 2026   Initial version   Cameron Wolfe   Ishan Jadhwani