{ "total": 39, "risks": [ { "risk_id": "R-AC-1", "grouping": "Access Control", "name": "Inability to maintain individual accountability", "description": "The inability to maintain accountability (e.g., asset ownership, non-repudiation of actions or inactions, etc.).", "nist_csf_function": "Protect" }, { "risk_id": "R-AC-2", "grouping": "Access Control", "name": "Improper assignment of privileged functions", "description": "The inability to implement least privileges (e.g., Role-Based Access Control (RBAC), Privileged Account Management (PAM), etc.).", "nist_csf_function": "Protect" }, { "risk_id": "R-AC-3", "grouping": "Access Control", "name": "Privilege escalation", "description": "The inability to restrict access to privileged functions.", "nist_csf_function": "Protect" }, { "risk_id": "R-AC-4", "grouping": "Access Control", "name": "Unauthorized access", "description": "The inability to restrict access to only authorized individuals, groups or services.", "nist_csf_function": "Protect" }, { "risk_id": "R-AM-1", "grouping": "Asset Management", "name": "Lost, damaged or stolen asset(s)", "description": "Lost, damaged or stolen assets.", "nist_csf_function": "Protect" }, { "risk_id": "R-AM-2", "grouping": "Asset Management", "name": "Loss of integrity through unauthorized changes", "description": "Unauthorized changes that corrupt the integrity of the system / application / service.", "nist_csf_function": "Protect" }, { "risk_id": "R-AM-3", "grouping": "Asset Management", "name": "Emergent properties and/or unintended consequences", "description": "Emergent properties and/or unintended consequences from Artificial Intelligence & Autonomous Technologies (AAT).", "nist_csf_function": "Protect" }, { "risk_id": "R-BC-1", "grouping": "Business Continuity", "name": "Business interruption", "description": "Increased latency, or a service outage, that negatively impact business operations.", "nist_csf_function": "Recover" }, { "risk_id": "R-BC-2", "grouping": "Business Continuity", "name": "Data loss / corruption", "description": "The inability to maintain the confidentiality of the data (compromise) or prevent data corruption (loss).", "nist_csf_function": "Recover" }, { "risk_id": "R-BC-3", "grouping": "Business Continuity", "name": "Reduction in productivity", "description": "Diminished user productivity.", "nist_csf_function": "Protect" }, { "risk_id": "R-BC-4", "grouping": "Business Continuity", "name": "Information loss / corruption or system compromise due to technical attack", "description": "A technical attack that compromises data, systems, applications or services (e.g., malware, phishing, hacking, etc.).", "nist_csf_function": "Protect" }, { "risk_id": "R-BC-5", "grouping": "Business Continuity", "name": "Information loss / corruption or system compromise due to nonā€technical attack", "description": "A non-technical attack that compromises data, systems, applications or services (e.g., social engineering, sabotage, etc.).", "nist_csf_function": "Protect" }, { "risk_id": "R-EX-1", "grouping": "Exposure", "name": "Loss of revenue", "description": "A negative impact on the ability to generate revenue (e.g., a loss of clients or an inability to generate future revenue).", "nist_csf_function": "Recover" }, { "risk_id": "R-EX-2", "grouping": "Exposure", "name": "Cancelled contract", "description": "A cancelled contract with a client or other entity for cause (e.g., failure to fulfill obligations for secure practices).", "nist_csf_function": "Recover" }, { "risk_id": "R-EX-3", "grouping": "Exposure", "name": "Diminished competitive advantage", "description": "Diminished competitive advantage (e.g., lose market share, internal dysfunction, etc.).", "nist_csf_function": "Recover" }, { "risk_id": "R-EX-4", "grouping": "Exposure", "name": "Diminished reputation", "description": "Diminished brand value (e.g., tarnished reputation).", "nist_csf_function": "Recover" }, { "risk_id": "R-EX-5", "grouping": "Exposure", "name": "Fines and judgements", "description": "Financial damages due to fines and/or judgements from statutory / regulatory / contractual non-compliance.", "nist_csf_function": "Recover" }, { "risk_id": "R-EX-6", "grouping": "Exposure", "name": "Unmitigated vulnerabilities", "description": "Unmitigated technical vulnerabilities that lack compensating controls or other mitigation actions.", "nist_csf_function": "Protect" }, { "risk_id": "R-EX-7", "grouping": "Exposure", "name": "System compromise", "description": "A compromise of a system, application or service that affects confidentiality, integrity, availability and/or safety.", "nist_csf_function": "Protect" }, { "risk_id": "R-GV-1", "grouping": "Governance", "name": "Inability to support business processes", "description": "Insufficient cybersecurity and/or privacy practices that cannot securely support the organization's technologies & processes.", "nist_csf_function": "Protect" }, { "risk_id": "R-GV-2", "grouping": "Governance", "name": "Incorrect controls scoping", "description": "Missing or incorrect cybersecurity and/or privacy controls due to incorrect or inadequate control scoping practices.", "nist_csf_function": "Identify" }, { "risk_id": "R-GV-3", "grouping": "Governance", "name": "Lack