Polygon Labs uses a process-driven risk management framework to systematically assess, manage, and reduce security risk while aligning security controls to international compliance requirements. The program provides a view of Polygon Labs’ current security posture and informs the security roadmap as new controls are implemented and reassessed against a changing threat environment.

Risk assessment

Risk assessments enumerate threats, identify vulnerabilities, and determine the organizational impact and likelihood of each threat. This process informs decisions about implementing or improving security controls and measuring residual risk. Assessments provide a risk-based approach to identifying high-priority areas of focus.

Standardized controls

For cloud environments, Polygon Labs applies the CIS v8 control set as a baseline for security control implementation.

Residual risk

Every risk identified in an assessment requires a plan of action: reduce, avoid, transfer, or accept. Mitigation decisions are driven by a cost-benefit analysis using both the Factor Analysis of Information Risk (FAIR) methodology and qualitative approaches. FAIR is an internationally accepted standard that quantifies risk in financial terms.

Compliance

Polygon Labs maps security controls to compliance initiatives including ISO 27002. ISO 27002 controls provide broad mapping to other compliance requirements, supporting consistent alignment across frameworks.

Security roadmap

The risk management program continuously maps to the controls implementation framework, adjusting as new threats emerge and as the internal product suite evolves.

Monitoring

Polygon Labs works toward continuous monitoring for situational awareness and security posture management.

Benchmarks

Where possible, Polygon Labs applies benchmarks that provide specific and measurable metrics for control compliance. These benchmarks produce key performance indicators (KPIs) that guide implementation and feed into residual risk and continuous assessment activities. Metrics are automated where feasible, for example using scanning tools that directly measure control compliance against benchmarks. The risk management framework is supported by internal and external resources, including penetration testers and auditors, for independent verification and validation.