Risk Register
Document ID: REG-002
Document owner: Jan Marc Castlunger (ISO)
Classification: Confidential
Version: 1.0
Last updated: March 2026
Next review: March 2027
Frameworks: ISO 27001 (6.1.2, 6.1.3, 8.2, 8.3) | SOC 2 (CC3.1, CC3.2, CC3.3, CC3.4)
Risk Methodology
Risk is assessed using a 3x3 matrix (possible scores: 1, 2, 3, 4, 6, 9):
- Likelihood: 1 = Low, 2 = Medium, 3 = High
- Impact: 1 = Low, 2 = Medium, 3 = High
- Risk Rating = Likelihood x Impact
| Score | Rating |
|---|---|
| 6-9 | 🔴 High |
| 3-4 | 🟡 Medium |
| 1-2 | 🟢 Low |
Acceptance threshold: Risks rated Medium or above require documented treatment. Residual risk must be accepted and signed off by the ISO.
Risk Register
| ID | Asset | Threat / Scenario | L | I | Rating | Controls | Residual |
|---|---|---|---|---|---|---|---|
| R01 | API keys (A03) | Unauthorised access via leaked credentials | 2 | 3 | 🔴 High | Azure Key Vault, RBAC, MFA (TOTP), customer-managed key rotation | 🟢 Low |
| R02 | ID scan images (A01) | Data breach — exposure of government IDs | 2 | 3 | 🔴 High | No persistent storage, TLS 1.3, encryption at rest, pentest | 🟢 Low |
| R03 | Azure infrastructure (A06) | Cloud misconfiguration / privilege escalation | 2 | 3 | 🔴 High | RBAC (standard; Azure PIM planned Q3 2026), Azure Security Center, vuln scanning, Terraform IaC review | 🟡 Medium |
| R04 | Source code (A05) | IP theft via GitHub breach | 2 | 3 | 🔴 High | Private repos, MFA on GitHub, branch protection, SAST | 🟢 Low |
| R05 | OCR data (A02) | Interception in transit | 1 | 3 | 🟡 Medium | TLS 1.3 enforced, certificate pinning, HSTS | 🟢 Low |
| R06 | All assets | Ransomware / destructive attack | 2 | 2 | 🟡 Medium | Encrypted Azure backups, tested restore, incident plan | 🟢 Low |
| R07 | Employee data (A04) | Phishing / social engineering | 3 | 2 | 🔴 High | Annual security training, MFA on Google Workspace, email filtering | 🟡 Medium |
| R08 | Azure infrastructure | Insider threat | 1 | 3 | 🟡 Medium | RBAC least-privilege, access log review, offboarding checklist | 🟢 Low |
| R09 | SSL certs / keys (A12) | Certificate expiry or key compromise | 2 | 3 | 🔴 High | Azure Key Vault auto-rotation, certificate monitoring alerts | 🟢 Low |
| R10 | All operations | Key person dependency (1-10 staff) | 3 | 3 | 🔴 High | Documented runbooks, cross-training, supplier SLAs, succession plan | 🟡 Medium |
| R11 | Customer contracts (A09) | Legal / contractual breach | 1 | 3 | 🟡 Medium | DPAs in place with all suppliers, legal review of customer contracts | 🟢 Low |
| R12 | Logging data (A11) | Loss of audit trail / tampered logs | 2 | 2 | 🟡 Medium | AKS + Caddy ingress rolling logs (30-day retention); Azure File Blob for log archives | 🟡 Medium |
| R13 | Error images via email (A13) | Exposure of customer ID images stored in Google Workspace (received for error handling, max 7-day retention, requires customer consent) | 2 | 3 | 🔴 High | 7-day auto-deletion policy, customer consent required, Google Workspace DPA, MFA on email, staff training | 🟡 Medium |
| R14 | All staff | Confidentiality breach due to missing formal NDAs | 2 | 2 | 🟡 Medium | Employment contracts exist; formal NDA process being implemented Q2 2026 | 🟡 Medium |
Open Risks Requiring Action
R03 — Azure Misconfiguration (Residual: Medium)
Action: Formalise Infrastructure-as-Code (Terraform) config baseline by May 2026. Owner: Sebastian Windeck (CTO)
R07 — Phishing (Residual: Medium)
Action: Implement simulated phishing tests annually starting Q2 2026. Owner: Jan Marc Castlunger (ISO)
R10 — Key Person Dependency (Residual: Medium)
Action: Complete runbook documentation for all critical processes by June 2026. Owner: Jan Marc Castlunger (ISO)
R12 — Insufficient Log Retention (Residual: Medium)
Action: Extend log retention from 30 days to minimum 90 days (target: 12 months) using Azure Log Analytics or Blob archival. Current 30-day rolling retention is insufficient for incident forensics and compliance. Owner: Sebastian Windeck (CTO) Target: Q2 2026
R13 — Error Images via Email (Residual: Medium)
Action: Automated 7-day deletion is active. Formalise customer consent workflow and document the process. Owner: Sebastian Windeck (DPO)
R14 — Confidentiality Agreements Not Formalised (Residual: Medium)
Action: Implement standalone NDA or add formal confidentiality clause to all employment/contractor agreements. Current agreements lack formal confidentiality provisions. Owner: Jan Marc Castlunger (ISO) Target: Q2 2026
Review Log
| Date | Reviewer | Changes |
|---|---|---|
| March 2026 | Jan Marc Castlunger (ISO) | Initial risk register — 12 risks identified |
| March 2026 | Jan Marc Castlunger (ISO) | Added R13 — error images via email risk |
| March 2026 | Sebastian Windeck (CTO) | Added R14 (NDAs); corrected R01, R03, R12 controls; upgraded R12 to Medium residual |
How to add a new risk
- Add a row with the next unused ID (the register currently ends at R14, so the next is R15)
- Score Likelihood and Impact (1-3)
- Calculate Rating = L x I
- Document the control(s) applied and the resulting residual risk
- If residual is Medium or High, add an open risk action above
- Commit with a message of the form:
```
docs: add risk R15 - [brief description]
```
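The steps above are easy to get wrong by hand (a rating that no longer matches L x I, or a Medium residual with no open-risk action). The following checker is an added example and is not part of REG-002 or its tooling; it assumes the register is kept in Markdown with the table and open-risk layout used on this page (`| R01 | ... |` rows, and open-risk lines of the form `R03 ... (Residual: Medium)`). The sample register embedded in it is constructed for the example and includes one deliberately inconsistent row, R15.

```python
"""Consistency checker for a REG-002-style risk register.

Added example, not part of the original document. It re-derives each row's
rating from L x I using the 3x3 matrix, and flags any row whose residual is
Medium or High but has no entry under "Open Risks Requiring Action".
"""
import re


def rating_for(score: int) -> str:
    """Map a Likelihood x Impact score to the register's rating bands."""
    if 6 <= score <= 9:
        return "High"
    if 3 <= score <= 4:
        return "Medium"
    if 1 <= score <= 2:
        return "Low"
    raise ValueError(f"score {score} is not a product of two values in 1-3")


def strip_rating(cell: str) -> str:
    """Drop the emoji and whitespace from a cell such as '🔴 High'."""
    return re.sub(r"[^A-Za-z]", "", cell)


def parse_register(markdown: str) -> list[dict]:
    """Return the data rows of the 8-column register table as dicts."""
    rows = []
    for line in markdown.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        # Skip header, separator and non-table lines: only rows whose first
        # cell is an ID like R01 count.
        if len(cells) != 8 or not re.fullmatch(r"R\d{2,}", cells[0]):
            continue
        rows.append({
            "id": cells[0], "asset": cells[1], "threat": cells[2],
            "L": int(cells[3]), "I": int(cells[4]),
            "rating": strip_rating(cells[5]), "controls": cells[6],
            "residual": strip_rating(cells[7]),
        })
    return rows


def open_risk_ids(markdown: str) -> set[str]:
    """IDs that have an open-risk entry, e.g. 'R03 - ... (Residual: Medium)'."""
    return set(re.findall(r"^(R\d{2,})\s.*\(Residual:", markdown, flags=re.M))


def check_register(markdown: str) -> list[str]:
    """Return one finding string per inconsistency; empty list means clean."""
    findings = []
    open_ids = open_risk_ids(markdown)
    for r in parse_register(markdown):
        if not (1 <= r["L"] <= 3 and 1 <= r["I"] <= 3):
            findings.append(f'{r["id"]}: L/I outside the 1-3 scale')
            continue
        expected = rating_for(r["L"] * r["I"])
        if r["rating"] != expected:
            findings.append(
                f'{r["id"]}: rating {r["rating"]} but '
                f'L x I = {r["L"] * r["I"]} -> {expected}')
        if r["residual"] in ("Medium", "High") and r["id"] not in open_ids:
            findings.append(
                f'{r["id"]}: residual {r["residual"]} but no open-risk action')
    return findings


def next_id(markdown: str) -> str:
    """The ID to use for a new row: one past the highest existing ID."""
    ids = [int(r["id"][1:]) for r in parse_register(markdown)]
    return f"R{max(ids, default=0) + 1:02d}"


# Constructed sample register (abridged from the page; R15 is deliberately
# inconsistent: L x I = 9 should be High, and its Medium residual has no
# open-risk action).
SAMPLE = """
| ID | Asset | Threat / Scenario | L | I | Rating | Controls | Residual |
|---|---|---|---|---|---|---|---|
| R01 | API keys (A03) | Leaked credentials | 2 | 3 | 🔴 High | Key Vault, RBAC, MFA | 🟢 Low |
| R05 | OCR data (A02) | Interception in transit | 1 | 3 | 🟡 Medium | TLS 1.3, HSTS | 🟢 Low |
| R12 | Logging data (A11) | Tampered logs | 2 | 2 | 🟡 Medium | 30-day rolling logs | 🟡 Medium |
| R15 | Example asset | Constructed bad row | 3 | 3 | 🟡 Medium | none | 🟡 Medium |

R12 - Insufficient Log Retention (Residual: Medium)
Action: Extend retention.
"""

if __name__ == "__main__":
    for finding in check_register(SAMPLE):
        print(finding)
    print("next ID:", next_id(SAMPLE))
```

Running it on the sample reports two findings, both against R15, and proposes R16 as the next ID. Run the same check against the real register file before committing a new row; a clean result means every rating matches the matrix and every Medium or High residual has a tracked action.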