
| Key | Name | Treatment | Occurrence Likelihood (OL) | Impact Effect (IE) | Inherent Risk (OL*IE) | Control Weighting (CW) | Maturity Level (ML) | Mitigating Factor (MF) | Residual Risk |
|---|---|---|---|---|---|---|---|---|---|
| R-334 | (GOV-01) : Risk - Digital Security Governance Program | Mitigate Risk | Highly Unlikely | Catastrophic | High | 6 | 0 | No Mitigating Factors Available | 72 |
| R-335 | (AST-02) : Risk - Asset Inventories | Mitigate Risk | Possible | Major | High | 10 | 2 | Minimal Risk Reduction | 129.6 |
| R-336 | (GOV-02) : Risk - Steering Committee | Mitigate Risk | Possible | Catastrophic | Severe | 10 | 1 | No Mitigating Factors Available | 240 |
| R-341 | (GOV-07) : Risk - Contacts with Authorities | Mitigate Risk | Remote | Moderate | Low | 10 | 2 | No Mitigating Factors Available | 27 |
| R-342 | (GOV-08) : Risk - Contacts with Security Groups & Associations | Mitigate Risk | Remote | Moderate | Low | 10 | 5 | Moderate Risk Reduction | 10.5 |
| R-343 | (BCD-01) : Risk - Business Continuity Management System (BCMS) | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-344 | (BCD-02) : Risk - Continuity Plan Testing & Exercises | Mitigate Risk | Remote | Moderate | Low | 10 | 4 | No Mitigating Factors Available | 18 |
| R-345 | (CAP-02) : Risk - Capacity Planning | Mitigate Risk | Remote | Moderate | Low | 10 | 5 | N/A - Not Required | 0 |
| R-346 | (CHG-01) : Risk - Change Management Program | Mitigate Risk | Almost Certain | Catastrophic | Extreme | 10 | 1 | No Mitigating Factors Available | 360 |
| R-347 | (CPL-01) : Risk - Statutory, Regulatory & Contractual Compliance | Mitigate Risk | Almost Certain | Moderate | High | 10 | 1 | No Mitigating Factors Available | 180 |
| R-348 | (CPL-02) : Risk - Non-Compliance Oversight | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-349 | (CPL-03) : Risk - Security Controls Oversight | Mitigate Risk | Almost Certain | Moderate | High | 10 | 1 | No Mitigating Factors Available | 180 |
| R-350 | (CPL-04) : Risk - Internal Audit Function | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-351 | (CPL-05) : Risk - Security Assessments | Mitigate Risk | Likely | Moderate | High | 10 | 1 | Moderate Risk Reduction | 105 |
| R-352 | (CPL-06) : Risk - Independent Assessors | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | Significant Risk Reduction | 15 |
| R-353 | (CPL-07) : Risk - Functional Review of Security Controls | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-354 | (CPL-08) : Risk - Audit Activities | Mitigate Risk | Possible | Moderate | High | 10 | 1 | No Mitigating Factors Available | 120 |
| R-355 | (AST-01) : Risk - Asset Governance | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-356 | (AST-03) : Risk - Software Licensing Restrictions | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-357 | (AST-04) : Risk - Assigning Ownership Of Assets | Mitigate Risk | Highly Unlikely | Minor | Low | 5 | 3 | Moderate Risk Reduction | 9.8 |
| R-363 | (AST-09) : Risk - Removal of Assets | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-364 | (AST-10) : Risk - Tamper Protection | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-365 | (CFG-01) : Risk - Configuration Management Program | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-366 | (MON-02) : Risk - System Generated Alerts | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-367 | (CRY-01) : Risk - Use of Cryptographic Controls | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-369 | (CRY-08) : Risk - Control & Distribution of Cryptographic Keys | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-370 | (DCH-01) : Risk - Data Protection | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-371 | (DCH-02) : Risk - Data & Asset Classification | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-376 | (DCH-09) : Risk - Information Sharing | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-377 | (DCH-10) : Risk - Ad-Hoc Transfers | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-378 | (END-01) : Risk - Endpoint Security | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-379 | (END-03) : Risk - Access Restriction for Change | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-380 | (HRS-01) : Risk - Roles & Responsibilities | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-381 | (HRS-02) : Risk - Competency Requirements for Security-Related Positions | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-382 | (HRS-03) : Risk - Personnel Screening | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-383 | (HRS-04) : Risk - Terms of Employment | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-384 | (HRS-05) : Risk - Rules of Behavior | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-385 | (HRS-06) : Risk - Social Media & Social Networking Restrictions | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-386 | (HRS-07) : Risk - Use of Communications Technology | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-387 | (HRS-08) : Risk - Use of Mobile Devices | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-388 | (HRS-09) : Risk - Access Agreements | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-389 | (HRS-10) : Risk - Confidentiality Agreements | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-390 | (HRS-11) : Risk - Personnel Sanctions | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-391 | (HRS-13) : Risk - Personnel Termination | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-392 | (HRS-14) : Risk - Incompatible Roles | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-393 | (IAC-01) : Risk - Identity & Access Management | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-394 | (IAC-04) : Risk - Termination of Employment | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-395 | (IAC-14) : Risk - User Responsibilities for Account Management | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-396 | (IAC-15) : Risk - Access Enforcement | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-397 | (IAC-16) : Risk - Use of Privileged Utility Programs | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-398 | (IAC-17) : Risk - Least Privilege | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-399 | (IRO-01) : Risk - Incident Response Operations | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-400 | (IRO-02) : Risk - Incident Handling | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-401 | (IRO-03) : Risk - Integrated Incident Response Program (IIRP) | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-402 | (IRO-04) : Risk - Integrated Security Incident Response Team | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-403 | (IRO-05) : Risk - Chain of Custody & Forensics | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-404 | (IRO-06) : Risk - Incident Stakeholder Reporting | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-405 | (IRO-07) : Risk - Root Cause Analysis (RCA) & Lessons Learned | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-406 | (MNT-01) : Risk - Maintenance Operations | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-407 | (MDM-01) : Risk - Centralized Management of Mobile Devices | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-408 | (MDM-02) : Risk - Access Control for Mobile Devices | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-409 | (MDM-03) : Risk - Remote Purging | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-410 | (NET-01) : Risk - Network Security Management | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-411 | (NET-06) : Risk - Network Segmentation | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-412 | (PES-01) : Risk - Physical & Environmental Protections | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-413 | (PRI-01) : Risk - Privacy Program | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-414 | (PRI-07) : Risk - Information Sharing with Third Parties | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-415 | (PRI-08) : Risk - Privacy Requirements for Contractors & Service Providers | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-416 | (PRI-09) : Risk - Testing, Training & Monitoring | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-417 | (PRM-01) : Risk - Security Portfolio Management | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-418 | (PRM-02) : Risk - Security & Privacy Resource Management | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-419 | (PRM-03) : Risk - Allocation of Resources | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-420 | (PRM-04) : Risk - Security & Privacy in Project Management | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-421 | (PRM-05) : Risk - Security & Privacy Requirements Definition | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-422 | (PRM-06) : Risk - Secure Development Lifecycle (SDL) Management | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-423 | (RSK-01) : Risk - Risk Management Program | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-424 | (RSK-02) : Risk - Risk Identification | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-425 | (RSK-03) : Risk - Risk Assessment | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-426 | (RSK-04) : Risk - Risk Register | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-427 | (RSK-05) : Risk - Risk Ranking | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-428 | (RSK-06) : Risk - Risk Remediation | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-429 | (RSK-07) : Risk - Risk Response | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-430 | (RSK-08) : Risk - Risk Assessment Update | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-431 | (RSK-09) : Risk - Business Impact Analysis | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-432 | (RSK-10) : Risk - Supply Chain Risk Assessment | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-433 | (RSK-11) : Risk - Data Protection Impact Assessment | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-434 | (SEA-01) : Risk - Secure Engineering Principles | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-435 | (SEA-02) : Risk - Alignment with Enterprise Architecture | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-436 | (OPS-01) : Risk - Operations Security | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-437 | (OPS-02) : Risk - Standardize Operating Procedures (SOP) | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-438 | (OPS-03) : Risk - Security Concept of Operations (CONOPS) | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-439 | (SAT-01) : Risk - Security & Privacy-Minded Workforce | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-440 | (SAT-02) : Risk - Security & Privacy Awareness | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-441 | (SAT-03) : Risk - Security & Privacy Training | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-442 | (TDA-01) : Risk - Technology Development & Acquisition | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-443 | (TDA-02) : Risk - Security Requirements | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-444 | (TDA-03) : Risk - Development Methods, Techniques & Processes | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-445 | (TDA-05) : Risk - Secure Development Environments | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-446 | (TDA-07) : Risk - Security & Privacy Testing Throughout Development | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-447 | (TDA-09) : Risk - Developer Configuration Management | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-448 | (TPM-01) : Risk - Third-Party Management | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-449 | (TPM-02) : Risk - Supply Chain Protection | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-450 | (TPM-03) : Risk - Third-Party Services | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-451 | (TPM-04) : Risk - Third-Party Contract Requirements | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-452 | (TPM-05) : Risk - Review of Third-Party Services | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-453 | (TPM-06) : Risk - Third-Party Deficiency Remediation | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-454 | (TPM-07) : Risk - Managing Changes to Third-Party Services | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-455 | (VPM-01) : Risk - Vulnerability & Patch Management Program | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-456 | (VPM-02) : Risk - Vulnerability Remediation Process | Mitigate Risk | Highly Unlikely | Catastrophic | High | 10 | 1 | No Mitigating Factors Available | 120 |
| R-457 | (VPM-03) : Risk - Continuous Vulnerability Remediation Activities | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-458 | (VPM-04) : Risk - Flaw Remediation with Personal Data (PD) | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-459 | (VPM-05) : Risk - Software Patching | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-486 | (BCD-03) : Risk - Alternate storage & processing site | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-487 | (BCD-04) : Risk - Data backups | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-488 | (BCD-05) : Risk - Testing for reliability & integrity | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-489 | (BCD-06) : Risk - Cryptographic protection | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-490 | (BCD-07) : Risk - Redundant secondary system | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-491 | (CAP-01) : Risk - Capacity & performance management | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-492 | (CHG-02) : Risk - Configuration change control | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-493 | (CHG-03) : Risk - Test, validate & document changes | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-494 | (CFG-02) : Risk - System hardening through baseline configurations | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-495 | (CFG-03) : Risk - Least functionality | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-496 | (CFG-04) : Risk - Periodic review | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-497 | (MON-01) : Risk - Continuous monitoring | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-498 | (MON-03) : Risk - Central review & analysis | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-499 | (MON-04) : Risk - Content of audit records | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-500 | (MON-05) : Risk - Privileged functions logging | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-501 | (MON-06) : Risk - Protection of audit information | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-502 | (CRY-03) : Risk - Transmission confidentiality | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-503 | (CRY-04) : Transmission integrity | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-504 | (CRY-05) : Encrypting data at rest | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-505 | (CRY-06) : Cryptographic key management | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-506 | (CRY-07) : Cryptographic key loss or change | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-507 | (DCH-11) : Media & data retention | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-508 | (END-02) : Prohibit installation without privileged status | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-509 | (END-04) : Malicious code protection (Anti-malware) | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-510 | (END-05) : Automatic updates | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-511 | (IAC-02) : User provisioning & de-provisioning | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-512 | (IAC-03) : Change of roles & duties | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-513 | (IAC-05) : Role-based access control (RBAC) | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-514 | (IAC-06) : User identity (ID) management | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-515 | (IAC-07) : Authenticator Management | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-516 | (IAC-08) : Password-based Authentication | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-517 | (IAC-09) : Protection Of Authenticators | Mitigate Risk | Remote | Insignificant | Low | 10 | 1 | No Mitigating Factors Available | 10 |
| R-518 | (IAC-10) : Account Management | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-519 | (IAC-11) : Disable Inactive Accounts | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-520 | (IAC-12) : Privileged Account Management (PAM) | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-521 | (IAC-13) : Periodic Review Of User Privileges | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-522 | (IAC-18) : Account Lockout | Mitigate Risk | Remote | Critical | Moderate | 10 | 1 | No Mitigating Factors Available | 50 |
| R-523 | (MNT-02) : Controlled Maintenance | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-524 | (NET-02) : Layered Defenses | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-525 | (NET-03) : Boundary Protection | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-526 | (NET-04) : Data Flow Enforcement – Access Control Lists (ACLs) | Mitigate Risk | Remote | Minor | Low | 10 | 1 | No Mitigating Factors Available | 20 |
| R-527 | (NET-05) : Deny Traffic By Default & Allow Traffic By Exception | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-528 | (NET-07) : DMZ Networks | Mitigate Risk | Highly Unlikely | Moderate | Moderate | 10 | 1 | No Mitigating Factors Available | 60 |
| R-529 | (NET-08) : Remote Access | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-530 | (PES-02) : Physical Access Authorizations | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-531 | (PES-03) : Physical Access Control | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-532 | (PES-04) : Physical Access Logs | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-533 | (PES-05) : Physical Security Of Offices, Rooms, Facilities & Secure Areas | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-534 | (PES-06) : Visitor Control | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-535 | (SEA-03) : Secure Log-on Procedures | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
| R-536 | (SEA-04) : Clock Synchronization | Mitigate Risk | Remote | Moderate | Low | 10 | 1 | No Mitigating Factors Available | 30 |
Control Maturity / CAP

▪ Accurately reflects the current system(s);
▪ Is available for review and audit by designated organizational officials.

Control Maturity can be achieved through the following:

▪ Tagging the asset's location as Internal/External.
▪ Adding the ownership details against each asset.
▪ Adding the inventory updated and review dates.
▪ Description of the assets with make/model details (unique parameter for each asset).

The following risks from Syniti's RMP Risk Catalog are applicable:

R-AC-2: Improper assignment of privileged functions
R-AC-3: Privilege escalation
R-AC-4: Unauthorized access
R-AM-2: Loss of integrity through unauthorized changes
R-BC-1: Business interruption
R-BC-2: Data loss / corruption
R-BC-3: Reduction in productivity
R-BC-4: Information loss / corruption or system compromise due to technical attack
R-EX-6: Unmitigated vulnerabilities
R-GV-1: Inability to support business processes
R-GV-2: Incorrect controls scoping
R-GV-4: Inadequate internal practices
R-GV-5: Inadequate third-party practices
R-GV-6: Lack of oversight of internal controls
R-GV-7: Lack of oversight of third-party controls
R-IR-1: Inability to investigate / prosecute incidents

The following risks from Syniti's RMP Risk Catalog are applicable:

R-AC-1: Inability to maintain individual accountability
R-AC-2: Improper assignment of privileged functions
R-AC-3: Privilege escalation
R-AC-4: Unauthorized access
R-AM-1: Lost, damaged or stolen asset(s)
R-AM-2: Loss of integrity through unauthorized changes
R-BC-1: Business interruption
R-BC-2: Data loss / corruption
R-BC-3: Reduction in productivity
R-BC-4: Information loss / corruption or system compromise due to technical attack
R-BC-5: Information loss / corruption or system compromise due to non-technical attack
R-EX-1: Loss of revenue
R-EX-2: Cancelled contract
R-EX-4: Diminished reputation
R-EX-6: Unmitigated vulnerabilities
R-EX-7: System compromise
R-GV-1: Inability to support business processes
R-GV-2: Incorrect controls scoping
R-GV-3: Lack of roles & responsibilities
R-GV-4: Inadequate internal practices
R-GV-5: Inadequate third-party practices
| Occurrence Likelihood (OL) | Score | Description |
|---|---|---|
| Almost Certain | 6 | Virtual certainty the event will occur at some time, under normal business conditions, t |
| Likely | 5 | Likely to expect the event to occur at some time, under normal business conditions, tha |
| Possible | 4 | Reasonable to expect the event could occur at some time, under normal business cond |
| Unlikely | 3 | Unlikely to expect the event to occur at some time, under normal business conditions, |
| Highly Unlikely | 2 | Highly-unlikely event that can be quantified as between a 1%-10% chance of occurrenc |
| Remote | 1 | Theoretically possible. The likelihood of occurring can be quantified as less than a 1% c |

| Impact Effect (IE) | Score | Description |
|---|---|---|
| Catastrophic | 6 | Critical, long-term damage or service impact. Financial and reputational damage could |
| Critical | 5 | Critical, short-term damage or service impact. Financial and reputational damage could |
| Major | 4 | Major damage or service impact. Extensive reputational and financial impact, but not e |
| Moderate | 3 | Noticeable damage or service impact. Harmful reputational and financial impact, but n |
| Minor | 2 | Localized or minimal damage or service impact. Minor reputational and financial impac |
| Insignificant | 1 | Little to no damage or service impact. No reputational or financial impact. |

| Maturity Level (ML) | Value | Description |
|---|---|---|
| 0 | 1 | Not Performed |
| 1 | 1 | Performed Informally |
| 2 | 0.9 | Planned & Tracked |
| 3 | 0.7 | Well Defined |
| 4 | 0.6 | Quantitatively Controlled |
| 5 | 0.5 | Continuously Improving |

| Maturity Factor (MF) | Value | Description |
|---|---|---|
| N/A - Not Required | 0 | Not Performed |
| No Mitigating Factors Available | 1 | Performed Informally |
| Minimal Risk Reduction | 0.9 | Planned & Tracked |
| Moderate Risk Reduction | 0.7 | Well Defined |
| Significant Risk Reduction | 0.5 | Quantitatively Controlled |

| Inherent Risk Category | Inherent Risk Range (Low Level) | Inherent Risk Range (High Level) |
|---|---|---|
| Low | 0 | 4 |
| Moderate | 5 | 11 |
| High | 12 | 19 |
| Severe | 20 | 29 |
| Extreme | 30 | 36 |
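The scoring model behind the register's Inherent Risk and Residual Risk columns, reconstructed from the lookup tables above and re-checked against the register's own rows. This is an added example, not Syniti's or the page's own code; the formula Residual = (OL × IE) × CW × ML value × MF value is inferred from the tables and the rows it reproduces, and the `RiskRow` type and function names are this example's assumptions.

```python
"""Recompute the register's residual-risk column from its scoring tables.

Model inferred from the page's lookup tables and verified against its rows:
  Inherent = OL * IE  (categorised by the Inherent Risk Range table)
  Residual = Inherent * CW * ML_value * MF_value
"""
from dataclasses import dataclass

# Lookup tables exactly as printed on the page.
OL_SCORE = {"Almost Certain": 6, "Likely": 5, "Possible": 4,
            "Unlikely": 3, "Highly Unlikely": 2, "Remote": 1}
IE_SCORE = {"Catastrophic": 6, "Critical": 5, "Major": 4,
            "Moderate": 3, "Minor": 2, "Insignificant": 1}
ML_VALUE = {0: 1.0, 1: 1.0, 2: 0.9, 3: 0.7, 4: 0.6, 5: 0.5}
MF_VALUE = {"N/A - Not Required": 0.0,
            "No Mitigating Factors Available": 1.0,
            "Minimal Risk Reduction": 0.9,
            "Moderate Risk Reduction": 0.7,
            "Significant Risk Reduction": 0.5}
# Inherent risk category by inclusive (low, high) range of OL*IE.
CATEGORY_RANGES = [("Low", 0, 4), ("Moderate", 5, 11), ("High", 12, 19),
                   ("Severe", 20, 29), ("Extreme", 30, 36)]


@dataclass(frozen=True)
class RiskRow:
    """One register row (assumed shape); recorded_residual is the sheet's value."""
    key: str
    ol: str
    ie: str
    cw: int
    ml: int
    mf: str
    recorded_residual: float


def inherent_score(ol: str, ie: str) -> int:
    """OL * IE; a rating missing from the tables raises KeyError on purpose."""
    return OL_SCORE[ol] * IE_SCORE[ie]


def inherent_category(score: int) -> str:
    """Map an OL*IE score onto the Low..Extreme bands from the range table."""
    for name, low, high in CATEGORY_RANGES:
        if low <= score <= high:
            return name
    raise ValueError(f"score {score} is outside the 0-36 range the table covers")


def residual_risk(row: RiskRow) -> float:
    """Inherent * CW * ML value * MF value, rounded as the register prints it."""
    inherent = inherent_score(row.ol, row.ie)
    return round(inherent * row.cw * ML_VALUE[row.ml] * MF_VALUE[row.mf], 1)


def audit(rows) -> list:
    """Keys whose recorded residual disagrees with the recomputed value."""
    return [r.key for r in rows if residual_risk(r) != r.recorded_residual]


# Rows copied from the register above (values as the page records them).
REGISTER = [
    RiskRow("R-334", "Highly Unlikely", "Catastrophic", 6, 0,
            "No Mitigating Factors Available", 72),
    RiskRow("R-335", "Possible", "Major", 10, 2, "Minimal Risk Reduction", 129.6),
    RiskRow("R-336", "Possible", "Catastrophic", 10, 1,
            "No Mitigating Factors Available", 240),
    RiskRow("R-342", "Remote", "Moderate", 10, 5, "Moderate Risk Reduction", 10.5),
    RiskRow("R-345", "Remote", "Moderate", 10, 5, "N/A - Not Required", 0),
    RiskRow("R-357", "Highly Unlikely", "Minor", 5, 3, "Moderate Risk Reduction", 9.8),
]

if __name__ == "__main__":
    for r in REGISTER:
        s = inherent_score(r.ol, r.ie)
        print(r.key, s, inherent_category(s), residual_risk(r))
    print("rows that do not recompute:", audit(REGISTER))
```

Running `audit` over a full export is the quick check that the sheet's residual column was not hand-edited after the ratings changed; any key it returns is a row whose numbers no longer follow the scoring tables.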
