201 lines
6.4 KiB
Markdown
201 lines
6.4 KiB
Markdown
# Risk Assessment
|
|
|
|
**Version:** 1.0
|
|
**Assessment Date:** January 2026
|
|
**Assessor:** Johan Jongsma
|
|
**Next Review:** January 2027
|
|
|
|
---
|
|
|
|
## 1. Purpose
|
|
|
|
Identify, assess, and document risks to inou systems and data, and the controls in place to mitigate them.
|
|
|
|
---
|
|
|
|
## 2. Scope
|
|
|
|
- inou production and staging systems
|
|
- User health data (medical imaging, labs, genome)
|
|
- Supporting infrastructure and processes
|
|
|
|
---
|
|
|
|
## 3. Risk Assessment Methodology
|
|
|
|
### Likelihood Scale
|
|
|
|
| Rating | Description | Frequency |
|
|
|--------|-------------|-----------|
|
|
| 1 - Rare | Unlikely to occur | < 1% annually |
|
|
| 2 - Unlikely | Could occur | 1-10% annually |
|
|
| 3 - Possible | Might occur | 10-50% annually |
|
|
| 4 - Likely | Will probably occur | 50-90% annually |
|
|
| 5 - Almost Certain | Expected to occur | > 90% annually |
|
|
|
|
### Impact Scale
|
|
|
|
| Rating | Description | Effect |
|
|
|--------|-------------|--------|
|
|
| 1 - Negligible | Minimal impact | Minor inconvenience |
|
|
| 2 - Minor | Limited impact | Some users affected, quick recovery |
|
|
| 3 - Moderate | Significant impact | Service degraded, data at risk |
|
|
| 4 - Major | Serious impact | Extended outage, data breach |
|
|
| 5 - Catastrophic | Severe impact | Complete data loss, regulatory action |
|
|
|
|
### Risk Score
|
|
|
|
**Score = Likelihood x Impact** (Range: 1-25)
|
|
|
|
| Score | Level | Response |
|
|
|-------|-------|----------|
|
|
| 1-4 | Low | Accept |
|
|
| 5-9 | Medium | Monitor |
|
|
| 10-16 | High | Mitigate |
|
|
| 17-25 | Critical | Immediate action |
|
|
|
|
---
|
|
|
|
## 4. Risk Register
|
|
|
|
### 4.1 Security Risks
|
|
|
|
| ID | Risk | L | I | Score | Controls | Residual |
|
|
|----|------|---|---|-------|----------|----------|
|
|
| S1 | Unauthorized data access | 2 | 5 | 10 | RBAC, encryption, token auth, audit logging | Low |
|
|
| S2 | Application vulnerability exploited | 2 | 5 | 10 | Parameterized queries, input validation, tarpit | Low |
|
|
| S3 | Credential theft/phishing | 2 | 4 | 8 | Passwordless auth, short token expiry | Low |
|
|
| S4 | Insider threat | 1 | 5 | 5 | Single operator, automated db access controls | Low |
|
|
| S5 | Master key compromise | 1 | 5 | 5 | FDE, file permissions, network isolation, key in Proton Pass | Low |
|
|
| S6 | DDoS attack | 3 | 3 | 9 | Rate limiting, tarpit, UFW, Starlink failover | Low |
|
|
| S7 | Ransomware | 2 | 5 | 10 | FDE, off-site backups, network isolation | Low |
|
|
| S8 | Supply chain attack | 2 | 4 | 8 | Minimal dependencies, Go standard library, FIPS module | Low |
|
|
|
|
### 4.2 Availability Risks
|
|
|
|
| ID | Risk | L | I | Score | Controls | Residual |
|
|
|----|------|---|---|-------|----------|----------|
|
|
| A1 | Hardware failure | 3 | 3 | 9 | ZFS RAID-Z2, UPS, generator | Low |
|
|
| A2 | Network outage | 2 | 3 | 6 | Fiber + Starlink backup | Low |
|
|
| A3 | Power outage | 2 | 2 | 4 | UPS + natural gas generator (11s failover) | Low |
|
|
| A4 | Database corruption | 2 | 4 | 8 | Daily snapshots, off-site backups, integrity checks | Low |
|
|
| A5 | Site disaster | 1 | 5 | 5 | Off-site backups (Google Drive), key in Proton Pass | Low |
|
|
|
|
### 4.3 Compliance Risks
|
|
|
|
| ID | Risk | L | I | Score | Controls | Residual |
|
|
|----|------|---|---|-------|----------|----------|
|
|
| C1 | HIPAA violation | 2 | 5 | 10 | Encryption, access controls, audit logging | Low |
|
|
| C2 | GDPR violation | 2 | 4 | 8 | Consent, deletion rights, export, privacy policy | Low |
|
|
