RISK-0015
Risk summary
- Likelihood
- 4
- Impact
- 5
- Score
- 20
- Level
- Critical
- 01
Asset
Cloud services, cloud-hosted data, cloud identities, security configurations, provider contracts, shared responsibility records, cloud logs, backups, and exit plans.
Business object or system that needs protection. - 02
Threat
Cloud misconfiguration, provider incident, unauthorized support access, data residency violation, unmanaged shadow cloud use, loss of logs or backups, service lock-in, or failed migration/exit.
Event, actor, or condition that can create harm. - 03
Vulnerability
Cloud services are adopted without approved acquisition criteria, cloud register entries, shared responsibility decisions, security configuration evidence, provider monitoring, data location review, incident notification, or exit planning.
Weakness that makes the threat relevant. - 04
Risk
Because cloud services are not governed from acquisition through use, monitoring, change, and exit, the organization may misunderstand shared responsibility, misconfigure security controls, lose data location visibility, or fail to exit safely.
Scenario evaluated with likelihood, impact, and ownership. - 05
Treatment
Mitigate through cloud acquisition and approval processes, cloud service register, shared responsibility matrix, required security configuration, data/support location review, provider assurance review, incident notification routing, monitoring, and exit planning.
Decision path for reducing, accepting, transferring, or avoiding risk.
Controls that treat the risk
Evidence that proves operation
Assessment Rationale
Likelihood
The likelihood is high because cloud services are easy to acquire and configure, while responsibility boundaries, optional security features, provider terms, and exit paths are often misunderstood.
Impact
The impact is critical because cloud governance failure can expose sensitive data, break continuity assumptions, weaken incident response, create regulatory issues, and make provider exit operationally disruptive.
Residual Risk
After treatment, residual risk is estimated as medium when cloud services are approved, configured, monitored, reviewed, and exit-tested according to risk and criticality.
Review Notes
Review after new cloud adoption, major configuration changes, provider term changes, region/support location changes, provider incidents, assurance report findings, renewal, and planned exit.
Software Object Mapping
- risk
- cloud_service
- supplier
- control
- evidence
- exit_plan
- Iso27005
- Risk
- Iso27001
- Cloud security
- Supplier security
Note Metadata
Aliases: RISK-0015
Source: 05-Risk-Knowledge-Base/RISK-0015-Cloud-Governance-and-Exit-Failure.md