Risk # | Risk Name | Description/Risk Outcome | Annex A Controls | Likelihood | Impact Level | Severity | Mitigation/Treatment | Post-Treatment Likelihood | Post-Treatment SeverityPost-Treatment Assessment |
|---|
1 | Client Data Breach | A data breach may occur in one of our client’s software environments which may result in exposure of critical information. | | | | | | | |
2 | Staff Breach | A staff member may expose critical data from a client’s software environment which could then be published. | | | | | | | |
3 | Hardware Loss | We may experience the failure of our hardware (primarily work laptops) which could result in loss of critical information to perform our duties. | | | | | Information Continuity | | |
4 | Software Failures | Software we use might fail; this could include either Salesforce or other key services. | | | | | | | |
5 | Employee Fraud | An employee might defraud Vertic but stealing critical information. | | | | | | | |
6 | Employee Injury | An employee might get injured whilst performing their duties for Vertic. | | | | | | | |
7 | Natural Disaster | A natural disaster might strike impacting our geographic area. | | | | | | | |
8 | Software Development Standard Breach | An employee or contractor might breach our development standards. | | | | | | | |
9 | Physical Security Breach | An employee or contractor might breach physical security policies, such as leaving laptops unattended. | | | | | | | |
10 | Contractural Relations Breach | A supplier might breach their contractural obligations with Vertic. | | | | | | | |
11 | Damage caused by Third Party | A third party, such as visitors, might cause physical or virtual damage to critical Vertic assets. | | | | | | | |
12 | Malicious Code | An employee or contractor might deliberately produce malicious code. | | | | | | | |
13 | Equipment Theft | An employee might defraud Vertic but stealing critical hardware infrastructure or laptops. | | | | | | | |
14 | Sensitive Data Threat | Sensitive data might be under threat outside of Vertic’s control. | | | | | | | |
15 | Security Information System Failure | Our VQMS processes might fail resulting in critical data exposure and/or loss. | A.5.1.1 A.5.1.2 A.6.1.1 A.6.1.2 A.6.1.5 A.7.2.1
| | | | | | |
16 | Production Data Loss | Whilst performing our duties, we might experience production data loss. | A.8.2.1 A.8.2.2 A.8.3.2 A.8.3.3
| | | | | | We will not undertake production data migration as the information risk is too large for us to accept. |