Nemu Inc.

📉 Enterprise and Location Risk Assessments

1. Purpose

This document describes Nemu Inc.'s process for assessing risks to its operations, with a focus on services hosted with cloud service providers (CSPs) such as Supabase, Render, and Google Workspace.

2. Risk Assessment Process

Nemu Inc. conducts periodic risk assessments that:

  • Identify key assets (applications, data stores, vendor services).
  • Enumerate threats (e.g., data breaches, outages, misconfigurations).
  • Consider likelihood and impact.
  • Document existing controls and planned improvements.

Techniques used may include:

  • Workshops or reviews involving engineering and leadership.
  • Review of CSP security documentation and advisories.
  • Analysis of prior incidents and near misses.

3. Location Considerations

As a cloud-native and primarily remote organization, physical office risk is limited. Key location-related risks are associated with:

  • CSP data center regions (e.g., cloud region outages).
  • Employee working locations and their device security.

4. Review Frequency

  • Risk assessments are typically reviewed annually or following significant changes to architecture, CSPs, or regulatory expectations.

5. Audit Evidence

  • Risk assessment documents or tables.
  • Identified new risks.
  • Action items or tickets derived from risk findings.
  • Meeting notes or summaries of risk review sessions.

6. Change Control for the Business Resilience Program

Nemu Inc. maintains full documentation for its Business Resilience Program, including policies, BCDR plans, business impact analyses, and enterprise risk assessments. All resilience-related documents are stored in a version-controlled repository, ensuring:

  • Complete version history of updates
  • Tracked changes through commits and pull requests
  • Review and approval before modifications are merged
  • Auditability of all historical updates
  • Centralized access to current and prior versions

7. Operational Risk Assessment Coverage

Nemu Inc.'s operational risk assessments explicitly include the identification and evaluation of risks related to the unavailability or loss of all critical assets and resources. This includes:

  • Application systems: Outage scenarios, deployment failures, dependency failures, and CSP service disruptions.
  • Data: Risks of data loss, corruption, unauthorized modification, and CSP region-level failures.
  • Equipment: Laptops, developer devices, and essential hardware used by team members.
  • Facilities: Although Nemu operates remotely, risks associated with CSP data center facilities and third-party hosting infrastructure are considered.
  • Personnel: Key personnel dependencies, temporary unavailability, and knowledge gaps.
  • Paper documents: Paper-based materials are minimal, but any sensitive documents are tracked and managed with secure storage and disposal practices.

These risks are analyzed for likelihood and impact and mapped to mitigation controls within the Business Resilience and BCDR processes.

8. Compliance Mapping

  • SOC 2: CC3.2, CC3.4
  • ISO 27001:2013: A.6.1.2, A.8.2.1

Contact: support@mynemu.com
© 2025 Nemu Inc. All rights reserved.
