RISK-0007
Risk summary
- Likelihood
- 4
- Impact
- 4
- Score
- 16
- Level
- High
- 01
Asset
Sensitive information, production systems, repositories, business applications, privileged administration paths, and restricted physical areas.
Business object or system that needs protection. - 02
Threat
Unauthorized access, insider misuse, compromised user account abuse, accidental disclosure, or uncontrolled physical/logical access.
Event, actor, or condition that can create harm. - 03
Vulnerability
Access is granted without role-based rules, business need, asset-owner approval, least privilege, review cadence, or exception handling.
Weakness that makes the threat relevant. - 04
Risk
Because access rules are not clearly defined, approved, and reviewed, users may have more access than their role requires across sensitive systems, data, repositories, or locations.
Scenario evaluated with likelihood, impact, and ownership. - 05
Treatment
Mitigate through access-control rules, role/access matrices, least privilege, owner approval, periodic access reviews, privileged-access review, and exception tracking.
Decision path for reducing, accepting, transferring, or avoiding risk.
Controls that treat the risk
Evidence that proves operation
Assessment Rationale
Likelihood
The likelihood is high because access naturally accumulates when roles, systems, projects, and suppliers change. Without defined access rules, excessive access becomes the default state.
Impact
The impact is high because excessive access expands breach impact, weakens segregation of duties, increases insider-risk exposure, and creates audit findings across ISO 27001, SOC 2, and NIS2-aligned programs.
Residual Risk
After treatment, residual risk is estimated as medium when access rules are mapped to assets, reviews produce corrections, and privileged access is tested separately.
Review Notes
Review after major system changes, role/profile changes, supplier onboarding, access review findings, and access-related incidents.
Software Object Mapping
- risk
- access
- control
- evidence
- Iso27005
- Risk
- Iso27001
- Access control
Note Metadata
Aliases: RISK-0007
Source: 05-Risk-Knowledge-Base/RISK-0007-Excessive-Access-to-Sensitive-Assets.md