old-riskletpy/document_template.yml
2025-08-14 14:08:34 +02:00
- segment_type: "organization"
content:
- name: "{{ document.organization.name }}"
date: |
Date of Report: {{ document.created_at|date:'Y-m-d' }}
- segment_type: "executive_summary"
content:
- title: "Executive Summary"
description: |
This Cyber Risk Assessment Report provides a comprehensive evaluation of {{ document.organization.name }}'s cybersecurity posture. The assessment focused on identifying critical risks, prioritizing mitigation strategies, and aligning practices with internationally recognized frameworks such as CIS CSC v8.1, NIST CSF 2.0, ISO 27001:2022, and regulatory requirements including NIS2, DORA, and GDPR. Conducted by StackSight LLC, the assessment leveraged data provided by representatives of {{ document.organization.name }}, insights from consultancy and industry reports, and threat intelligence sources to deliver actionable guidance tailored to {{ document.organization.name }}'s unique operational environment.
Key findings from the assessment reveal several areas where {{ document.organization.name }} faces heightened cybersecurity risks, particularly within the domains of phishing, ransomware, vendor risks, and unpatched software vulnerabilities. These identified risks pose significant threats to operational continuity, sensitive data, and regulatory compliance. The top risks are detailed in the findings section of this report.
To address these challenges effectively, a strategic roadmap comprising targeted safeguards is proposed. Each safeguard is prioritized based on its potential effectiveness in reducing both the likelihood and impact of identified risks. Key recommendations include the deployment of advanced email filtering systems, organization-wide enforcement of multi-factor authentication (MFA), implementation of a comprehensive patch management program, utilization of Endpoint Detection and Response (EDR) tools, ensuring frequent and securely stored data backups, and the establishment of robust vendor security standards coupled with continuous monitoring.
Implementation of these recommendations is projected to yield substantial quantifiable and qualitative benefits for {{ document.organization.name }}, including an estimated 75% reduction in financial exposure stemming from cyber incidents through targeted risk mitigation, increased adherence to relevant regulatory mandates, and enhanced operational continuity with significantly reduced downtime during potential cyber events.
- segment_type: "key_findings"
content:
- title: "Key Findings"
description: |
{{ document.key_findings|safe }}
- segment_type: "recommendations"
content:
- title: "Recommendations"
description: |
{{ document.recomendations|safe }}
- segment_type: "value_proposition"
content:
- title: "Value Proposition"
description: |
By diligently implementing the recommendations outlined in this report, {{ document.organization.name }} is positioned to achieve significant strategic and operational benefits:
- <b>Estimated 75% Reduction in Financial Exposure:</b> Through the targeted mitigation of high-impact cyber risks, the potential financial losses associated with security incidents can be substantially reduced.
- <b>Increased Compliance with Regulatory Mandates:</b> Alignment with frameworks such as GDPR, NIS2, and DORA will be enhanced, reducing the risk of non-compliance penalties and reputational damage.
- <b>Enhanced Operational Continuity and Reduced Downtime:</b> Proactive risk mitigation and improved incident response capabilities will minimize the likelihood and impact of disruptive cyber events, ensuring business operations remain resilient.
- segment_type: "next_steps"
content:
- title: "Next Steps"
description: |
We formally recommend initiating a phased implementation plan to address the identified risks. The initial phase should prioritize the deployment of high-impact safeguards, including organization-wide MFA enforcement, establishing a robust patch management program, and conducting initial vendor risk assessments to address the most pressing risks identified in this report. Concurrently, a structured and regular risk register review cycle should be established to ensure the organization's cybersecurity posture continuously adapts to the evolving threat landscape and changes in the operational environment.
- segment_type: "inherent_limitations"
content:
- title: "Inherent Limitations"
description: |
This assessment, while conducted with due professional care and based on available information, is subject to certain inherent limitations that warrant explicit mention:
- subtitle: "Dynamic Nature of Cyber Threats:"
description: |
The landscape of cybersecurity threats is inherently dynamic, characterized by rapid advancements in attack techniques, continuous changes in technology, and the emergence of new vulnerabilities. This report represents a "point-in-time" snapshot of the organization's risk landscape as assessed on the report date and does not account for changes or new threats that may materialize subsequent to the assessment. Regular, periodic updates to the risk assessment are therefore crucial to ensure the organization remains resilient against emerging threats.
For instance, a phishing risk rated as medium during this assessment could potentially escalate rapidly in severity due to unforeseen external factors, such as a sudden surge in highly sophisticated targeted attacks specifically directed at the healthcare industry.
- subtitle: "Focus on Risk Management Frameworks:"
description: |
This assessment adopts a risk-based approach, aligning findings and recommendations with established international frameworks such as ISO 27001, CIS CSC v8.1, NIST CSF 2.0, and relevant regulatory requirements including GDPR, NIS2, PCI DSS, and DORA. While these frameworks provide a comprehensive basis for cybersecurity governance, they are not exhaustive. The recommendations provided are tailored to {{ document.organization.name }}'s specific organizational priorities and risk tolerances; however, it is important to acknowledge that residual risks will inevitably remain even after the implementation of recommended controls. Residual risk is an inherent characteristic of any risk management approach.
- subtitle: "Residual Risk:"
description: |
Residual risk is formally defined as the level of risk that persists after the implementation of all feasible and recommended controls. By way of example, while the implementation of multi-factor authentication (MFA) is highly effective in significantly reducing phishing risks, a small degree of residual risk may still persist due to factors such as potential human error or the emergence of novel attack vectors not fully mitigated by current controls.
- subtitle: "Scope and Context:"
description: |
This report is an organization-level assessment, emphasizing risks related to strategic and operational cybersecurity governance. It does not provide a system-level evaluation (e.g., penetration testing or vulnerability scanning) or an asset-level analysis of specific infrastructure components, devices, or applications.
For a more detailed understanding of individual systems or assets, supplementary assessments, such as technical audits, vulnerability scans, or penetration tests, are recommended.
- subtitle: "Control Maturity Assumptions:"
description: |
Residual risk calculations presented in this report are predicated on the assumption that all recommended controls are implemented and maintained at the highest achievable maturity levels (e.g., aligned with CMMI Level 5 principles for process management). However, the actual maturity level of implemented controls within {{ document.organization.name }} may vary in practice, influenced by factors such as available resources, implementation timelines, and the effectiveness of ongoing maintenance and operational efforts.
For example, while a comprehensive patch management program is designed to significantly reduce software vulnerabilities, its ultimate effectiveness is directly dependent on operational factors such as the frequency and timeliness of patch deployment and adherence to established organizational policies and procedures.
- subtitle: "Scope of External Factors:"
description: |
While this assessment focuses primarily on internal cybersecurity risks that are largely within {{ document.organization.name }}'s direct control, it does not encompass an evaluation of broader external factors that could potentially impact the organization's risk profile. These external factors may include, but are not limited to, geopolitical risks, the impact of natural disasters on infrastructure, or systemic vulnerabilities inherent within wider third-party ecosystems beyond {{ document.organization.name }}'s immediate vendor relationships.
- subtitle: "Dependency on Timely Implementation:"
description: |
The effectiveness of the recommendations provided in this report in reducing risk is directly dependent upon the timely and effective implementation of the proposed controls. Delays in implementation, partial adoption of recommendations, or inadequate ongoing maintenance of controls may result in higher residual risks than those estimated in this assessment.
For instance, a delayed adoption and operationalization of endpoint detection and response (EDR) tools could leave the organization exposed to the full impact of ransomware attacks for a longer duration than would otherwise be necessary.
- subtitle: "Regular Reassessment Requirement:"
description: |
This report serves as a baseline assessment of {{ document.organization.name }}'s cybersecurity risks at a specific point in time. Given the dynamic nature of cyber threats, continuous changes in technology, and evolving business processes, we formally recommend periodic reassessments of the cybersecurity risk landscape. Such reassessments are essential to keep the risk register updated, ensure alignment with the evolving threat environment, and validate the effectiveness of implemented controls.
A risk initially identified as low severity at the time of this report might increase significantly in severity over time due to changes in prevalent attack vectors, shifts in the regulatory environment, or organizational growth and expansion.
- segment_type: "approach_and_methodologies"
content:
- title: "Approach and Methodologies"
subtitle: "Methodology Overview"
description: |
The risk assessment methodology employed in the preparation of this report is formally rooted in the principles and guidance outlined in the NIST Special Publication 800-30 Revision 1: Guide for Conducting Risk Assessments. This widely recognized standard defines risk as a function of the likelihood of a threat exploiting a vulnerability and the resulting impact. This methodology is broadly adopted across industries due to its scalability and inherent alignment with organizational risk management needs. The approach is also compliant with key international standards and frameworks, including ISO 27001, ISO 31000, PCI DSS, ENISA guidelines, and the CSA Cloud Controls Matrix (CCM), by focusing on the following common key elements:
1. <b>Risk Identification:</b> The systematic process of identifying potential threats, existing vulnerabilities, and the potential adverse impacts that could result from a cybersecurity event.
2. <b>Risk Assessment:</b> The formal evaluation of identified risks, involving the determination of both the likelihood of occurrence and the severity of the potential impact.
3. <b>Risk Mitigation/Treatment:</b> The process of selecting and implementing appropriate strategies and controls to reduce, transfer, or formally accept identified risks based on organizational risk tolerance.
4. <b>Documentation:</b> Maintaining a detailed and accurate record of the entire risk assessment process, including methodologies, findings, analysis, and treatment decisions.
5. <b>Continuous Monitoring:</b> Establishing ongoing processes to monitor the risk environment, assess the effectiveness of implemented controls, and identify new risks as they emerge.
6. <b>Communication:</b> Ensuring that risk findings, assessment results, and treatment plans are effectively communicated to relevant stakeholders across the organization.
- subtitle: "Inputs and Data Collection"
description: |
This assessment was specifically tailored to {{ document.organization.name }}'s operational context using a combination of internal data and external threat intelligence. The primary inputs from {{ document.organization.name }} included:
- Organizational Scale: Data pertaining to employee headcount and annual revenue, providing context for potential financial impact calculations.
- Technology Landscape: Information on critical applications, network architecture, and segmentation, informing the identification of technical vulnerabilities and dependencies.
- Regulatory Frameworks: Details on applicable regulatory requirements and compliance obligations, such as GDPR, ISO 27001, and NIST CSF compliance status.
- Operational Context: Information regarding the industry sector in which {{ document.organization.name }} operates and the extent of its reliance on third-party vendors, informing the assessment of sector-specific and supply chain risks.
These internal insights were further enriched by incorporating relevant data and trend analysis from leading industry and consultancy sources.
- segment_type: "risk_matrix"
content:
- title: "Risk Matrix"
description: |
The Risk Score is calculated as the product of the Inherent Impact Score and the Inherent Likelihood Score.
- html: |
<div class="risk-matrix">
<table>
<thead>
<tr>
{% for cell in table_risk_matrix_header %}
<th>{{ cell }}</th>
{% endfor %}
</tr>
</thead>
<tbody>
{% for row in table_risk_matrix_rows %}
<tr>
<td>{{ row.0 }}</td>
{% for cell in row|slice:"1:" %}
<td class="{{ cell.1 }}">{{ cell.0 }}</td>
{% endfor %}
</tr>
{% endfor %}
</tbody>
</table>
</div>
- description: |
Risk Tolerance Range: Scores between 5 and 7 are generally considered within the acceptable risk tolerance range for {{ document.organization.name }}, subject to formal acceptance by leadership.
- warning: |
Intolerable Risks: Risks with scores of 8 or above are formally classified as intolerable and require immediate treatment.
- subtitle: "Risk Matrix Visualization - Inherent Risk"
description: |
The chart below visually represents the inherent risk scores of the top 10 identified risks based on their Inherent Likelihood and Impact, mapped onto the risk matrix gradient. The size of the marker indicates the number of risks at that specific Likelihood/Impact intersection.
image: "data:image/png;base64,{{ graph }}"
- segment_type: "results_and_recommendations"
content:
- title: "Results and Recommendations"
- subtitle: "Organizational Context:"
description: |
{{ document.organization.name }} operates within the {{ document.organization.industry_sector }} sector, employing {{ document.organization.employee_headcount }} personnel, with annual revenues estimated to be between {{ document.organization.annual_revenue }}. The organization exhibits a {{ document.organization.it_dependency }} dependency on technology for its core operations and service delivery. The operational environment is subject to stringent regulatory mandates including but not limited to {{ document.organization.compliance_frameworks }}. These regulatory requirements underscore the critical need for robust and demonstrable cybersecurity governance and controls.
- subtitle: "Top 10 Risks Identified:"
description: |
Based on the comprehensive assessment methodology applied, the following top 10 cybersecurity risks have been formally identified and prioritized for {{ document.organization.name }} based on their inherent risk scores:
- html: |
<table>
<tr>
<th>Risk ID</th>
<th>Risk Name</th>
<th>Inherent Impact</th>
<th>Inherent Likelihood</th>
<th>Inherent Risk Score</th>
<th>Description of Risk</th>
</tr>
{% for item in risks_with_controls %}
<tr>
<td>{{ item.risk.id }}</td>
<td>{{ item.risk.name }}</td>
<td>{{ item.r_impact }}</td>
<td>{{ item.r_likelihood }}</td>
<td>{{ item.risk_score }}</td>
<td>{{ item.risk_description }}</td>
</tr>
{% endfor %}
</table>
- description: |
Each identified risk has been assigned an inherent impact and likelihood score, which are then used to calculate the inherent risk score. These risks are visually represented on the risk matrix chart to facilitate prioritization and understanding of their relative positions within the risk landscape.
- segment_type: "risks_with_residuals"
content:
- title: "Risks with Residuals"
subtitle: "Risk Treatment Plan:"
description: |
To effectively address the identified risks, a comprehensive risk treatment plan is formally proposed. This plan prioritizes the implementation of controls based on their assessed capacity to reduce the inherent risk. Standard risk treatment strategies considered include:
1. <b>Mitigation:</b> Implementing specific safeguards and controls designed to reduce the likelihood of a risk event occurring or minimize its potential impact.
2. <b>Avoidance:</b> Making a conscious decision to refrain from engaging in activities or adopting architectures that introduce a specific high-level risk.
3. <b>Transference:</b> Shifting the financial or operational impact of a risk to a third party, typically through mechanisms such as cybersecurity insurance or contractual agreements with vendors.
4. <b>Acceptance:</b> An informed decision by organizational leadership to acknowledge a specific risk and choose not to implement further controls, based on a formal assessment that the residual risk is within acceptable tolerance levels.
Where the implementation of controls is assessed as feasible and effective, all risks should be formally treated. Based on the established risk assessment procedure, any risk with an inherent risk score of 8 or above is formally classified as intolerable and must be treated in a timely and prioritized manner to reduce it to an acceptable residual level.
Prior to formally considering the acceptance of any risk, a rigorous evaluation must be conducted to ensure that the risk has been reduced to the smallest possible residual level through the application of one or more appropriate risk treatment approaches.
- html: |
<table class="residual-table">
<tr>
<th>Risk ID</th>
<th>Risk Name</th>
<th>Inherent Impact</th>
<th>Inherent Likelihood</th>
<th>Inherent Risk Score</th>
<th>Residual Impact</th>
<th>Residual Likelihood</th>
<th>Residual Risk Score</th>
</tr>
{% for item in risks_with_controls %}
<tr>
<td>{{ item.risk.id }}</td>
<td>{{ item.risk.name }}</td>
<td>{{ item.r_impact }}</td>
<td>{{ item.r_likelihood }}</td>
<td>{{ item.risk_score }}</td>
<td>{{ item.residual_impact }}</td>
<td>{{ item.residual_likelihood }}</td>
<td>{{ item.residual_risk_score }}</td>
</tr>
{% endfor %}
</table>
- segment_type: "residual_risk_matrix"
content:
- title: "Risk Matrix Visualization - Residual Risk"
description: |
The chart below visually represents the residual risk scores of the top 10 identified risks based on their Residual Likelihood and Impact after applying proposed mitigating controls. The size of the marker indicates the number of risks at that specific Likelihood/Impact intersection.
image: "data:image/png;base64,{{ residual_graph }}"
- segment_type: "framework_alignment"
content:
- title: "Framework Alignment"
- subtitle: "CIS Critical Security Controls (CSC) v8.1:"
description: |
The CIS Critical Security Controls (CSC) v8.1 is a globally recognized, prioritized set of cybersecurity best practices designed to help organizations improve their cyber defenses against known attack vectors. Developed by the Center for Internet Security (CIS), the framework provides a structured approach to implementing and managing essential cybersecurity safeguards. CIS CSC v8.1 consists of 18 top-level Controls, each supported by a set of Safeguards (formerly known as Sub-Controls). The framework is designed to be actionable and provide a clear path for organizations of varying sizes and complexities to enhance their cybersecurity posture effectively.
- subtitle: "NIST Cybersecurity Framework (CSF) 2.0:"
description: |
The NIST Cybersecurity Framework (CSF) 2.0 provides a structured and flexible approach for organizations to understand, manage, reduce, and communicate cybersecurity risks. Developed by the National Institute of Standards and Technology (NIST), CSF 2.0 maintains the core structure of its predecessor but introduces enhancements, including a new Govern function to emphasize cybersecurity governance. The framework is organized around six key functions that represent the lifecycle of managing cybersecurity risk: Identify, Govern, Protect, Detect, Respond, and Recover. CSF 2.0 is designed to be adaptable to various technologies and sectors, providing a common language for internal and external stakeholders to discuss and manage cybersecurity risks effectively.
- subtitle: "Cybersecurity Capability Maturity Levels (CMMI Adaptation):"
description: |
The table below presents an assessment of the organization's cybersecurity capabilities across key functions derived from the NIST CSF 2.0, mapped against maturity levels adapted from the Capability Maturity Model Integration (CMMI) framework. These levels describe a progression from initial, chaotic processes (Level 1) to optimized, continuously improving processes (Level 5).
headers: ["NIST CSF 2.0 Function", "Level 1 (Initial)", "Level 2 (Managed)", "Level 3 (Defined)", "Level 4 (Quantitatively Managed)", "Level 5 (Optimizing)"]
rows:
- ["Govern", "Reactive and ad hoc.", "Nascent and unreliable.", "Established, predictable, reliable.", "Provides direction and shapes program.", "Key pillar, known and reportable state."]
- ["Identify", "Little to no identification.", "Immature process.", "Standard, well-defined process.", "Proactively monitored periodically.", "Continuously monitored, incorporated into business decisions."]
- ["Protect", "Reactive and ad hoc.", "Implemented across environment.", "Formally defined, protected in accordance with classification.", "Proactively monitored via protective technologies.", "Operationalized through automation and advanced technologies."]
- ["Detect", "Not detected timely.", "Established through tools and procedures.", "Baseline of 'normal' activity established and applied.", "Continuous monitoring program established for real-time threats.", "Continuously learning behaviors and adjusting capabilities."]
- ["Respond", "Reactive or non-existent.", "Reactive or non-existent.", "Analysis capabilities applied consistently by IR roles.", "IR Plan defines steps for preparation, analysis, containment, eradication, post-incident.", "Times and impacts monitored and minimized."]
- ["Recover", "Applied consistently to incidents impacting business operations.", "Continuity & Disaster Recovery Plan defines steps to continue critical functions and resume operations.", "Recovery times and impacts monitored and minimized.", "Capabilities of all IT personnel, procedures, technologies regularly tested and updated.", "Capabilities of all IT personnel, procedures, technologies regularly tested and updated."]
- segment_type: "industry_and_consultancy_benchmarks"
content:
- title: "Industry and Consultancy Benchmarks"
description: |
The insights and analysis presented in this report were informed by incorporating data and trend analysis from leading industry and consultancy publications. These sources provide valuable context regarding prevalent threats, attack methodologies, and effective control strategies observed across various sectors.
- segment_type: "risks_with_mitigating_controls"
content:
- title: "Risks with Mitigating Controls"
description: |
The following section details the top identified risks and lists relevant mitigating controls. The controls are referenced using their corresponding CIS CSC v8.1 identifier and are assigned a weight indicating their relative effectiveness or importance in mitigating the specific risk. Controls are listed in numerical order by Safeguard ID.
- html: |
{% for item in risks_with_controls %}
<h3>Risk: {{ item.risk.name }}</h3>
<h4>Mitigating Controls:</h4>
<ul>
{% for control in item.controls %}
<li>{{ control.control__subcategory }} - Weight: {{ control.weight }}</li>
{% endfor %}
</ul>
{% endfor %}
- segment_type: "cis_control_safeguard_summary"
content:
- title: "NIST CSF Control Summary"
description: |
The following table summarizes the controls referenced as mitigating safeguards for the identified risks and shows how many times each control was listed across all risks. The table displays the Control ID along with its Subcategory, Category, and Function fields, and the total Count of references.
- html: |
<table class="safeguard-summary-table">
<tr>
<th>Control ID</th>
<th>Subcategory</th>
<th>Category</th>
<th>Function</th>
<th>Count</th>
</tr>
{% for item in safeguard_summary_table %}
<tr>
<td>{{ item.id }}</td>
<td>{{ item.subcategory }}</td>
<td>{{ item.category }}</td>
<td>{{ item.function }}</td>
<td>{{ item.count }}</td>
</tr>
{% endfor %}
</table>
- note: |
Note: Data reflects the current control model (NIST CSF 2.0). Some controls may not have Category or Function populated; those cells will appear blank. "Count" represents how many times the control was referenced across all risk mitigation sections.
- segment_type: "continuous_improvement"
content:
- title: "Continuous Improvement"
description: |
Cybersecurity is formally recognized as a continuous journey, not a static destination. To effectively adapt to the evolving threat landscape and changes in the operational environment, {{ document.organization.name }} should establish processes for regular risk register reviews and cybersecurity maturity assessments. Implementing a structured cybersecurity improvement roadmap will ensure that controls remain effective, are continuously optimized, and remain aligned with organizational priorities and strategic objectives.
The risk register should be reviewed and updated on a regular, defined cycle. This review process must include a formal re-assessment of existing risks based on identified changes to organizational information systems, the environments in which the systems operate (change monitoring), and changes in the feasibility or effectiveness of ongoing risk response measures. Risks that have been formally accepted should also be re-evaluated during each cycle to confirm that the residual risk remains within acceptable tolerance levels. Concerted efforts should be made to optimize risk response measures where feasible, aiming for continuous reduction of residual risk.
- segment_type: "disclaimer"
content:
- subtitle: "Disclaimer"
description: |
This report is provided for informational purposes only and is based on the data and information available to StackSight LLC at the time of the assessment. The findings and recommendations contained herein are intended solely to provide guidance to {{ document.organization.name }} in enhancing its cybersecurity posture. Cybersecurity risks are inherently dynamic and subject to continuous evolution. StackSight LLC makes no warranties, express or implied, regarding the completeness, accuracy, or suitability of this report for any specific purpose or outcome. The implementation of the recommendations outlined in this report does not constitute a guarantee of complete protection against all potential cyber threats or incidents.
{{ document.organization.name }} assumes full responsibility for all decisions made based on the content of this report and for the implementation, ongoing management, and effectiveness of its cybersecurity controls and risk management program. This report should not be construed as, nor relied upon as, legal or regulatory advice.
- segment_type: "risk_assessment_process"
content:
- title: "Risk Assessment Process - Scales"
description: |
For determining likelihood, StackSight LLC utilizes a commonly referenced scale, presented below:
- headers: ["Likelihood Score", "Probability of Happening in a Year", "Descriptor", "Criteria"]
rows:
- ["1", "0-10%", "Rare", "Has never occurred or has not occurred in the prior 10 years. Highly unlikely, but it may occur in exceptional circumstances. It could happen, but probably never will."]
- ["2", "11-24%", "Unlikely", "Has occurred within the past 4 to 10 years. Not expected, but there is a slight possibility it may occur at some time."]
- ["3", "25-50%", "Probable", "Has occurred within the past 2 to 4 years. The event might occur at some time, as there is a history of occasional occurrence at similar organizations."]
- ["4", "51-89%", "Likely", "Has occurred within the past 1 to 2 years. There is a strong probability the event will occur, as there is a history of frequent occurrence at similar organizations."]
- ["5", "90-100%", "Almost Certain", "Currently occurs or has occurred in the last year. The event is expected to occur in most circumstances as there is a history of regular occurrence at similar organizations."]
- description: |
The risk impact is formally scored using the following definitions and corresponding operational recovery metrics (RPO/RTO):
- headers: ["Impact/Severity", "Cost", "Reputation (Internal & External)", "Management Effort", "Operational Resources", "Compliance/SOX/CRA/NIS2 Impact"]
rows:
- ["Insignificant (1)", "0% to .04% of Gross Revenue", "Unaware - A reasonable person does not have knowledge of the situation or fact. Additionally, there is no obligation to divulge the incident.", "Normal Activity - Usual, average or typical company processes. Typically no extra cumulative management time is needed.", "Additional Resources - No extra internal or external personnel needed to bring resolution to the issue outside of normal processes.", "Low direct regulatory implications. Baseline operational obligations and internal controls are expected to be maintained."]
- ["Significant (2)", "~.05% to .25% Gross Revenue", "Minimum Concern - If a reasonable person obtains knowledge of the situation or fact, there is no reaction, either positive or negative. Additionally, there is no obligation to divulge the incident.", "Minimum Management Effort - 1-10 hrs of management's cumulative time.", "Minor Operational Resources - Internal or external personnel may be needed to bring resolution to the issue, typically 4-40 hrs of cumulative time.", "Primarily an internal control issue. Notification to designated authorities may be required. Potential for initial warnings or minor penalties depending on the nature of the incident."]
- ["Severe (3)", "~.25% to .5% Gross Revenue", "Moderate Concern - A reasonable person obtains knowledge of the situation that could violate laws, regulations or compliance requirements, but the narrative is that management is in control and is rectifying the situation appropriately.", "Moderate Management Effort - 10-20 hrs of management's cumulative time.", "Moderate Operational Resources - Internal or external personnel may be needed to bring resolution to the issue, typically 40-80 hrs (2 weeks) of cumulative time.", "A clear deviation from expected operational or product/service standards, requiring notification and remediation actions. Mandatory reporting to authorities. Risk of financial penalties and increased regulatory scrutiny."]
- ["Material (4)", "~.5% to 1% Gross Revenue", "Severe Concern - A reasonable person obtains knowledge of the situation that could violate laws, regulations or compliance requirements, and the narrative is that management is acting in a negligent manner in rectifying the situation.", "Severe Management Effort - 20-40 hrs of management's cumulative time.", "Severe Operational Resources - Internal or external personnel may be needed to bring resolution to the issue, typically 80 hrs (2 weeks) to 160 hrs (4 weeks) of cumulative time.", "Serious non-compliance with established standards. Risk of significant operational disruptions, including potential product/service restrictions or recalls. Mandatory and detailed reporting to authorities is required. High likelihood of substantial financial penalties, potential suspension of services, and personal accountability for responsible management."]
- ["Major (5)", "~1% Gross Revenue", "Outrage from a Reasonable Person - A reasonable person obtains knowledge of the situation that violates laws, regulations or compliance requirements, and the narrative is that management is acting in a negligent manner in rectifying the situation or is not rectifying it at all.", "Precarious Management Effort - 40 hrs or more of management's cumulative time; management may be removed from their position.", "Precarious Operational Resources - Internal or external personnel may be needed to bring resolution to the issue, over 160 hrs (4 weeks) of cumulative time.", "Systemic failure with severe consequences. Significant regulatory sanctions expected. Mandatory, multi-stage, and comprehensive reporting to authorities is required. Maximum financial penalties are likely, with potential for temporary prohibition of managerial functions and other stringent enforcement actions. The possibility of criminal liability may be considered depending on applicable law or regulation."]
- description: |
The specific definition of material impact is contingent upon the organizational type and scale. For companies exceeding 1 billion USD in annual revenue, the materiality threshold for major impact is set at 1% of annual revenue. For organizations below this revenue threshold, it is set at 10%. For non-profit organizations, alternative, pre-defined guidelines are utilized.
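Worked example, added here and not part of the riskletpy template or its code: it applies the scoring rule from the Risk Matrix segment (Risk Score = Inherent Impact x Inherent Likelihood, scores 5-7 tolerable, 8 and above intolerable) together with the likelihood and impact scales above, and builds `table_risk_matrix_header` / `table_risk_matrix_rows` in the shape the template reads. The label "acceptable" for scores below 5, the gap-rounding rule, the 1% impact bands and the sample phishing risk are assumptions, not values from the report.

```python
"""Added worked example (not part of the riskletpy template): the report's
scoring rule (Risk Score = Impact x Likelihood), its thresholds (5-7 tolerable,
8 and above intolerable) and the matrix rows in the shape the template reads.
Assumptions: scores below 5 are labelled "acceptable"; the 1 % impact bands apply."""
from dataclasses import dataclass

# Likelihood scale from the Scales section: (score, descriptor, upper bound %).
LIKELIHOOD_SCALE = [
    (1, "Rare", 10.0), (2, "Unlikely", 24.0), (3, "Probable", 50.0),
    (4, "Likely", 89.0), (5, "Almost Certain", 100.0),
]
# Impact scale: (score, descriptor, upper bound of loss as fraction of revenue).
IMPACT_SCALE = [
    (1, "Insignificant", 0.0004), (2, "Significant", 0.0025),
    (3, "Severe", 0.005), (4, "Material", 0.01), (5, "Major", float("inf")),
]
TOLERANCE_LOW, TOLERANCE_HIGH, INTOLERABLE = 5, 7, 8


def likelihood_score(annual_probability_pct: float) -> int:
    """Map an annual probability (0-100 %) to 1-5; values in the gaps between
    bands (e.g. 10.5 %) round up to the next band (our assumption)."""
    if not 0.0 <= annual_probability_pct <= 100.0:
        raise ValueError("probability must be a percentage in [0, 100]")
    return next(s for s, _, upper in LIKELIHOOD_SCALE if annual_probability_pct <= upper)


def impact_score(loss_fraction_of_revenue: float) -> int:
    """Map an estimated loss as a fraction of gross revenue to 1-5."""
    if loss_fraction_of_revenue < 0:
        raise ValueError("loss fraction cannot be negative")
    return next(s for s, _, upper in IMPACT_SCALE if loss_fraction_of_revenue <= upper)


def risk_score(impact: int, likelihood: int) -> int:
    """Risk Score = Inherent Impact Score x Inherent Likelihood Score."""
    if impact not in range(1, 6) or likelihood not in range(1, 6):
        raise ValueError("impact and likelihood must be integers from 1 to 5")
    return impact * likelihood


def risk_class(score: int) -> str:
    """Classify with the report's thresholds; the string doubles as a CSS class."""
    if score >= INTOLERABLE:
        return "intolerable"
    if TOLERANCE_LOW <= score <= TOLERANCE_HIGH:
        return "tolerable"
    return "acceptable"


def build_risk_matrix():
    """Return (table_risk_matrix_header, table_risk_matrix_rows) as the template
    expects: row[0] is the impact label, every other cell is (score, css_class)
    read by the template as cell.0 and cell.1."""
    header = ["Impact \\ Likelihood"] + [f"{s} ({d})" for s, d, _ in LIKELIHOOD_SCALE]
    rows = []
    for i_score, i_desc, _ in reversed(IMPACT_SCALE):  # highest impact on top
        row = [f"{i_desc} ({i_score})"]
        for l_score, _, _ in LIKELIHOOD_SCALE:
            score = risk_score(i_score, l_score)
            row.append((score, risk_class(score)))
        rows.append(row)
    return header, rows


@dataclass
class AssessedRisk:
    """One risk register entry with inherent and residual scores."""
    name: str
    inherent_impact: int
    inherent_likelihood: int
    residual_impact: int
    residual_likelihood: int

    def inherent_score(self) -> int:
        return risk_score(self.inherent_impact, self.inherent_likelihood)

    def residual_score(self) -> int:
        return risk_score(self.residual_impact, self.residual_likelihood)

    def treatment_required(self) -> bool:
        """Inherent scores of 8 or above are intolerable and must be treated."""
        return self.inherent_score() >= INTOLERABLE

    def residual_acceptable(self) -> bool:
        """Acceptance is only an option once the residual score is within tolerance."""
        return self.residual_score() <= TOLERANCE_HIGH


def example_risk() -> AssessedRisk:
    """Constructed sample: phishing at an estimated 40 % annual probability and a
    loss near 0.3 % of revenue, reduced by MFA and mail filtering to 15 % / 0.1 %."""
    return AssessedRisk(
        name="Phishing leading to credential compromise",
        inherent_impact=impact_score(0.003),         # 3, Severe
        inherent_likelihood=likelihood_score(40.0),  # 3, Probable
        residual_impact=impact_score(0.001),         # 2, Significant
        residual_likelihood=likelihood_score(15.0),  # 2, Unlikely
    )
```

The sample risk scores 9 inherently (intolerable, treatment required) and 4 residually, which is below the tolerance range and so eligible for formal acceptance under the report's rules.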