Risk Library

| Risk Category | Risk ID | Risk Summary | Risk Description |
|---|---|---|---|
| Access Control | RISK-AC-001 | Inability to maintain individual accountability | Failure to maintain asset ownership, preventing non-repudiation of actions. |
| Access Control | RISK-AC-002 | Improper assignment of privileged functions | Failure to implement least privilege. |
| Access Control | RISK-AC-003 | Privilege escalation | Inadequate control over access to privileged functions. |
| Access Control | RISK-AC-004 | Unauthorized access | Access granted to unauthorized individuals, groups, or services. |
| Asset Management | RISK-AM-001 | Lost, damaged or stolen asset(s) | Assets are lost, damaged, or stolen. |
| Asset Management | RISK-AM-002 | Loss of integrity through unauthorized changes | Unauthorized changes corrupt system integrity. |
| Business Continuity | RISK-BC-001 | Business interruption | Latency or outage impacting operations. |
| Business Continuity | RISK-BC-002 | Data loss / corruption | Failure to maintain data confidentiality or integrity. |
| Business Continuity | RISK-BC-003 | Information loss due to technical attack | Technical attacks (malware, phishing) compromise data/systems. |
| Business Continuity | RISK-BC-004 | Information loss due to non-technical attack | Non-technical attacks (social engineering) compromise data/systems. |
| Exposure | RISK-EX-001 | Unmitigated vulnerabilities | Vulnerabilities without compensating controls. |
| Exposure | RISK-EX-002 | System compromise | Compromise affecting confidentiality, integrity, availability. |
| Governance | RISK-GV-001 | Inability to support business processes | Insufficient security/privacy practices. |
| Governance | RISK-GV-002 | Incorrect controls scoping | Inadequate scoping leading to control gaps. |
| Governance | RISK-GV-003 | Lack of roles & responsibilities | Inadequate documented roles/responsibilities. |
| Governance | RISK-GV-004 | Inadequate third-party practices | Third-party procedures below industry standards. |
| Governance | RISK-GV-005 | Lack of oversight of third-party controls | Insufficient due diligence on third-party controls. |
| Governance | RISK-GV-006 | Illegal content or abusive action | Abusive/illegal content impacting operations. |
| Incident Response | RISK-IR-001 | Inability to investigate incidents | Response corrupts evidence or impedes prosecution. |
| Incident Response | RISK-IR-002 | Improper response to incidents | Untimely or inappropriate incident response. |
| Incident Response | RISK-IR-003 | Ineffective remediation actions | Lack of oversight on remediation effectiveness. |
| Situational Awareness | RISK-SA-001 | Inability to maintain situational awareness | Inability to detect incidents. |
| Situational Awareness | RISK-SA-002 | Lack of a security-minded workforce | Workforce lacks security/privacy understanding. |
