Finducation™

Finducation - EZBudget™

Security Risk Assessment Policy and Program

Annual risk assessment program for EZBudget and related production systems.

Document ID: EZB-SRA-001
Version: 1.0
Effective Date: July 8, 2026
Last Review Date: July 8, 2026
Assessment Cadence: At least annually
Owner: Deseo Developers LLC (Engineering/Security)

1. Policy Statement

EZBudget maintains a documented security risk assessment policy and operational program to identify, evaluate, prioritize, and remediate information security risks. Formal risk assessments are performed at least annually and additionally when significant system, architecture, or threat changes occur.

Documented Policy Operational Program Annual Minimum Cadence

2. Scope

  • EZBudget web and mobile application interfaces
  • Backend APIs and serverless function surface
  • Data handling, session/authentication, and integration boundaries
  • Build, deployment, and runtime operational controls
  • Third-party components and service dependencies that impact security posture

3. Roles and Responsibilities

Role Responsibility
Policy Owner Maintains policy, approves updates, confirms annual assessment completion.
Engineering Lead Coordinates assessments, triages findings, and tracks remediation actions.
Development Team Implements controls, provides evidence, and addresses assigned risk treatments.

4. Risk Assessment Methodology

4.1 Identification

  • Review architecture, code changes, integrations, and data flows for exposure points.
  • Evaluate known threat categories (injection, auth/session misuse, data leakage, misconfiguration).
  • Use control evidence from secure coding checks, code review, and operational logging.

4.2 Analysis

  • Rate each risk by likelihood and impact (business, customer, compliance, and operational dimensions).
  • Determine control strength and residual risk after existing safeguards.

4.3 Treatment

  • Apply one treatment per finding: mitigate, accept (with rationale), transfer, or avoid.
  • Assign owner and target date for mitigation actions.
  • Reassess residual risk after remediation implementation.

5. Assessment Cadence and Triggers

  • Scheduled: Full risk assessment performed at least once every 12 months.
  • Event-driven: Additional assessments are initiated for material changes such as:
  • New high-impact integrations (e.g., payment/financial data integrations)
  • Major architecture shifts, authentication changes, or deployment model changes
  • Confirmed incidents or high-severity security findings

6. Documentation and Evidence Retention

  • Assessment outputs are documented, including risk register entries, ratings, and treatment decisions.
  • Evidence includes policy records, secure coding control outputs, and remediation tracking artifacts.
  • Records are retained in internal documentation and source-controlled security artifacts.
Existing repository-aligned controls include documented SQL injection guardrails, backend input hardening, and security/code-protection standards.

7. Reporting and Governance Oversight

  • Assessment results are reviewed by policy owner and engineering leadership.
  • High and critical items receive prioritized remediation and follow-up verification.
  • Policy effectiveness and risk trends are reviewed during annual governance updates.

8. Continuous Improvement

  • Methodology and controls are updated based on incidents, assessment outcomes, and threat evolution.
  • Lessons learned are integrated into secure development workflow and architecture decisions.

9. Due Diligence Mapping

Questionnaire Assertion Policy Position
Documented risk assessment policy exists Yes - This document (EZB-SRA-001)
Operational risk assessment program exists Yes - Assessment workflow, treatment assignment, and remediation tracking
Risk assessments performed at least annually Yes - Minimum annual cadence with event-driven assessments as needed

10. Approval

This policy is approved for external partner due diligence responses, including Plaid security/governance questionnaires.

Approved By: Deseo Developers LLC - Authorized Representative

Date: July 8, 2026

Contact: contact@deseodevelopers.com