# Risk Assessment

**Version:** 1.0

**Assessment Date:** January 2026

**Assessor:** Johan Jongsma

**Next Review:** January 2027

---

## 1. Purpose

Identify, assess, and document risks to inou systems and data, and the controls in place to mitigate them.

---

## 2. Scope

- inou production and staging systems
- User health data (medical imaging, labs, genome)
- Supporting infrastructure and processes

---

## 3. Risk Assessment Methodology

### Likelihood Scale

| Rating | Description | Frequency |
|--------|-------------|-----------|
| 1 - Rare | Unlikely to occur | < 1% annually |
| 2 - Unlikely | Could occur | 1-10% annually |
| 3 - Possible | Might occur | 10-50% annually |
| 4 - Likely | Will probably occur | 50-90% annually |
| 5 - Almost Certain | Expected to occur | > 90% annually |

### Impact Scale

| Rating | Description | Effect |
|--------|-------------|--------|
| 1 - Negligible | Minimal impact | Minor inconvenience |
| 2 - Minor | Limited impact | Some users affected, quick recovery |
| 3 - Moderate | Significant impact | Service degraded, data at risk |
| 4 - Major | Serious impact | Extended outage, data breach |
| 5 - Catastrophic | Severe impact | Complete data loss, regulatory action |

### Risk Score

**Score = Likelihood × Impact** (Range: 1-25)

| Score | Level | Response |
|-------|-------|----------|
| 1-4 | Low | Accept |
| 5-9 | Medium | Monitor |
| 10-16 | High | Mitigate |
| 17-25 | Critical | Immediate action |

---

## 4. Risk Register

### 4.1 Security Risks

| ID | Risk | L | I | Score | Controls | Residual |
|----|------|---|---|-------|----------|----------|
| S1 | Unauthorized data access | 2 | 5 | 10 | RBAC, encryption, token auth, audit logging | Low |
| S2 | Application vulnerability exploited | 2 | 5 | 10 | Parameterized queries, input validation, tarpit | Low |
| S3 | Credential theft/phishing | 2 | 4 | 8 | Passwordless auth, short token expiry | Low |
| S4 | Insider threat | 1 | 5 | 5 | Single operator, automated db access controls | Low |
| S5 | Master key compromise | 1 | 5 | 5 | FDE, file permissions, network isolation, key in Proton Pass | Low |
| S6 | DDoS attack | 3 | 3 | 9 | Rate limiting, tarpit, UFW, Starlink failover | Low |
| S7 | Ransomware | 2 | 5 | 10 | FDE, off-site backups, network isolation | Low |
| S8 | Supply chain attack | 2 | 4 | 8 | Minimal dependencies, Go standard library, FIPS module | Low |

### 4.2 Availability Risks

| ID | Risk | L | I | Score | Controls | Residual |
|----|------|---|---|-------|----------|----------|
| A1 | Hardware failure | 3 | 3 | 9 | ZFS RAID-Z2, UPS, generator | Low |
| A2 | Network outage | 2 | 3 | 6 | Fiber + Starlink backup | Low |
| A3 | Power outage | 2 | 2 | 4 | UPS + natural gas generator (11s failover) | Low |
| A4 | Database corruption | 2 | 4 | 8 | Daily snapshots, off-site backups, integrity checks | Low |
| A5 | Site disaster | 1 | 5 | 5 | Off-site backups (Google Drive), key in Proton Pass | Low |

### 4.3 Compliance Risks

| ID | Risk | L | I | Score | Controls | Residual |
|----|------|---|---|-------|----------|----------|
| C1 | HIPAA violation | 2 | 5 | 10 | Encryption, access controls, audit logging | Low |
| C2 | GDPR violation | 2 | 4 | 8 | Consent, deletion rights, export, privacy policy | Low |
| C3 | Data request not fulfilled | 2 | 3 | 6 | Export functionality, 30-day response commitment | Low |
| C4 | Breach notification failure | 2 | 4 | 8 | Incident response plan, notification templates | Low |

### 4.4 Operational Risks

| ID | Risk | L | I | Score | Controls | Residual |
|----|------|---|---|-------|----------|----------|
| O1 | Key person dependency | 4 | 4 | 16 | Documentation, automated processes | Medium |
| O2 | Configuration error | 2 | 3 | 6 | Staging environment, automated tests, check-db | Low |
| O3 | Backup failure undetected | 2 | 4 | 8 | Monthly verification, monitoring planned | Low |
| O4 | Loss of encryption key | 1 | 5 | 5 | Key in Proton Pass, separate from data backups | Low |

---

## 5. Risk Treatment Plan

### High Priority

| Risk ID | Risk | Score | Treatment | Status |
|---------|------|-------|-----------|--------|
| O1 | Key person dependency | 16 | Document all procedures, automate where possible | In progress |

### Medium Priority (Monitoring)

| Risk ID | Treatment | Timeline |
|---------|-----------|----------|
| S1 | Continue audit logging implementation | Q1 2026 |
| S7 | Perform restore test to verify backup integrity | Q1 2026 |
| O3 | Implement backup monitoring alerts | Q1 2026 |

---

## 6. Control Summary

### Preventive Controls

| Control | Risks Mitigated |
|---------|-----------------|
| AES-256-GCM encryption | S1, S5, S7, C1 |
| Full disk encryption | S1, S4, S5, S7 |
| RBAC at data layer | S1, S4, C1 |
| Parameterized SQL queries | S2 |
| Token expiration (4 hours) | S1, S3 |
| Passwordless authentication | S3 |
| Network isolation (VLAN 10) | S1, S5, S7 |
| Tarpit for attack patterns | S2, S6 |
| UFW default deny | S2, S6 |
| AppArmor enforcement | S2 |
| Automatic security updates | S2, S8 |
| make check-db enforcement | S2, S4, O2 |

### Detective Controls

| Control | Risks Addressed |
|---------|-----------------|
| HTTP access logging | S1, S2, S6 |
| 404 monitoring alerts | S2 |
| Fail2ban | S3, S6 |
| Rate limiting | S3, S6 |
| Audit logging | S1, S4, C1 |

### Corrective Controls

| Control | Risks Addressed |
|---------|-----------------|
| ZFS snapshots (daily) | A4, S7 |
| Off-site backups (Google Drive) | A5, S7 |
| Incident response plan | S1-S8, C4 |
| Disaster recovery plan | A1-A5 |

---

## 7. Accepted Residual Risk

The following residual risks are formally accepted:

| Risk | Level | Rationale |
|------|-------|-----------|
| O1 - Key person dependency | Medium | Mitigated by documentation; acceptable for current scale |
| S4 - Insider threat | Low | Single operator with strong controls |
| S5 - Key compromise | Low | Multiple layers of protection |
| A5 - Site disaster | Low | Off-site backups with separate key storage |

**Accepted by:** Johan Jongsma

**Date:** January 25, 2026

---

## 8. Risk Monitoring

### Ongoing Monitoring

| Category | Method | Frequency |
|----------|--------|-----------|
| Security | Log review, 404 alerts | Daily |
| Availability | Service health checks | Continuous |
| Backups | Verification script | Monthly |
| Compliance | Policy review | Quarterly |

### Risk Review Triggers

Re-assess risks when:

- New features or systems added
- Security incident occurs
- Regulatory changes
- Significant infrastructure changes
- Annually (minimum)

---

*Document end*