Risk Register Seed List

Source basis

Ported from reference/Risk Register.md in the legacy ISMS backup. Use this as the current maintained Markdown version and track operational records in core12-isms-management.

Guidelines when completing a Data Protection Assessment

  • Unintentional data disclosure

  • Lack of security awareness training

  • Failure to follow security procedure

  • Unpatched OS / Software

  • Missing or incorrect configuration

  • Weak or reused passwords

  • Lack of endpoint protection

  • Insufficient Backup / Recovery plan

  • Insufficient Access Control Review processes

  • Insufficient review of vendor contracts or SLAs

  • Misunderstanding of classification levels

  • Excessive data collection or retention

  • Unclassified or misclassified information

  • Inadequate protection of PII or confidential data

  • Inadequate onboarding/offboarding processes

  • No documented procedures for key processes

  • No change management or approval process

🧑 Human / Personnel

  • Lack of security awareness training

  • Failure to follow security procedures

  • Weak or reused passwords

  • Misdelivery of emails or documents

  • Inadequate onboarding/offboarding processes

  • Social engineering susceptibility

  • Unintentional data disclosure

  • Access granted beyond need-to-know

  • Personal accounts used for Core 12 or client collaboration without approval or review

๐Ÿ› ๏ธ Technical / IT Systemsโ€‹

  • Unpatched OS / Software

  • Unsupported legacy systems

  • Default or hardcoded passwords

  • Legacy shared password spreadsheets remain in use after password-manager migration

  • Lack of endpoint protection

  • Insecure APIs or web apps

  • Lack of input validation (e.g., XSS, SQLi)

  • Poor logging or audit trails

  • Missing encryption (at rest or in transit)

  • Misconfigured cloud storage (e.g., open buckets)

🧾 Process / Policy / Governance

  • Missing or outdated policies

  • No documented procedures for key processes

  • No change management or approval process

  • Lack of documented roles/responsibilities

  • Inconsistent data classification or handling

  • Inadequate backup or disaster recovery testing

  • Lack of segregation of duties

  • Shared credential owner, group assignment, or rotation responsibility is not documented

  • No formal risk assessment process

  • Insufficient review of vendor contracts or SLAs

๐ŸŒ Network / Infrastructureโ€‹

  • Open Wi-Fi without VPN enforcement

  • Unsecured ports or services

  • Flat network with no segmentation

  • Lack of firewall rules or reviews

  • No intrusion detection or monitoring

  • Public IP exposure without proper hardening

🧳 Physical / Environmental

  • Unlocked cabinets or server rooms

  • No CCTV in secure areas

  • No badge or access control system

  • Visitor access not logged or monitored

  • Shared workspaces without clean desk enforcement

  • No facility-specific emergency plans

โ˜๏ธ Cloud / SaaS / Vendorโ€‹

  • No review of cloud provider security posture

  • No defined ownership of cloud configurations

  • Lack of visibility into subcontractor use

  • Insecure file sharing or storage settings

  • Overreliance on one cloud region/provider

  • SaaS tools enabled without IT oversight

  • Shadow IT (tools used without approval)

  • Google, Apple, or client SaaS accounts created outside the approved primary identity account model

AI / Automation

  • Unapproved AI tools used with client or Core 12 Confidential information

  • Sensitive information disclosed through prompts, uploaded files, transcripts, embeddings, or tool context

  • AI-generated code merged without human review, testing, or security checks

  • AI agents granted excessive access to repositories, files, browsers, shells, APIs, or production systems

  • AI output used as factual, legal, security, or compliance evidence without verification

  • Prompt injection or malicious tool output causing unsafe downstream action

  • Unclear AI vendor data retention, model training, deletion, or subcontractor terms

  • Client data used for model training or fine-tuning without written authorization

  • Personal or reimbursed AI accounts connected to Core 12 services without inventory, access review, or offboarding controls

  • Core 12 or client work products duplicated, synchronized, or retained in personal AI workspaces

  • AI tools used to work on concepts, systems, repositories, or projects outside the user's role without senior management approval

🔄 Data Handling / Retention

  • No retention schedule or enforcement

  • Insecure disposal of physical/digital media

  • Unclassified or misclassified information

  • Excessive data collection or retention

  • Inadequate protection of PII or confidential data

  • No DLP (Data Loss Prevention) controls