# Information Risk Assessment

- Document ID: BD-ISMS-RISK-001
- Version: 1.0
- Effective Date: 2026-03-17
- Classification: Confidential
## Risk Assessment Methodology

- Scale: Qualitative (Low / Medium / High / Critical)
- Frequency: Annual + ad-hoc on significant changes
- Owner: CISO + Risk Committee
- Formula: Risk = Threat × Vulnerability × Impact

| Level | Likelihood | Impact | Risk Score | Response |
|---|---|---|---|---|
| Critical | High/Medium | Catastrophic | 15-20 | Immediate action, escalate |
| High | High | Major | 10-14 | Plan mitigation, assign owner |
| Medium | Medium | Moderate | 5-9 | Monitor, apply controls |
| Low | Low | Minor | 1-4 | Accept, document rationale |
## Risk Register (Sample Risks)

### RISK-001: Unauthorized Access to Client Data

- Asset: Database (SQLite), audit logs containing personal data
- Threat: Compromised admin account, SQL injection, API abuse
- Current Vulnerability: JWT tokens with 1-hour TTL; no rate limiting on data export
- Likelihood: Medium (JWT reduces brute force risk, but token compromise possible)
- Impact: Catastrophic (GDPR breach, $2M+ fines, reputation damage)
- Risk Score: 16 (Critical)

Current Controls:
- ✅ MFA (TOTP) for all admins
- ✅ Password policy (12 chars, complexity, 90d expiration)
- ✅ Audit logging (IP, user-agent, timestamp)
- ✅ JWT token blacklist on logout
- ⚠️ Rate limiting on API (partial)

Mitigation Plan:
1. Implement rate limiting on /api/v1/privacy/export (50 req/hour/user)
2. Add IP-based anomaly detection (alert on sudden location changes)
3. Require re-authentication for sensitive operations (export, delete)
4. Quarterly key rotation for JWT signing key

- Owner: Infrastructure Team
- Target Risk: High (score: 8-10)
- Timeline: Q2 2026
### RISK-002: Supply Chain Compromise (Dependency Attack)

- Asset: Python packages (FastAPI, SQLAlchemy), NPM packages (React), Docker images
- Threat: Malicious package upload, compromised GitHub Actions, typosquatting
- Current Vulnerability: Automated Dependabot updates without human review; many transitive dependencies
- Likelihood: Medium (OWASP A03:2025 #1 CVE vector)
- Impact: Major (backdoor in production, data exfiltration)
- Risk Score: 12 (High)

Current Controls:
- ✅ Dependabot automated updates
- ✅ Trivy container scanning
- ✅ CodeQL code analysis
- ✅ GitHub Actions hardening (read-only secrets)
- ⚠️ No manifest review before merge (automated)

Mitigation Plan:
1. Implement review requirement for all Dependabot PRs (by security team)
2. Pin transitive dependencies in requirements.txt (no auto-upgrade)
3. Deploy lockfile verification (pip freeze, package-lock.json)
4. Quarterly dependency audit (deprecated packages, security advisories)

- Owner: Security Lead
- Target Risk: Medium (score: 6-8)
- Timeline: Q2 2026
### RISK-003: Ransomware / Data Destruction

- Asset: Database, report archives, audit logs
- Threat: Cryptolocker variant, malicious admin, supply chain attack, accidental deletion
- Current Vulnerability: Single point of failure (SQLite file); incremental backup only
- Likelihood: Low (AWS-managed infra, automated backups)
- Impact: Catastrophic (service unavailable, financial loss, client trust loss)
- Risk Score: 10 (High)

Current Controls:
- ✅ Daily incremental + weekly full backups (S3, encrypted)
- ✅ Backup immutability (versioning, retention policy)
- ✅ Quarterly restore test (validation script)
- ✅ RTO 4h, RPO 1h documented
- ⚠️ No write-once replication (secondary region)

Mitigation Plan:
1. Implement cross-region backup replication (AWS S3 cross-region)
2. Enable S3 Object Lock (immutability enforcement)
3. Monthly restore drill (not just quarterly)
4. Implement database transaction logging (point-in-time recovery)

- Owner: Ops Team
- Target Risk: Low (score: 4-6)
- Timeline: Q3 2026
### RISK-004: Unpatched Vulnerability in Production

- Asset: FastAPI, React, Flutter, Docker base images
- Threat: Known CVE (CVE-2024-xxxxx) exploited before patch
- Current Vulnerability: 60-day patch window; some dependencies not monitored
- Likelihood: Medium (new CVEs discovered weekly)
- Impact: Major (RCE, data leak, service disruption)
- Risk Score: 11 (High)

Current Controls:
- ✅ Automated dependency scanning (Trivy, pip-audit, npm audit)
- ✅ Nightly CVE database update
- ✅ GitHub Security tab integrations
- ✅ CVSS-based prioritization
- ⚠️ Manual 60-day SLA for critical patches

Mitigation Plan:
1. Reduce critical patch window to 30 days (Q2 2026)
2. Automate dependency update PR creation (Dependabot already does)
3. Implement canary deployment (10% traffic, 24h testing)
4. Pre-stage patches in staging environment (weekly)

- Owner: Development Team
- Target Risk: Medium (score: 7-9)
- Timeline: Q2 2026
### RISK-005: Insider Threat / Privilege Abuse

- Asset: Database access, API credentials, admin panel, audit logs
- Threat: Disgruntled employee, credential theft, inadvertent misconfiguration
- Current Vulnerability: No continuous monitoring of privileged access; no DLP (data loss prevention)
- Likelihood: Low (small team, background checks, NDA)
- Impact: Major (data breach, reputation damage, financial loss)
- Risk Score: 8 (Medium-High)

Current Controls:
- ✅ RBAC (role-based access control)
- ✅ Least privilege principle (minimize admin access)
- ✅ Audit logging (all API calls, IP, user-agent, timestamp)
- ✅ MFA for all admins
- ⚠️ No behavioral analytics or alert on unusual access

Mitigation Plan:
1. Implement access anomaly detection (alert on after-hours access, bulk exports)
2. Quarterly privileged access review (confirm each admin still needs their role)
3. No-standing-privilege model: request temporary access via PAM (Q3 2026)
4. Mandatory offboarding checklist (key revocation, access removal, file audit)

- Owner: CISO
- Target Risk: Low (score: 3-5)
- Timeline: Q2-Q3 2026
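As an added example (not part of this document or the project's code base), the detection logic behind RISK-001 mitigation item 2 and RISK-005 mitigation item 1, run over constructed JSON Lines audit records: it flags after-hours access, a sudden IP change for the same user, and more than 50 calls to the export endpoint within one hour. The record field names (`ts`, `user`, `ip`, `ua`, `path`), the business-hours window and the ten-minute IP-change threshold are assumptions; the endpoint path and the 50 req/hour/user limit come from the RISK-001 plan.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

EXPORT_PATH = "/api/v1/privacy/export"   # endpoint named in the RISK-001 plan
BULK_EXPORT_LIMIT = 50                    # 50 req/hour/user, from the RISK-001 plan
BUSINESS_HOURS = range(8, 19)             # 08:00-18:59 UTC; assumed policy value
IP_CHANGE_WINDOW = timedelta(minutes=10)  # assumed threshold for a "sudden" IP change


def parse(lines):  # JSON Lines audit records; field names are assumptions
    events = []
    for line in lines:
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            events.append(rec)
    return sorted(events, key=lambda r: (r["user"], r["ts"]))  # per user, by time


def detect_anomalies(lines):  # returns (rule, user, detail) tuples
    alerts, last_seen, exports = [], {}, defaultdict(list)
    for ev in parse(lines):
        user, ts = ev["user"], ev["ts"]
        if ts.hour not in BUSINESS_HOURS:
            alerts.append(("after_hours", user, ev["ip"]))
        prev = last_seen.get(user)  # previous event of the same user (sorted input)
        if prev and prev["ip"] != ev["ip"] and ts - prev["ts"] <= IP_CHANGE_WINDOW:
            alerts.append(("ip_change", user, f"{prev['ip']}->{ev['ip']}"))
        if ev["path"] == EXPORT_PATH:
            window = exports[user]
            window.append(ts)
            while ts - window[0] > timedelta(hours=1):  # slide the one-hour window
                window.pop(0)
            if len(window) == BULK_EXPORT_LIMIT + 1:    # fire once when the limit is crossed
                alerts.append(("bulk_export", user, str(len(window))))
        last_seen[user] = ev
    return alerts


def constructed_log():  # constructed sample records, not real data
    lines = [
        '{"ts":"2026-03-17T09:00:00Z","user":"alice","ip":"203.0.113.5","ua":"Mozilla/5.0","path":"/api/v1/reports"}',
        '{"ts":"2026-03-17T09:02:00Z","user":"alice","ip":"198.51.100.7","ua":"Mozilla/5.0","path":"/api/v1/reports"}',
        '{"ts":"2026-03-17T02:30:00Z","user":"bob","ip":"192.0.2.9","ua":"Mozilla/5.0","path":"/api/v1/privacy/export"}',
    ]
    base = datetime(2026, 3, 17, 10, 0, tzinfo=timezone.utc)
    for i in range(BULK_EXPORT_LIMIT + 1):  # 51 export calls within 26 minutes from one user
        ts = (base + timedelta(seconds=30 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(json.dumps({"ts": ts, "user": "carol", "ip": "203.0.113.77",
                                 "ua": "python-requests/2.31", "path": EXPORT_PATH}))
    return lines
```

Running `detect_anomalies(constructed_log())` yields one alert per rule: the IP change for alice, the 02:30 access by bob, and the 51st export by carol.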
### RISK-006: GDPR Non-Compliance / Regulatory Fines

- Asset: Client personal data (emails, IP addresses, screenshots)
- Threat: Inadequate consent, missing DPA, delayed breach notification
- Current Vulnerability: No evidence that all B2B clients have signed DPA; consent tracking incomplete
- Likelihood: Medium (common finding in audits)
- Impact: Catastrophic ($2M-20M GDPR fines, loss of EU clients)
- Risk Score: 16 (Critical)

Current Controls:
- ✅ Privacy policy (Art. 13-14 compliant)
- ✅ DPA template created (need: client signatures)
- ✅ DPIA (Art. 35 assessment completed)
- ✅ Data subject rights API (export, erase, access)
- ✅ Breach notification procedures documented
- ⚠️ No audit trail of DPA signatures; cookie consent optional

Mitigation Plan:
1. Implement DPA tracking system (signature capture, version control)
2. Require DPA before engaging any EU client (automated check)
3. Make cookie consent mandatory (not optional) via prompt at login
4. Quarterly GDPR audit (DPA coverage, consent records, breach notification SLA)
5. Document lawful basis for each data processing activity

- Owner: Compliance Officer
- Target Risk: High (score: 9-11)
- Timeline: Q2-Q3 2026 (critical path)
### RISK-007: DDoS / Service Unavailability

- Asset: Dashboard, API, infrastructure availability
- Threat: Volumetric DDoS, application-layer attack, BGP hijacking
- Current Vulnerability: No DDoS mitigation (WAF, rate limiting basic)
- Likelihood: Medium (common attack, opportunistic)
- Impact: Major (service down 2-4 hours, reputation, revenue loss)
- Risk Score: 10 (High)

Current Controls:
- ✅ API rate limiting (basic: 100 req/min per user)
- ✅ AWS auto-scaling (handles some load spikes)
- ✅ Security headers (no X-Frame-Options mitigation)
- ⚠️ No CloudFlare DDoS mitigation; no bot detection

Mitigation Plan:
1. Deploy CloudFlare for DDoS mitigation + WAF rules (Q2 2026)
2. Implement rate limiting per IP (not just user): 1000 req/min global
3. Deploy CAPTCHA for suspicious request patterns
4. Establish DDoS response playbook (escalation, communication)

- Owner: Infrastructure Team
- Target Risk: Medium (score: 6-8)
- Timeline: Q2 2026
### RISK-008: Certificate Expiration / TLS Misconfiguration

- Asset: TLS certificates for dashboard, API, desktop app pinning
- Threat: Expired certificate, weak cipher suite, pinning failure
- Current Vulnerability: Desktop app certificate pinning requires manual update; no pre-expiration alert
- Likelihood: Low (30-day pre-expiration alerts available)
- Impact: Major (service unavailable, client trust loss, pinning bypass)
- Risk Score: 8 (Medium)

Current Controls:
- ✅ Let's Encrypt TLS (automated renewal via ACME)
- ✅ TLS 1.3 enforced
- ✅ Certificate pinning on desktop app (SHA-256)
- ⚠️ No monitoring of certificate expiration (relies on LE reminders)
- ⚠️ Manual update required for pinned cert rotation

Mitigation Plan:
1. Implement certificate expiration monitoring (alert at 30, 14, 7 days)
2. Automate desktop app cert pinning updates (CI/CD pipeline check)
3. Implement cert transparency log auditing (detect unauthorized certs)
4. Pre-stage 2nd pin (backup cert) for seamless rotation

- Owner: Infrastructure Team
- Target Risk: Low (score: 2-4)
- Timeline: Q2 2026
## Risk Response Summary

| Risk ID | Title | Current Score | Target Score | Mitigation Status |
|---|---|---|---|---|
| RISK-001 | Unauthorized Access to Data | 16 (Critical) | 8 (High) | In Progress |
| RISK-002 | Supply Chain Compromise | 12 (High) | 7 (Medium) | Planned Q2 |
| RISK-003 | Ransomware / Destruction | 10 (High) | 4 (Low) | Planned Q3 |
| RISK-004 | Unpatched Vulnerability | 11 (High) | 7 (Medium) | Planned Q2 |
| RISK-005 | Insider Threat | 8 (Medium) | 3 (Low) | Planned Q2-Q3 |
| RISK-006 | GDPR Non-Compliance | 16 (Critical) | 9 (High) | Critical Path |
| RISK-007 | DDoS Attack | 10 (High) | 6 (Medium) | Planned Q2 |
| RISK-008 | Certificate Issues | 8 (Medium) | 2 (Low) | Planned Q2 |
## Acceptance Criteria

- Risk scores <10 are acceptable (residual risk is managed via controls + monitoring)
- Risk scores ≥10 require mitigation plan with target <10
- Risk scores ≥15 (Critical) require immediate escalation + monthly tracking
- All mitigations tracked in Risk Register with owner, timeline, status
## Review & Approval

| Role | Signature | Date |
|---|---|---|
| CISO / Security Lead | _____ | 2026-03-17 |
| Risk Committee | _____ | 2026-03-17 |
| CEO | _____ | 2026-03-17 |

- Review Schedule: Quarterly (end of each quarter)
- Next Review: 2026-06-17

Document Control
- Owner: CISO
- Last Updated: 2026-03-17
- Next Review: 2026-06-17
- Status: Approved