| C3 | Data request not fulfilled | 2 | 3 | 6 | Export functionality, 30-day response commitment | Low |
|
|
| C4 | Breach notification failure | 2 | 4 | 8 | Incident response plan, notification templates | Low |
|
|
|
|
### 4.4 Operational Risks
|
|
|
|
| ID | Risk | L | I | Score | Controls | Residual |
|
|
|----|------|---|---|-------|----------|----------|
|
|
| O1 | Key person dependency | 4 | 4 | 16 | Documentation, automated processes | Medium |
|
|
| O2 | Configuration error | 2 | 3 | 6 | Staging environment, automated tests, check-db | Low |
|
|
| O3 | Backup failure undetected | 2 | 4 | 8 | Monthly verification, monitoring planned | Low |
|
|
| O4 | Loss of encryption key | 1 | 5 | 5 | Key in Proton Pass, separate from data backups | Low |
|
|
|
|
---
|
|
|
|
## 5. Risk Treatment Plan
|
|
|
|
### High Priority
|
|
|
|
| Risk ID | Risk | Score | Treatment | Status |
|
|
|---------|------|-------|-----------|--------|
|
|
| O1 | Key person dependency | 16 | Document all procedures, automate where possible | In progress |
|
|
|
|
### Medium Priority (Monitoring)
|
|
|
|
| Risk ID | Treatment | Timeline |
|
|
|---------|-----------|----------|
|
|
| S1 | Continue audit logging implementation | Q1 2026 |
|
|
| S7 | Perform restore test to verify backup integrity | Q1 2026 |
|
|
| O3 | Implement backup monitoring alerts | Q1 2026 |
|
|
|
|
---
|
|
|
|
## 6. Control Summary
|
|
|
|
### Preventive Controls
|
|
|
|
| Control | Risks Mitigated |
|
|
|---------|-----------------|
|
|
| AES-256-GCM encryption | S1, S5, S7, C1 |
|
|
| Full disk encryption | S1, S4, S5, S7 |
|
|
| RBAC at data layer | S1, S4, C1 |
|
|
| Parameterized SQL queries | S2 |
|
|
| Token expiration (4 hours) | S1, S3 |
|
|
| Passwordless authentication | S3 |
|
|
| Network isolation (VLAN 10) | S1, S5, S7 |
|
|
| Tarpit for attack patterns | S2, S6 |
|
|
| UFW default deny | S2, S6 |
|
|
| AppArmor enforcement | S2 |
|
|
| Automatic security updates | S2, S8 |
|
|
| make check-db enforcement | S2, S4, O2 |
|
|
|
|
### Detective Controls
|
|
|
|
| Control | Risks Addressed |
|
|
|---------|-----------------|
|
|
| HTTP access logging | S1, S2, S6 |
|
|
| 404 monitoring alerts | S2 |
|
|
| Fail2ban | S3, S6 |
|
|
| Rate limiting | S3, S6 |
|
|
| Audit logging | S1, S4, C1 |
|
|
|
|
### Corrective Controls
|
|
|
|
| Control | Risks Addressed |
|
|
|---------|-----------------|
|
|
| ZFS snapshots (daily) | A4, S7 |
|
|
| Off-site backups (Google Drive) | A5, S7 |
|
|
| Incident response plan | S1-S8, C4 |
|
|
| Disaster recovery plan | A1-A5 |
|
|
|
|
---
|
|
|
|
## 7. Accepted Residual Risk
|
|
|
|
The following residual risks are formally accepted:
|
|
|
|
| Risk | Level | Rationale |
|
|
|------|-------|-----------|
|
|
| O1 - Key person dependency | Medium | Mitigated by documentation; acceptable for current scale |
|
|
| S4 - Insider threat | Low | Single operator with strong controls |
|
|
| S5 - Key compromise | Low | Multiple layers of protection |
|
|
| A5 - Site disaster | Low | Off-site backups with separate key storage |
|
|
|
|
**Accepted by:** Johan Jongsma
|
|
**Date:** January 25, 2026
|
|
|
|
---
|
|
|
|
## 8. Risk Monitoring
|
|
|
|
### Ongoing Monitoring
|
|
|
|
| Category | Method | Frequency |
|
|
|----------|--------|-----------|
|
|
| Security | Log review, 404 alerts | Daily |
|
|
| Availability | Service health checks | Continuous |
|
|
| Backups | Verification script | Monthly |
|
|
| Compliance | Policy review | Quarterly |
|
|
|
|
### Risk Review Triggers
|
|
|
|
Re-assess risks when:
|
|
- New features or systems added
|
|
- Security incident occurs
|
|
- Regulatory changes
|
|
- Significant infrastructure changes
|
|
- Annually (minimum)
|
|
|
|
---
|
|
|
|
*Document end*
|