Risk Register
Risk Score = Likelihood (L) × Impact (I), each rated 1–5. Rating bands: 1–3 Low · 4–8 Medium · 9–15 High · 16–25 Critical.
| ID | Risk | Asset/Process | L | I | Score | Rating | NIST | Owner | Status | Due | Actions |
|---|---|---|---|---|---|---|---|---|---|---|---|
| R-002 | No periodic access reviews: stale or excessive access leads to privilege creep and insider risk. | All SaaS systems | 4 | 4 | 16 | Critical | Protect | Marcus Lee | Open | 2026-07-31 | |
| R-007 | No vendor risk management process: unvetted vendors may introduce supply chain and data exposure risk. | Vendor ecosystem | 4 | 4 | 16 | Critical | Govern | Marcus Lee | Open | 2026-09-04 | |
| R-009 | Logs not centrally reviewed: without log review, malicious activity may go undetected for months. (Control state unverified.) | AWS CloudTrail, Okta logs | 4 | 4 | 16 | Critical | Detect | Sam Okafor | Open | 2026-09-18 | |
| R-001 | MFA not enforced on critical systems: lack of MFA exposes accounts to credential-based attacks and account takeover. | Okta SSO, AWS Console, Email | 3 | 5 | 15 | High | Protect | Priya Shah | Open | 2026-07-24 | |
| R-004 | Backups not tested via restore: untested backups may fail during a real incident, prolonging downtime. | AWS Backup, NetSuite | 3 | 5 | 15 | High | Recover | Sam Okafor | Open | 2026-08-14 | |
| R-005 | No tested incident response plan: without a tested IR plan, response time and containment will suffer. | Enterprise-wide | 3 | 5 | 15 | High | Respond | Jordan Reyes | Open | 2026-08-21 | |
| R-012 | No BCP/DR plan in place: an outage could result in extended downtime and revenue loss. | Enterprise-wide | 3 | 5 | 15 | High | Recover | Marcus Lee | Open | 2026-10-09 | |
| R-003 | Inconsistent onboarding/offboarding: departed employees may retain access, exposing data and systems. | HRIS, Okta | 3 | 4 | 12 | High | Protect | Elena Volkov | Open | 2026-08-07 | |
| R-008 | No formal vulnerability management: unpatched vulnerabilities can be exploited for initial access. | AWS workloads, endpoints | 3 | 4 | 12 | High | Identify | Elena Volkov | Open | 2026-09-11 | |
| R-011 | No comprehensive asset inventory: unknown assets cannot be protected, monitored, or patched. | Endpoints, cloud workloads | 4 | 3 | 12 | High | Identify | Priya Shah | Open | 2026-10-02 | |
| R-006 | Inconsistent security awareness training: untrained staff increase phishing and social engineering risk. | Workforce | 3 | 3 | 9 | High | Protect | Priya Shah | Open | 2026-08-28 | |
| R-010 | Incomplete policy documentation: gaps in policy create audit findings and inconsistent operations. | Policy library | 2 | 3 | 6 | Medium | Govern | Jordan Reyes | Open | 2026-09-25 | |