RISK-0004
Risk summary
- Likelihood
- 3
- Impact
- 5
- Score
- 15
- Level
- High
- 01
Asset
Production systems, identity infrastructure, endpoint fleet, cloud accounts, and response decision records.
Business object or system that needs protection. - 02
Threat
Active attacker activity after initial compromise, including privilege escalation, lateral movement, data access, or destructive action.
Event, actor, or condition that can create harm. - 03
Vulnerability
Response procedures are too generic, response decisions are made in informal chat, action ownership is unclear, and legal/privacy/evidence decisions are delayed.
Weakness that makes the threat relevant. - 04
Risk
Because confirmed incidents are handled without a documented response record and authority model, containment may be delayed or inconsistent across teams, allowing compromise to spread.
Scenario evaluated with likelihood, impact, and ownership. - 05
Treatment
Mitigate through documented response procedures, incident action logs, ownership of containment and recovery, communication decisions, evidence decisions, and management approval for high-impact actions.
Decision path for reducing, accepting, transferring, or avoiding risk.
Controls that treat the risk
Evidence that proves operation
Assessment Rationale
Likelihood
The likelihood is medium because confirmed incidents require multiple teams to act under time pressure. Without a response record and authority model, action quality depends on who happens to be available.
Impact
The impact is critical because containment delay can increase affected systems, data exposure, recovery time, evidence loss, and stakeholder impact.
Residual Risk
After treatment, residual risk is estimated as medium if response records show timely containment, assigned owners, evidence decisions, and recovery validation.
Review Notes
Review after every confirmed incident and after tabletop exercises that expose response coordination gaps.
Software Object Mapping
- risk
- incident_response
- control
- evidence
- Iso27005
- Risk
- Iso27001
- Incident management
Note Metadata
Aliases: RISK-0004
Source: 05-Risk-Knowledge-Base/RISK-0004-Uncoordinated-Incident-Response.md