
Risk management

Polygon Labs’ approach to security risk management is a process-driven approach that uses a risk management framework to systematically assess, manage, and mitigate risk, while aligning security controls to international compliance requirements. The program provides a real-time view of Polygon Labs’ current security posture and informs the security roadmap as new controls are continuously implemented and re-assessed to adjust for a dynamic threat environment. Some key initiatives and aspects of the Polygon Labs Infrastructure Information Risk Management Program include:

Risk assessment

The objective of a risk assessment is to enumerate threats, identify vulnerabilities, and determine the organizational impact of each threat along with the likelihood of it occurring. This process informs other aspects of the risk management process, including assessing the implementation or enhancement of security controls and measuring organizational residual risk. A risk assessment provides a risk-based approach to systematically identifying high-risk areas of focus.

Standardized controls

While every situation is unique, we understand the benefit of best practices. For the cloud, we use the CIS Controls v8 control set.

Residual risk

Any risk identified during a risk assessment requires analysis and a plan of action (i.e. Reduce, Avoid, Transfer, or Accept). The implementation of mitigating controls is driven by a cost-benefit analysis of the impact and the mitigation, using both the Factor Analysis of Information Risk (FAIR) and qualitative approaches. FAIR is an internationally accepted standard that quantifies risk in financial terms.


Polygon Labs maps security controls to various compliance initiatives such as ISO 27002. ISO 27002 controls provide near-universal mapping to other compliance requirements.

Security roadmap

The risk management program continuously maps to the controls implementation framework as we adjust to new threats and an evolving internal product suite.


We strive for continuous monitoring for situational awareness and security posture management.


Where possible, we apply benchmarks that provide specific and measurable metrics for compliance with control requirements and policies. This provides KPIs that guide implementation efforts, which in turn feed into our residual risk analysis and any continuous risk assessment activities. We strive to automate metrics, for example by using scanning tools that directly measure control compliance against benchmarks.

The risk management framework is supported by various internal and external resources including penetration testers and auditors for independent verification and validation.