Finducation - EZBudget™
Security Risk Assessment Policy and Program
Annual risk assessment program for EZBudget and related production systems.
1. Policy Statement
EZBudget maintains a documented security risk assessment policy and operational program to identify, evaluate, prioritize, and remediate information security risks. Formal risk assessments are performed at least annually and additionally when significant system, architecture, or threat changes occur.
Documented Policy Operational Program Annual Minimum Cadence
2. Scope
- EZBudget web and mobile application interfaces
- Backend APIs and serverless function surface
- Data handling, session/authentication, and integration boundaries
- Build, deployment, and runtime operational controls
- Third-party components and service dependencies that impact security posture
3. Roles and Responsibilities
| Role | Responsibility |
|---|---|
| Policy Owner | Maintains policy, approves updates, confirms annual assessment completion. |
| Engineering Lead | Coordinates assessments, triages findings, and tracks remediation actions. |
| Development Team | Implements controls, provides evidence, and addresses assigned risk treatments. |
4. Risk Assessment Methodology
4.1 Identification
- Review architecture, code changes, integrations, and data flows for exposure points.
- Evaluate known threat categories (injection, auth/session misuse, data leakage, misconfiguration).
- Use control evidence from secure coding checks, code review, and operational logging.
4.2 Analysis
- Rate each risk by likelihood and impact (business, customer, compliance, and operational dimensions).
- Determine control strength and residual risk after existing safeguards.
4.3 Treatment
- Apply one treatment per finding: mitigate, accept (with rationale), transfer, or avoid.
- Assign owner and target date for mitigation actions.
- Reassess residual risk after remediation implementation.
5. Assessment Cadence and Triggers
- Scheduled: Full risk assessment performed at least once every 12 months.
- Event-driven: Additional assessments are initiated for material changes such as:
- New high-impact integrations (e.g., payment/financial data integrations)
- Major architecture shifts, authentication changes, or deployment model changes
- Confirmed incidents or high-severity security findings
6. Documentation and Evidence Retention
- Assessment outputs are documented, including risk register entries, ratings, and treatment decisions.
- Evidence includes policy records, secure coding control outputs, and remediation tracking artifacts.
- Records are retained in internal documentation and source-controlled security artifacts.
7. Reporting and Governance Oversight
- Assessment results are reviewed by policy owner and engineering leadership.
- High and critical items receive prioritized remediation and follow-up verification.
- Policy effectiveness and risk trends are reviewed during annual governance updates.
8. Continuous Improvement
- Methodology and controls are updated based on incidents, assessment outcomes, and threat evolution.
- Lessons learned are integrated into secure development workflow and architecture decisions.
9. Due Diligence Mapping
| Questionnaire Assertion | Policy Position |
|---|---|
| Documented risk assessment policy exists | Yes - This document (EZB-SRA-001) |
| Operational risk assessment program exists | Yes - Assessment workflow, treatment assignment, and remediation tracking |
| Risk assessments performed at least annually | Yes - Minimum annual cadence with event-driven assessments as needed |
10. Approval
This policy is approved for external partner due diligence responses, including Plaid security/governance questionnaires.
Approved By: Deseo Developers LLC - Authorized Representative
Date: July 8, 2026
Contact: contact@deseodevelopers.com