RISK-0006
Risk summary
- Likelihood
- 3
- Impact
- 5
- Score
- 15
- Level
- High
- 01
Asset
Incident evidence, logs, forensic images, screenshots, statements, access records, and chain-of-custody records.
Business object or system that needs protection. - 02
Threat
Evidence contamination, overwriting, unauthorized access, missing metadata, legal challenge, or audit rejection.
Event, actor, or condition that can create harm. - 03
Vulnerability
No evidence collection trigger, no chain-of-custody record, broad evidence storage access, missing integrity checks, and responders modifying systems before evidence is preserved.
Weakness that makes the threat relevant. - 04
Risk
Because incident evidence is collected or stored without integrity controls, investigation, legal, regulatory, disciplinary, or audit conclusions may not be defensible.
Scenario evaluated with likelihood, impact, and ownership. - 05
Treatment
Mitigate through evidence collection procedures, chain-of-custody logging, restricted evidence storage, integrity checks, retention rules, and early evidence decisions during response.
Decision path for reducing, accepting, transferring, or avoiding risk.
Controls that treat the risk
Evidence that proves operation
Assessment Rationale
Likelihood
The likelihood is medium because incident responders are under pressure to restore service. Without a disciplined collection process, evidence preservation is often treated as secondary.
Impact
The impact is high because weak evidence can block root-cause analysis, weaken legal or disciplinary action, reduce insurance or regulatory defensibility, and create audit findings.
Residual Risk
After treatment, residual risk is estimated as medium if evidence records show integrity checks, custody transfers, access restrictions, and retention decisions.
Review Notes
Review after investigations, legal holds, audit findings, and changes to logging, storage, or incident response tooling.
Software Object Mapping
- risk
- evidence
- chain_of_custody
- control
- Iso27005
- Risk
- Iso27001
- Incident management
- Evidence
Note Metadata
Aliases: RISK-0006
Source: 05-Risk-Knowledge-Base/RISK-0006-Evidence-Integrity-Loss.md