# Risk Assessment

- **Version:** 1.0
- **Assessment Date:** February 2026
- **Assessor:** Johan Jongsma
- **Next Review:** February 2027

---

## 1. Purpose

Identify, assess, and document risks to Dealspace systems and data, and the controls in place to mitigate them.

---

## 2. Scope

- Dealspace production systems
- M&A deal data (financial documents, transaction details)
- Supporting infrastructure and processes

---

## 3. Risk Assessment Methodology

### Likelihood Scale

| Rating | Description | Frequency |
|--------|-------------|-----------|
| 1 - Rare | Unlikely to occur | < 1% annually |
| 2 - Unlikely | Could occur | 1-10% annually |
| 3 - Possible | Might occur | 10-50% annually |
| 4 - Likely | Will probably occur | 50-90% annually |
| 5 - Almost Certain | Expected to occur | > 90% annually |

### Impact Scale

| Rating | Description | Effect |
|--------|-------------|--------|
| 1 - Negligible | Minimal impact | Minor inconvenience |
| 2 - Minor | Limited impact | Some users affected, quick recovery |
| 3 - Moderate | Significant impact | Service degraded, data at risk |
| 4 - Major | Serious impact | Extended outage, data breach |
| 5 - Catastrophic | Severe impact | Complete data loss, regulatory action, criminal exposure |

### Risk Score

**Score = Likelihood x Impact** (Range: 1-25)

| Score | Level | Response |
|-------|-------|----------|
| 1-4 | Low | Accept |
| 5-9 | Medium | Monitor |
| 10-16 | High | Mitigate |
| 17-25 | Critical | Immediate action |

---

## 4. Risk Register

### 4.1 Security Risks

| ID | Risk | L | I | Score | Controls | Residual |
|----|------|---|---|-------|----------|----------|
| S1 | Unauthorized deal data access | 2 | 5 | 10 | RBAC, per-project encryption, JWT auth, audit logging | Low |
| S2 | Application vulnerability exploited | 2 | 5 | 10 | Parameterized queries, input validation, rate limiting | Low |
| S3 | Credential theft/phishing | 2 | 4 | 8 | MFA for IB users, short token expiry, session management | Low |
| S4 | Insider threat | 1 | 5 | 5 | Single operator, automated access controls | Low |
| S5 | Master key compromise | 1 | 5 | 5 | Separate storage, file permissions, key derivation | Low |
| S6 | DDoS attack | 3 | 3 | 9 | Rate limiting, UFW | Low |
| S7 | Ransomware | 2 | 5 | 10 | Off-site backups, OS hardening | Low |
| S8 | Email spoofing (fake deal messages) | 2 | 5 | 10 | DKIM verification, channel participants table | Low |

### 4.2 Availability Risks

| ID | Risk | L | I | Score | Controls | Residual |
|----|------|---|---|-------|----------|----------|
| A1 | Hardware failure | 3 | 3 | 9 | Daily backups, Hostkey support | Low |
| A2 | Network outage | 2 | 3 | 6 | Hostkey infrastructure | Low |
| A3 | Database corruption | 2 | 4 | 8 | Daily backups, SQLite integrity checks | Low |
| A4 | Provider failure | 1 | 5 | 5 | Off-site backups, alternate provider option | Low |

### 4.3 Compliance Risks

| ID | Risk | L | I | Score | Controls | Residual |
|----|------|---|---|-------|----------|----------|
| C1 | GDPR violation | 2 | 4 | 8 | Consent, deletion rights, export, privacy policy | Low |
| C2 | Data request not fulfilled | 2 | 3 | 6 | Export functionality, 30-day response commitment | Low |
| C3 | Breach notification failure | 2 | 4 | 8 | Incident response plan, notification templates | Low |

### 4.4 Operational Risks

| ID | Risk | L | I | Score | Controls | Residual |
|----|------|---|---|-------|----------|----------|
| O1 | Key person dependency | 4 | 4 | 16 | Documentation, automated processes | Medium |
| O2 | Configuration error | 2 | 3 | 6 | Git-tracked config, testing | Low |
| O3 | Backup failure undetected | 2 | 4 | 8 | Monthly verification planned | Low |
| O4 | Loss of encryption key | 1 | 5 | 5 | Key in separate secure storage | Low |

### 4.5 M&A-Specific Risks

| ID | Risk | L | I | Score | Controls | Residual |
|----|------|---|---|-------|----------|----------|
| M1 | Deal data leaked to competitor | 1 | 5 | 5 | Per-project encryption, watermarking, access controls | Low |
| M2 | Insider trading via leaked data | 1 | 5 | 5 | Audit logging, access restrictions, watermarking | Low |
| M3 | Competing bidder gains access | 1 | 5 | 5 | RBAC, invitation-only access, audit trail | Low |

---

## 5. Risk Treatment Plan

### High Priority

| Risk ID | Risk | Score | Treatment | Status |
|---------|------|-------|-----------|--------|
| O1 | Key person dependency | 16 | Document all procedures, automate where possible | In progress |

### Medium Priority (Monitoring)

| Risk ID | Treatment | Timeline |
|---------|-----------|----------|
| S1 | Continue audit logging implementation | Q1 2026 |
| S7 | Perform restore test to verify backup integrity | Q1 2026 |
| O3 | Implement backup monitoring alerts | Q1 2026 |

---

## 6. Control Summary

### Preventive Controls

| Control | Risks Mitigated |
|---------|-----------------|
| AES-256-GCM encryption (per-project) | S1, S5, S7, M1, M2, M3 |
| HKDF-SHA256 key derivation | S5 |
| Blind indexes (HMAC-SHA256) | S1 (prevents deterministic encryption attacks) |
| RBAC at data layer | S1, S4, M1, M3 |
| JWT with 1-hour expiry | S1, S3 |
| MFA for IB users | S3 |
| Rate limiting | S2, S6 |
| DKIM verification | S8 |
| UFW default deny | S2, S6 |
| AppArmor enforcement | S2 |
| Automatic security updates | S2 |

### Detective Controls

| Control | Risks Addressed |
|---------|-----------------|
| HTTP access logging | S1, S2, S6 |
| Audit logging | S1, S4, M1, M2 |
| Rate limiting alerts | S3, S6 |
| Anomaly detection | S1, S3 |

### Corrective Controls

| Control | Risks Addressed |
|---------|-----------------|
| Daily backups | A3, S7 |
| Off-site backups | A4, S7 |
| Incident response plan | S1-S8, C3 |
| Disaster recovery plan | A1-A4 |

---

## 7. Accepted Residual Risk

The following residual risks are formally accepted:

| Risk | Level | Rationale |
|------|-------|-----------|
| O1 - Key person dependency | Medium | Mitigated by documentation; acceptable for current scale |
| S4 - Insider threat | Low | Single operator with strong controls |
| S5 - Key compromise | Low | Multiple layers of protection |
| A4 - Provider failure | Low | Off-site backups with separate key storage |

- **Accepted by:** Johan Jongsma
- **Date:** February 28, 2026

---

## 8. Risk Monitoring

### Ongoing Monitoring

| Category | Method | Frequency |
|----------|--------|-----------|
| Security | Log review, rate limit alerts | Daily |
| Availability | Health checks | Continuous |
| Backups | Verification | Monthly |
| Compliance | Policy review | Quarterly |

### Risk Review Triggers

Re-assess risks when:

- New features or systems added
- Security incident occurs
- Regulatory changes
- Significant infrastructure changes
- Annually (minimum)

---

*Document end*