Risk Catalogue
RISK CATALOG use case:
- What are the risks associated with a control deficiency? (e.g., if the control fails, what risk(s) is the organization exposed to?)
Definition of Risk | |
---|---|
noun: A situation where someone or something valued is exposed to danger, harm or loss. | Danger: state of possibly suffering harm or injury |
verb: To expose someone or something valued to danger, harm or loss. | Harm: material / physical damage |
 | Loss: destruction, deprivation or inability to use |
Risk Grouping: Access Control
Risk # | Risk | Description of Possible Risk Due To Control Deficiency | NIST CSF Function |
---|---|---|---|
R-AC-1 | Inability to maintain individual accountability | Asset ownership is not maintained, so actions or inactions cannot be attributed to an individual (no non-repudiation). | Protect |
R-AC-2 | Improper assignment of privileged functions | There is a failure to implement least privileges. | Protect |
R-AC-3 | Privilege escalation | Access to privileged functions is inadequate or cannot be controlled. | Protect |
R-AC-4 | Unauthorized access | Access is granted to unauthorized individuals, groups or services. | Protect |
Risk Grouping: Asset Management
Risk # | Risk | Description of Possible Risk Due To Control Deficiency | NIST CSF Function |
---|---|---|---|
R-AM-1 | Lost, damaged or stolen asset(s) | Asset(s) is/are lost, damaged or stolen. | Protect |
R-AM-2 | Loss of integrity through unauthorized changes | Unauthorized changes corrupt the integrity of the system / application / service. | Protect |
Risk Grouping: Business Continuity
Risk # | Risk | Description of Possible Risk Due To Control Deficiency | NIST CSF Function |
---|---|---|---|
R-BC-1 | Business interruption | There is increased latency or a service outage that negatively impacts business operations. | Recover |
R-BC-2 | Data loss / corruption | There is a failure to maintain the confidentiality of the data (compromise) or data is corrupted (loss). | Recover |
R-BC-3 | Reduction in productivity | User productivity is negatively affected by the incident. | Protect |
R-BC-4 | Information loss / corruption or system compromise due to technical attack | Malware, phishing, hacking or another technical attack compromises data, systems, applications or services. | Protect |
R-BC-5 | Information loss / corruption or system compromise due to non-technical attack | Social engineering, sabotage or another non-technical attack compromises data, systems, applications or services. | Protect |
Risk Grouping: Exposure
Risk # | Risk | Description of Possible Risk Due To Control Deficiency | NIST CSF Function |
---|---|---|---|
R-EX-1 | Loss of revenue | A financial loss occurs from either a loss of clients or an inability to generate future revenue. | Recover |
R-EX-2 | Cancelled contract | A contract is cancelled due to a violation of a contract clause. | Recover |
R-EX-3 | Diminished competitive advantage | The competitive advantage of the organization is jeopardized. | Recover |
R-EX-4 | Diminished reputation | Negative publicity tarnishes the organization's reputation. | Recover |
R-EX-5 | Fines and judgements | Legal and/or financial damages result from statutory / regulatory / contractual non-compliance. | Recover |
R-EX-6 | Unmitigated vulnerabilities | Unmitigated technical vulnerabilities exist without compensating controls or other mitigation actions. | Protect |
R-EX-7 | System compromise | A system / application / service is compromised, affecting its confidentiality, integrity, availability and/or safety. | Protect |
Risk Grouping: Governance
Risk # | Risk | Description of Possible Risk Due To Control Deficiency | NIST CSF Function |
---|---|---|---|
R-GV-1 | Inability to support business processes | Implemented security / privacy practices are insufficient to support the organization's requirements for secure technologies & processes. | Protect |
R-GV-2 | Incorrect controls scoping | There is incorrect or inadequate controls scoping, which leads to a potential gap or lapse in security / privacy controls coverage. | Identify |
R-GV-3 | Lack of roles & responsibilities | Documented security / privacy roles & responsibilities do not exist or are inadequate. | Identify |
R-GV-4 | Inadequate internal practices | Internal practices do not exist or are inadequate. Procedures fail to meet "reasonable practices" expected by industry standards. | Protect |
R-GV-5 | Inadequate third-party practices | Third-party practices do not exist or are inadequate. Procedures fail to meet "reasonable practices" expected by industry standards. | Protect |
R-GV-6 | Lack of oversight of internal controls | There is a lack of due diligence / due care in overseeing the organization's internal security / privacy controls. | Identify |
R-GV-7 | Lack of oversight of third-party controls | There is a lack of due diligence / due care in overseeing security / privacy controls operated by third-party service providers. | Identify |
R-GV-8 | Illegal content or abusive action | There is abusive content / harmful speech / threats of violence / illegal content that negatively affects business operations. | Identify |
Risk Grouping: Incident Response
Risk # | Risk | Description of Possible Risk Due To Control Deficiency | NIST CSF Function |
---|---|---|---|
R-IR-1 | Inability to investigate / prosecute incidents | Response actions either corrupt evidence or impede the ability to prosecute incidents. | Respond |
R-IR-2 | Improper response to incidents | Response actions fail to act appropriately in a timely manner to properly address the incident. | Respond |
R-IR-3 | Ineffective remediation actions | There is no oversight to ensure remediation actions are correct and/or effective. | Protect |
R-IR-4 | Expense associated with managing a loss event | There are financial repercussions from responding to an incident or loss. | Respond |
Risk Grouping: Situational Awareness
Risk # | Risk | Description of Possible Risk Due To Control Deficiency | NIST CSF Function |
---|---|---|---|
R-SA-1 | Inability to maintain situational awareness | There is an inability to detect incidents. | Detect |
R-SA-2 | Lack of a security-minded workforce | The workforce lacks user-level understanding about security & privacy principles. | Protect |