of roles & responsibilities", "description": "Insufficient cybersecurity and/or privacy roles & responsibilities that cannot securely support the organization's technologies & processes.", "nist_csf_function": "Identify" }, { "risk_id": "R-GV-4", "grouping": "Governance", "name": "Inadequate internal practices", "description": "Insufficient cybersecurity and/or privacy practices that can securely support the organization's technologies & processes.", "nist_csf_function": "Protect" }, { "risk_id": "R-GV-5", "grouping": "Governance", "name": "Inadequate third-party practices", "description": "Insufficient Cybersecurity Supply Chain Risk Management (C-SCRM) practices that cannot securely support the organization's technologies & processes.", "nist_csf_function": "Protect" }, { "risk_id": "R-GV-6", "grouping": "Governance", "name": "Lack of oversight of internal controls", "description": "The inability to demonstrate appropriate evidence of due diligence and due care in overseeing the organization's internal cybersecurity and/or privacy controls.", "nist_csf_function": "Identify" }, { "risk_id": "R-GV-7", "grouping": "Governance", "name": "Lack of oversight of third-party controls", "description": "The inability to demonstrate appropriate evidence of due diligence and due care in overseeing third-party cybersecurity and/or privacy controls.", "nist_csf_function": "Identify" }, { "risk_id": "R-GV-8", "grouping": "Governance", "name": "Illegal content or abusive action", "description": "Disruptive content or actions that negatively affect business operations (e.g., abusive content, harmful speech, threats of violence, illegal content, etc.).", "nist_csf_function": "Identify" }, { "risk_id": "R-IR-1", "grouping": "Incident Response", "name": "Inability to investigate / prosecute incidents", "description": "Insufficient incident response practices that prevent the organization from investigating and/or prosecuting incidents (e.g., chain of custody corruption, available sources of evidence, etc.).", "nist_csf_function": "Respond" }, { "risk_id": "R-IR-2", "grouping": "Incident Response", "name": "Improper response to incidents", "description": "The inability to appropriately respond to incidents in a timely manner.", "nist_csf_function": "Respond" }, { "risk_id": "R-IR-3", "grouping": "Incident Response", "name": "Ineffective remediation actions", "description": "The inability to ensure incident response actions were correct and/or effective.", "nist_csf_function": "Protect" }, { "risk_id": "R-IR-4", "grouping": "Incident Response", "name": "Expense associated with managing a loss event", "description": "Financial repercussions from responding to an incident or loss.", "nist_csf_function": "Respond" }, { "risk_id": "R-SA-1", "grouping": "Situational Awareness", "name": "Inability to maintain situational awareness", "description": "The inability to detect cybersecurity and/or privacy incidents (e.g., a lack of situational awareness).", "nist_csf_function": "Detect" }, { "risk_id": "R-SA-2", "grouping": "Situational Awareness", "name": "Lack of a security-minded workforce", "description": "The inability to appropriately educate and train personnel to foster a security-minded workforce.", "nist_csf_function": "Protect" }, { "risk_id": "R-SC-1", "grouping": "Supply Chain", "name": "Third-party cybersecurity exposure", "description": "Loss of Confidentiality, Integrity, Availability and/or Safety (CIAS) from third-party cybersecurity practices, vulnerabilities and/or incidents that affects the supply chain through impacted products and/or services.", "nist_csf_function": "Protect" }, { "risk_id": "R-SC-2", "grouping": "Supply Chain", "name": "Third-party physical security exposure", "description": "Loss of Confidentiality, Integrity, Availability and/or Safety (CIAS) from physical security exposure of third-party structures, facilities and/or other physical assets that affects the supply chain through impacted products and/or services.", "nist_csf_function": "Protect" }, { "risk_id": "R-SC-3", "grouping": "Supply Chain", "name": "Third-party supply chain relationships, visibility and controls", "description": "Loss of Confidentiality, Integrity, Availability and/or Safety (CIAS) from \"downstream\" third-party relationships, visibility and controls that affect the supply chain through impacted products and/or services.", "nist_csf_function": "Protect" }, { "risk_id": "R-SC-4", "grouping": "Supply Chain", "name": "Third-party compliance / legal exposure", "description": "The inability to maintain compliance due to third-party non-compliance, criminal acts, or other relevant legal action(s).", "nist_csf_function": "Protect" }, { "risk_id": "R-SC-5", "grouping": "Supply Chain", "name": "Use of product / service", "description": "The misuse of the product / service in a manner that it was not designed or how it was approved for use.", "nist_csf_function": "Protect" }, { "risk_id": "R-SC-6", "grouping": "Supply Chain", "name": "Reliance on the third-party", "description": "The inability to continue business operations, due to the reliance on the third-party product and/or service.", "nist_csf_function": "Protect" } ] }