Risk Assessment
Version: 1.0
Assessment Date: February 2026
Assessor: Johan Jongsma
Next Review: February 2027
1. Purpose
Identify, assess, and document risks to Dealspace systems and data, and the controls in place to mitigate them.
2. Scope
- Dealspace production systems
- M&A deal data (financial documents, transaction details)
- Supporting infrastructure and processes
3. Risk Assessment Methodology
Likelihood Scale
| Rating | Description | Frequency |
|---|---|---|
| 1 - Rare | Unlikely to occur | < 1% annually |
| 2 - Unlikely | Could occur | 1-10% annually |
| 3 - Possible | Might occur | 10-50% annually |
| 4 - Likely | Will probably occur | 50-90% annually |
| 5 - Almost Certain | Expected to occur | > 90% annually |
Impact Scale
| Rating | Description | Effect |
|---|---|---|
| 1 - Negligible | Minimal impact | Minor inconvenience |
| 2 - Minor | Limited impact | Some users affected, quick recovery |
| 3 - Moderate | Significant impact | Service degraded, data at risk |
| 4 - Major | Serious impact | Extended outage, data breach |
| 5 - Catastrophic | Severe impact | Complete data loss, regulatory action, criminal exposure |
Risk Score
Score = Likelihood x Impact (Range: 1-25)
| Score | Level | Response |
|---|---|---|
| 1-4 | Low | Accept |
| 5-9 | Medium | Monitor |
| 10-16 | High | Mitigate |
| 17-25 | Critical | Immediate action |
4. Risk Register
4.1 Security Risks
| ID | Risk | Likelihood | Impact | Score | Controls | Residual |
|---|---|---|---|---|---|---|
| S1 | Unauthorized deal data access | 2 | 5 | 10 | RBAC, per-project encryption, JWT auth, audit logging | Low |
| S2 | Application vulnerability exploited | 2 | 5 | 10 | Parameterized queries, input validation, rate limiting | Low |
| S3 | Credential theft/phishing | 2 | 4 | 8 | MFA for IB users, short token expiry, session management | Low |
| S4 | Insider threat | 1 | 5 | 5 | Single operator, automated access controls | Low |
| S5 | Master key compromise | 1 | 5 | 5 | Separate storage, file permissions, key derivation | Low |
| S6 | DDoS attack | 3 | 3 | 9 | Rate limiting, UFW | Low |
| S7 | Ransomware | 2 | 5 | 10 | Off-site backups, OS hardening | Low |
| S8 | Email spoofing (fake deal messages) | 2 | 5 | 10 | DKIM verification, channel participants table | Low |
4.2 Availability Risks
| ID | Risk | Likelihood | Impact | Score | Controls | Residual |
|---|---|---|---|---|---|---|
| A1 | Hardware failure | 3 | 3 | 9 | Daily backups, Hostkey support | Low |
| A2 | Network outage | 2 | 3 | 6 | Hostkey infrastructure | Low |
| A3 | Database corruption | 2 | 4 | 8 | Daily backups, SQLite integrity checks | Low |
| A4 | Provider failure | 1 | 5 | 5 | Off-site backups, alternate provider option | Low |
4.3 Compliance Risks
| ID | Risk | Likelihood | Impact | Score | Controls | Residual |
|---|---|---|---|---|---|---|
| C1 | GDPR violation | 2 | 4 | 8 | Consent, deletion rights, export, privacy policy | Low |
| C2 | Data request not fulfilled | 2 | 3 | 6 | Export functionality, 30-day response commitment | Low |
| C3 | Breach notification failure | 2 | 4 | 8 | Incident response plan, notification templates | Low |
4.4 Operational Risks
| ID | Risk | Likelihood | Impact | Score | Controls | Residual |
|---|---|---|---|---|---|---|
| O1 | Key person dependency | 4 | 4 | 16 | Documentation, automated processes | Medium |
| O2 | Configuration error | 2 | 3 | 6 | Git-tracked config, testing | Low |
| O3 | Backup failure undetected | 2 | 4 | 8 | Monthly verification planned | Low |
| O4 | Loss of encryption key | 1 | 5 | 5 | Key in separate secure storage | Low |
4.5 M&A-Specific Risks
| ID | Risk | Likelihood | Impact | Score | Controls | Residual |
|---|---|---|---|---|---|---|
| M1 | Deal data leaked to competitor | 1 | 5 | 5 | Per-project encryption, watermarking, access controls | Low |
| M2 | Insider trading via leaked data | 1 | 5 | 5 | Audit logging, access restrictions, watermarking | Low |
| M3 | Competing bidder gains access | 1 | 5 | 5 | RBAC, invitation-only access, audit trail | Low |
5. Risk Treatment Plan
High Priority
| Risk ID | Risk | Score | Treatment | Status |
|---|---|---|---|---|
| O1 | Key person dependency | 16 | Document all procedures, automate where possible | In progress |
Medium Priority (Monitoring)
| Risk ID | Treatment | Timeline |
|---|---|---|
| S1 | Continue audit logging implementation | Q1 2026 |
| S7 | Perform restore test to verify backup integrity | Q1 2026 |
| O3 | Implement backup monitoring alerts | Q1 2026 |
6. Control Summary
Preventive Controls
| Control | Risks Mitigated |
|---|---|
| AES-256-GCM encryption (per-project) | S1, S5, S7, M1, M2, M3 |
| HKDF-SHA256 key derivation | S5 |
| Blind indexes (HMAC-SHA256) | S1 (prevents deterministic encryption attacks) |
| RBAC at data layer | S1, S4, M1, M3 |
| JWT with 1-hour expiry | S1, S3 |
| MFA for IB users | S3 |
| Rate limiting | S2, S6 |
| DKIM verification | S8 |
| UFW default deny | S2, S6 |
| AppArmor enforcement | S2 |
| Automatic security updates | S2 |
Detective Controls
| Control | Risks Addressed |
|---|---|
| HTTP access logging | S1, S2, S6 |
| Audit logging | S1, S4, M1, M2 |
| Rate limiting alerts | S3, S6 |
| Anomaly detection | S1, S3 |
Corrective Controls
| Control | Risks Addressed |
|---|---|
| Daily backups | A3, S7 |
| Off-site backups | A4, S7 |
| Incident response plan | S1-S8, C3 |
| Disaster recovery plan | A1-A4 |
7. Accepted Residual Risk
The following residual risks are formally accepted:
| Risk | Level | Rationale |
|---|---|---|
| O1 - Key person dependency | Medium | Mitigated by documentation; acceptable for current scale |
| S4 - Insider threat | Low | Single operator with strong controls |
| S5 - Key compromise | Low | Multiple layers of protection |
| A4 - Provider failure | Low | Off-site backups with separate key storage |
Accepted by: Johan Jongsma
Date: February 28, 2026
8. Risk Monitoring
Ongoing Monitoring
| Category | Method | Frequency |
|---|---|---|
| Security | Log review, rate limit alerts | Daily |
| Availability | Health checks | Continuous |
| Backups | Verification | Monthly |
| Compliance | Policy review | Quarterly |
Risk Review Triggers
Re-assess risks when:
- New features or systems added
- Security incident occurs
- Regulatory changes
- Significant infrastructure changes
- Annually (minimum)