Risk Catalogue

Austin Songer
4 min read · Aug 10, 2022


RISK CATALOG use case:

  • What are the risks associated with a control deficiency? (e.g., if the control fails, what risk(s) is the organization exposed to?)

Definition of Risk

noun: A situation where someone or something valued is exposed to danger, harm or loss.

verb: To expose someone or something valued to danger, harm or loss.

Where:

  • Danger: state of possibly suffering harm or injury
  • Harm: material / physical damage
  • Loss: destruction, deprivation or inability to use

Risk Grouping: Access Control

| Risk # | Risk | Description of Possible Risk Due To Control Deficiency | NIST CSF Function |
|---|---|---|---|
| R-AC-1 | Inability to maintain individual accountability | There is a failure to maintain asset ownership and it is not possible to have non-repudiation of actions or inactions. | Protect |
| R-AC-2 | Improper assignment of privileged functions | There is a failure to implement least privilege. | Protect |
| R-AC-3 | Privilege escalation | Access to privileged functions is inadequate or cannot be controlled. | Protect |
| R-AC-4 | Unauthorized access | Access is granted to unauthorized individuals, groups or services. | Protect |

Risk Grouping: Asset Management

| Risk # | Risk | Description of Possible Risk Due To Control Deficiency | NIST CSF Function |
|---|---|---|---|
| R-AM-1 | Lost, damaged or stolen asset(s) | Asset(s) is/are lost, damaged or stolen. | Protect |
| R-AM-2 | Loss of integrity through unauthorized changes | Unauthorized changes corrupt the integrity of the system / application / service. | Protect |

Risk Grouping: Business Continuity

| Risk # | Risk | Description of Possible Risk Due To Control Deficiency | NIST CSF Function |
|---|---|---|---|
| R-BC-1 | Business interruption | There is increased latency or a service outage that negatively impacts business operations. | Recover |
| R-BC-2 | Data loss / corruption | There is a failure to maintain the confidentiality of the data (compromise) or data is corrupted (loss). | Recover |
| R-BC-3 | Reduction in productivity | User productivity is negatively affected by the incident. | Protect |
| R-BC-4 | Information loss / corruption or system compromise due to technical attack | Malware, phishing, hacking or other technical attack compromises data, systems, applications or services. | Protect |
| R-BC-5 | Information loss / corruption or system compromise due to non-technical attack | Social engineering, sabotage or other non-technical attack compromises data, systems, applications or services. | Protect |

Risk Grouping: Exposure

| Risk # | Risk | Description of Possible Risk Due To Control Deficiency | NIST CSF Function |
|---|---|---|---|
| R-EX-1 | Loss of revenue | A financial loss occurs from either a loss of clients or an inability to generate future revenue. | Recover |
| R-EX-2 | Cancelled contract | A contract is cancelled due to a violation of a contract clause. | Recover |
| R-EX-3 | Diminished competitive advantage | The competitive advantage of the organization is jeopardized. | Recover |
| R-EX-4 | Diminished reputation | Negative publicity tarnishes the organization's reputation. | Recover |
| R-EX-5 | Fines and judgements | Legal and/or financial damages result from statutory / regulatory / contractual non-compliance. | Recover |
| R-EX-6 | Unmitigated vulnerabilities | Unmitigated technical vulnerabilities exist without compensating controls or other mitigation actions. | Protect |
| R-EX-7 | System compromise | A system / application / service is compromised, affecting its confidentiality, integrity, availability and/or safety. | Protect |

Risk Grouping: Governance

| Risk # | Risk | Description of Possible Risk Due To Control Deficiency | NIST CSF Function |
|---|---|---|---|
| R-GV-1 | Inability to support business processes | Implemented security / privacy practices are insufficient to support the organization's requirements for secure technologies and processes. | Protect |
| R-GV-2 | Incorrect controls scoping | There is incorrect or inadequate controls scoping, which leads to a potential gap or lapse in security / privacy controls coverage. | Identify |
| R-GV-3 | Lack of roles & responsibilities | Documented security / privacy roles & responsibilities do not exist or are inadequate. | Identify |
| R-GV-4 | Inadequate internal practices | Internal practices do not exist or are inadequate. Procedures fail to meet the "reasonable practices" expected by industry standards. | Protect |
| R-GV-5 | Inadequate third-party practices | Third-party practices do not exist or are inadequate. Procedures fail to meet the "reasonable practices" expected by industry standards. | Protect |
| R-GV-6 | Lack of oversight of internal controls | There is a lack of due diligence / due care in overseeing the organization's internal security / privacy controls. | Identify |
| R-GV-7 | Lack of oversight of third-party controls | There is a lack of due diligence / due care in overseeing security / privacy controls operated by third-party service providers. | Identify |
| R-GV-8 | Illegal content or abusive action | There is abusive content / harmful speech / threats of violence / illegal content that negatively affects business operations. | Identify |

Risk Grouping: Incident Response

| Risk # | Risk | Description of Possible Risk Due To Control Deficiency | NIST CSF Function |
|---|---|---|---|
| R-IR-1 | Inability to investigate / prosecute incidents | Response actions either corrupt evidence or impede the ability to prosecute incidents. | Respond |
| R-IR-2 | Improper response to incidents | Response actions fail to act appropriately in a timely manner to properly address the incident. | Respond |
| R-IR-3 | Ineffective remediation actions | There is no oversight to ensure remediation actions are correct and/or effective. | Protect |
| R-IR-4 | Expense associated with managing a loss event | There are financial repercussions from responding to an incident or loss. | Respond |

Risk Grouping: Situational Awareness

| Risk # | Risk | Description of Possible Risk Due To Control Deficiency | NIST CSF Function |
|---|---|---|---|
| R-SA-1 | Inability to maintain situational awareness | There is an inability to detect incidents. | Detect |
| R-SA-2 | Lack of a security-minded workforce | The workforce lacks user-level understanding about security & privacy principles. | Protect |
