---
name: compliance-risk-registry-it
description: Maintain IT compliance risk registries covering regulatory requirements, internal policies, audit findings, and risk treatment plans. Use when building risk registries, mapping controls to compliance requirements, tracking remediation activities, preparing for audits, managing IT risk assessments, or reporting risk posture to leadership. Triggers on phrases like "risk registry", "compliance risk", "IT risk assessment", "risk register", "control mapping", "risk treatment", "audit preparation", "IT governance", "risk reporting", "SOX IT controls".
---

# IT Compliance & Risk Registry

Maintain comprehensive risk registries and control frameworks for IT compliance.

## Workflow

1. Identify applicable compliance frameworks: regulatory (SOX, HIPAA, PCI-DSS, GDPR), industry (NIST, ISO 27001), contractual.
2. Build risk registry: catalog all IT risks with likelihood, impact, risk score, and treatment status.
3. Map controls to risks: existing controls, control effectiveness, control gaps, and ownership.
4. Define risk treatment: accept, mitigate, transfer, or avoid for each risk.
5. Assign risk owners: accountable individuals for each risk and remediation activity.
6. Track remediation: timeline, milestones, budget, dependencies, and completion status.
7. Conduct quarterly risk reviews: reassess risk scores, update treatment plans, report to leadership.
8. Prepare audit evidence: control documentation, testing results, exception reports, remediation proof.
9. Report risk posture: executive dashboard, board reporting, regulatory filings as required.
10. Continuously improve: update risk registry based on new threats, incidents, and regulatory changes.

## Risk Registry Structure

```
IT RISK REGISTRY TEMPLATE
===========================

Risk ID: IT-RISK-001
Risk Title: Inadequate patch management for production servers
Risk Category: Operational Security
Sub-category: Vulnerability Management
Framework Mapping: NIST CS.ID.RA-1, ISO 27001 A.12.6.1, SOC 2 CC6.1

Description:
  Production servers receive security patches with average 45-day delay
  after patch release. Industry benchmark is 14 days for critical patches.
  15% of production servers have known critical vulnerabilities unpatched
  for > 60 days. This exposes systems to known exploits and increases
  likelihood of security breach.

Risk Assessment:

  Inherent Risk (before controls):
    Likelihood: High (4/5) — known exploits actively targeted
    Impact: High (4/5) — potential data breach, system compromise
    Inherent Risk Score: 16/25 (High)

  Residual Risk (after controls):
    Current controls:
      C-001: Automated vulnerability scanning (weekly) — Effective: 70%
      C-002: Emergency patch process (for CVSS 9.0+) — Effective: 60%
      C-003: Network segmentation (limits blast radius) — Effective: 80%
    Residual Likelihood: Medium (3/5)
    Residual Impact: Medium (3/5) — segmentation limits impact
    Residual Risk Score: 9/25 (Medium)

Risk Treatment:
  Treatment: Mitigate
  Owner: Director of Infrastructure
  Treatment Plan:
    1. Implement automated patch deployment (Tenable + Ansible) — Due: 30 days
    2. Reduce patch SLA: Critical (CVSS 9.0+) within 7 days, High (7.0–8.9) within 14 days — Due: 15 days
    3. Add patch compliance to monthly security report — Due: 30 days
    4. Quarterly patch audit with remediation tracking — Due: 60 days
  Budget: $50,000 (tooling) + $20,000 (implementation labor)
  Status: In Progress (40% complete)
  Last Review: 2024-01-15
  Next Review: 2024-04-15

Risk ID: IT-RISK-002
Risk Title: Insufficient data backup coverage
Risk Category: Business Continuity
Sub-category: Data Protection
Framework Mapping: NIST CS.RP.MD-1, ISO 27001 A.12.3.1, SOC 2 A3

Description:
  60% of production databases have automated backups; 40% rely on
  manual backup procedures. Last backup test (restore) was 8 months ago.
  RPO target is 1 hour; actual RPO for some systems is 24+ hours.
  No offsite/cloud backup for on-premises data.

Risk Assessment:
  Inherent Risk: Likelihood Medium (3), Impact Very High (5) = 15/25 (High)
  Residual Risk: Likelihood Medium (3), Impact High (4) = 12/25 (High)

Risk Treatment:
  Treatment: Mitigate
  Owner: Database Administrator Lead
  Treatment Plan:
    1. Implement automated backup for all remaining databases — Due: 45 days
    2. Enable cloud backup (AWS S3/Azure Blob) for all on-prem data — Due: 60 days
    3. Quarterly restore testing for all critical systems — Due: ongoing
    4. Document and test RPO/RTO for all systems — Due: 30 days
  Budget: $30,000 (backup software) + $15,000/year (cloud storage)
  Status: Planned
```

## Risk Scoring Methodology

```
RISK SCORING MATRIX
=====================

Likelihood Scale:

  5 — Almost Certain:    Expected to occur in most circumstances; > 80% probability
  4 — Likely:            More likely than not; 50–80% probability
  3 — Possible:          Could occur at some time; 20–50% probability
  2 — Unlikely:          Might occur; 5–20% probability
  1 — Rare:              Very unlikely but possible; < 5% probability

Impact Scale:

  Financial Impact:
    5 — Catastrophic:    > $1M loss; revenue impact > $5M; existential threat
    4 — Major:           $250K–$1M loss; revenue impact $1M–$5M
    3 — Moderate:        $50K–$250K loss; revenue impact $250K–$1M
    2 — Minor:           $10K–$50K loss; revenue impact $50K–$250K
    1 — Negligible:      < $10K loss; minimal revenue impact

  Operational Impact:
    5 — Business halt:   Core business operations stopped for > 24 hours
    4 — Major disruption: Significant operations impaired for > 8 hours
    3 — Moderate:        Operations degraded but functional; workaround available
    2 — Minor:           Brief disruption; minimal operational impact
    1 — Negligible:      No noticeable operational impact

  Reputational Impact:
    5 — Severe:          National media coverage; regulatory action; customer exodus
    4 — Significant:     Industry media coverage; customer complaints; partner concern
    3 — Moderate:        Customer notifications required; local media coverage
    2 — Minor:           Limited customer awareness; internal concern
    1 — Negligible:      No external awareness

  Compliance Impact:
    5 — Critical:        Regulatory fines > $500K; license revocation; legal action
    4 — Major:           Regulatory fines $100K–$500K; audit findings; enforcement letter
    3 — Moderate:        Minor audit findings; required remediation within set timeline
    2 — Minor:           Observation noted; no formal finding
    1 — Negligible:      No compliance impact

Risk Score Calculation:

  Risk Score = Likelihood × Impact
  Risk Level:
    20–25:  Critical (immediate action required; report to board within 24 hours)
    12–16:  High (action within 30 days; report to executive team)
    6–9:    Medium (action within 90 days; include in quarterly report)
    3–4:    Low (action within 180 days; include in annual review)
    1–2:    Minimal (accept and monitor; review annually)

Risk Treatment Options:

  Mitigate: Implement controls to reduce likelihood and/or impact
    Example: Deploy antivirus, implement patching process, add encryption
    Use when: Cost of mitigation < expected loss from risk

  Transfer: Shift risk to third party (insurance, outsourcing, SLA penalties)
    Example: Cyber insurance ($50K–$500K/year), vendor SLA with credits
    Use when: Third party better positioned to manage the risk

  Accept: Acknowledge risk and accept the potential loss
    Example: Low-probability, low-impact risks; cost of mitigation > risk exposure
    Use when: Risk is within appetite; documented acceptance by risk owner
    Required: Board/executive sign-off for risks > Medium level

  Avoid: Eliminate the activity causing the risk
    Example: Discontinue high-risk service, sell high-risk business unit
    Use when: Risk cannot be mitigated to acceptable level
```
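As an added example (not part of the original template), a Python helper that applies the scoring matrix above to registry entries: it computes inherent and residual scores, maps them to the level bands and action windows, and flags the consistency problems a reviewer looks for (residual above inherent, Accept above Medium without sign-off, and the products 5 and 10 that the bands do not cover). The two sample records are constructed from IT-RISK-001 and IT-RISK-002 above.

```python
from dataclasses import dataclass

# Level bands (lo, hi, name, action window in days) from the scoring matrix.
# The products 5 (1x5) and 10 (2x5) sit between the listed bands, so they are
# returned as "Unbanded" for the risk owner to place instead of being rounded.
BANDS = [(20, 25, "Critical", 0), (12, 16, "High", 30), (6, 9, "Medium", 90),
         (3, 4, "Low", 180), (1, 2, "Minimal", None)]
TREATMENTS = ("Mitigate", "Transfer", "Accept", "Avoid")


@dataclass
class Risk:
    risk_id: str
    likelihood: int            # inherent likelihood, 1-5
    impact: int                # inherent impact, 1-5
    residual_likelihood: int   # after current controls, 1-5
    residual_impact: int
    treatment: str             # one of TREATMENTS
    executive_signoff: bool = False  # documented acceptance above Medium


def score(likelihood: int, impact: int) -> int:
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must each be 1-5")
    return likelihood * impact


def level(s: int) -> str:
    return next((n for lo, hi, n, _ in BANDS if lo <= s <= hi), "Unbanded")


def action_window(s: int):
    """Days allowed for action per band; None when none applies (Minimal, Unbanded)."""
    return next((d for lo, hi, _, d in BANDS if lo <= s <= hi), None)


def assess(risk: Risk) -> dict:
    """Score one registry entry and list the consistency findings for review."""
    inherent = score(risk.likelihood, risk.impact)
    residual = score(risk.residual_likelihood, risk.residual_impact)
    findings = []
    if residual > inherent:
        findings.append("residual exceeds inherent: controls cannot add risk")
    if level(residual) == "Unbanded":
        findings.append(f"residual score {residual} is not covered by any band")
    if risk.treatment not in TREATMENTS:
        findings.append(f"unknown treatment {risk.treatment!r}")
    elif (risk.treatment == "Accept" and level(residual) in ("High", "Critical")
          and not risk.executive_signoff):
        findings.append("Accept above Medium requires board/executive sign-off")
    return {"risk_id": risk.risk_id, "inherent": inherent,
            "inherent_level": level(inherent), "residual": residual,
            "residual_level": level(residual),
            "action_within_days": action_window(residual), "findings": findings}


# Constructed from the two template entries above (IT-RISK-001, IT-RISK-002).
REGISTRY = [Risk("IT-RISK-001", 4, 4, 3, 3, "Mitigate"),
            Risk("IT-RISK-002", 3, 5, 3, 4, "Mitigate")]

if __name__ == "__main__":
    for entry in REGISTRY:
        print(assess(entry))
```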

## Compliance Framework Mapping

```
COMPLIANCE FRAMEWORK CROSS-REFERENCE
======================================

Common IT controls mapped across frameworks:

  Control Area              NIST CS    ISO 27001   SOC 2      PCI-DSS    HIPAA        GDPR
  ────────────────────────  ─────────  ─────────   ─────────  ─────────  ───────────  ──────
  Access Control            ID.AM      A.9         CC6.1      Req 7      164.312(a)   Art 32
  Encryption                PR.DS      A.10        CC6.4      Req 3, 4   164.312(e)   Art 32
  Incident Response         RS.RP      A.16        CC7.2      Req 12     164.308      Art 33
  Vulnerability Mgmt        PR.IP      A.12.6      CC6.1      Req 6      164.308      Art 32
  Backup & Recovery         PR.IP      A.12.3      A3         Req 12     164.310      Art 32
  Logging & Monitoring      DE.CM      A.12.4      CC7.2      Req 10     164.312(b)   Art 30
  Security Awareness        PR.AT      A.7         CC6.1      Req 9      164.308      Art 32
  Business Continuity       PR.IP      A.17        A3         Req 12     164.310      Art 32
  Vendor Risk               ID.GV      A.15        CC6.2      Req 7.1    164.308      Art 28
  Change Management         PR.IP      A.12.1      CC6.1      Req 6      164.308      Art 32

Compliance-specific requirements:

  SOX (Sarbanes-Oxley) — IT General Controls (ITGC):
    1. Access to financial systems:
       - Segregation of duties (SoD)
       - User access provisioning/deprovisioning
       - Quarterly access review and certification
       - Privileged access management (PAM)
       - Audit trail for all financial data access

    2. Change management:
       - All changes to financial systems documented and approved
       - Segregation: developers cannot deploy to production
       - Testing evidence retained for 7 years
       - Emergency change process with post-facto approval

    3. System operations:
       - Job schedules monitored and exception reported
       - Incident management for financial systems
       - Backup and recovery testing documented
       - Data integrity controls

    4. IT oversight:
       - IT risk assessment documented annually
       - Management review of IT controls
       - Monitoring and remediation of control deficiencies
       - Audit committee reporting

  PCI-DSS (Payment Card Industry) — Requirements Summary:
    Req 1: Install and maintain network security controls (firewalls)
    Req 2: Apply secure configurations to all systems
    Req 3: Protect stored cardholder data (encryption, truncation)
    Req 4: Encrypt transmission of cardholder data across networks
    Req 5: Protect against malware (antivirus, host-based firewall)
    Req 6: Develop and maintain secure systems (patching, secure coding)
    Req 7: Restrict access to cardholder data by business need to know
    Req 8: Identify and authenticate access (unique IDs, MFA)
    Req 9: Restrict physical access to cardholder data
    Req 10: Log and monitor all access (audit trails, log retention 1 year)
    Req 11: Test security regularly (vulnerability scans, pen testing)
    Req 12: Maintain information security policy (policies, training, risk assessment)

    Merchant Levels:
      Level 1: > 6M transactions/year — on-site audit + quarterly ASV scan
      Level 2: 200K–6M transactions/year — SAQ + annual ASV scan
      Level 3: 20K–200K e-commerce — SAQ + annual ASV scan
      Level 4: < 20K e-commerce — SAQ only
```

## Risk Reporting

```
RISK REPORTING DASHBOARDS
===========================

Executive Risk Dashboard (Monthly):

  Portfolio Summary:
    Total risks:              [X] (Critical: [Y], High: [Z], Medium: [W], Low: [V])
    Risks on track:           [X]% (target: > 80%)
    Risks overdue:            [X] (Critical: [Y], High: [Z])
    Total remediation budget: $[X]M allocated, $[Y]M spent
    Risk exposure trend:      ↑ / ↓ / → (vs. last quarter)

  Top 10 Risks by Score:

    Rank   Risk Title                  Score   Status       Owner         Due Date   Progress
    ─────  ──────────────────────────  ──────  ───────────  ────────────  ─────────  ────────
    1      Unpatched critical vulns    16/25   🟡 Active    J. Smith      02/28/24   40%
    2      Insufficient backup         12/25   🔴 Overdue   M. Jones      01/15/24   20%
    3      Weak MFA coverage           12/25   🟢 Active    K. Lee        03/30/24   70%
    4      DDoS vulnerability          12/25   🟡 Active    R. Garcia     04/15/24   30%
    5      Data residency gap          9/25    🟢 Active    S. Patel      05/31/24   50%
    6      Legacy system EOL           9/25    🟡 Planned   T. Brown      06/30/24   10%
    7      Insider threat detection    9/25    🟢 Active    L. Wilson     03/15/24   60%
    8      Cloud misconfiguration      8/25    🟢 Active    A. Davis      02/15/24   80%
    9      Third-party risk            8/25    🟡 Active    N. Martinez   04/30/24   35%
    10     Disaster recovery gap       8/25    🔴 Overdue   D. Taylor     01/01/24   15%

  Risk Heatmap (Likelihood × Impact; each cell shows the band and score):

                            Impact
                     5      4      3      2      1
    Likelihood  5   [C 25] [C 20] [H 15] [? 10] [?  5]
                4   [C 20] [H 16] [H 12] [M  8] [L  4]
                3   [H 15] [H 12] [M  9] [M  6] [L  3]
                2   [? 10] [M  8] [M  6] [L  4] [m  2]
                1   [?  5] [L  4] [L  3] [m  2] [m  1]

    C = Critical (20–25)   H = High (12–16)   M = Medium (6–9)
    L = Low (3–4)          m = Minimal (1–2)
    ? = scores 5 and 10 fall between the bands above; the risk owner assigns
        the level, and the risk appetite statement should say which band applies

Board Risk Report (Quarterly):

  1. Risk landscape overview (1 page)
     - Total risk count and distribution
     - Risk trend analysis (quarter-over-quarter)
     - Top 5 risks with status

  2. Compliance status (1 page)
     - Frameworks: SOC 2, ISO 27001, PCI-DSS, SOX, HIPAA, GDPR
     - Compliance score per framework (%)
     - Audit findings (open and closed)
     - Upcoming audits and preparation status

  3. Incident summary (1 page)
     - Security incidents: count, severity, resolution
     - Operational incidents: count, impact, resolution
     - Lessons learned and control improvements

  4. Investment summary (1 page)
     - Security/compliance budget: $[X]M
     - Remediation spending: $[Y]M
     - Planned investments: $[Z]M (next quarter)
     - ROI on security investments (incidents prevented × average cost)
```
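As an added example (not from the original template), the Portfolio Summary and Top 10 figures computed from registry records instead of typed by hand: counts per level, on-track percentage against the > 80% target, overdue breakdown, and the ranked table with status derived from the due date. The records are constructed from the table above, the report date is assumed, and "on track" is taken to mean not overdue.

```python
from collections import Counter
from datetime import date

BANDS = ((20, 25, "Critical"), (12, 16, "High"), (6, 9, "Medium"),
         (3, 4, "Low"), (1, 2, "Minimal"))
ON_TRACK_TARGET_PCT = 80          # dashboard target: "> 80%"
REPORT_DATE = date(2024, 2, 1)    # assumed "as of" date for the sample report


def level(score: int) -> str:
    """Map a Likelihood x Impact product (out of 25) to its level band."""
    return next((n for lo, hi, n in BANDS if lo <= score <= hi), "Unbanded")


def is_overdue(risk: dict, today: date) -> bool:
    # Assumption: overdue = due date has passed and the plan is not complete.
    return risk["due"] < today and risk["progress"] < 100


def portfolio_summary(risks: list, today: date) -> dict:
    """Portfolio Summary figures: counts per level, on-track percentage
    (not overdue, per the assumption above) against the > 80% target, and
    the overdue count broken down by level."""
    overdue = [r for r in risks if is_overdue(r, today)]
    on_track_pct = round(100 * (len(risks) - len(overdue)) / len(risks)) if risks else 0
    return {"total": len(risks),
            "by_level": dict(Counter(level(r["score"]) for r in risks)),
            "on_track_pct": on_track_pct,
            "meets_target": on_track_pct > ON_TRACK_TARGET_PCT,
            "overdue": len(overdue),
            "overdue_by_level": dict(Counter(level(r["score"]) for r in overdue))}


def top_risks(risks: list, today: date, n: int = 10) -> list:
    """Rows for the Top-N table: highest score first, earliest due date breaks
    ties, and the status is derived from the due date rather than copied from
    the record so a stale 'Active' cannot hide an overdue plan."""
    ranked = sorted(risks, key=lambda r: (-r["score"], r["due"]))[:n]
    return [(rank, r["title"], r["score"],
             "Overdue" if is_overdue(r, today) else r["status"],
             r["due"].isoformat(), r["progress"])
            for rank, r in enumerate(ranked, start=1)]


# Constructed sample mirroring the Top 10 table above (MM/DD/YY dates as ISO).
RISKS = [dict(title=t, score=s, status=st, due=date(*d), progress=p) for t, s, st, d, p in [
    ("Unpatched critical vulns", 16, "Active", (2024, 2, 28), 40),
    ("Insufficient backup", 12, "Active", (2024, 1, 15), 20),
    ("Weak MFA coverage", 12, "Active", (2024, 3, 30), 70),
    ("DDoS vulnerability", 12, "Active", (2024, 4, 15), 30),
    ("Data residency gap", 9, "Active", (2024, 5, 31), 50),
    ("Legacy system EOL", 9, "Planned", (2024, 6, 30), 10),
    ("Insider threat detection", 9, "Active", (2024, 3, 15), 60),
    ("Cloud misconfiguration", 8, "Active", (2024, 2, 15), 80),
    ("Third-party risk", 8, "Active", (2024, 4, 30), 35),
    ("Disaster recovery gap", 8, "Active", (2024, 1, 1), 15)]]

if __name__ == "__main__":
    print(portfolio_summary(RISKS, REPORT_DATE))
    for row in top_risks(RISKS, REPORT_DATE):
        print(row)
```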

## Integration Points

- **ServiceNow GRC**: Governance, Risk, and Compliance module; risk registry; control assessment; audit management; policy management
- **OneTrust**: Enterprise GRC platform; risk assessment; privacy compliance; vendor risk; policy management
- **Archer (RSA)**: Enterprise GRC; risk assessment; compliance management; audit management; incident management
- **MetricStream**: GRC platform; risk assessment; compliance; audit; policy management
- **Vanta / Drata / Secureframe**: Automated compliance monitoring; evidence collection; control testing; SOC 2, ISO 27001, HIPAA, GDPR
- **Qualys VMDR**: Vulnerability management; compliance scanning; policy compliance; patch management
- **Splunk ES / Microsoft Sentinel**: SIEM with compliance dashboards; regulatory reporting; threat detection
- **Microsoft Purview Compliance Manager**: Compliance score; regulatory guidance; control mapping; assessment
- **AWS Security Hub / Azure Security Center**: Cloud compliance; automated controls; benchmark assessment (CIS, NIST)

## Edge Cases

- **Multi-jurisdictional compliance** (global operations across 20+ countries): Map requirements per country; identify overlapping and conflicting requirements; implement highest common denominator controls; maintain country-specific evidence; coordinate with legal for local regulatory changes; appoint local data protection officers (DPOs) per GDPR requirement
  - GDPR: DPO required if processing > 250 employees' data or special category data
  - China: PIPL compliance; data localization requirements; CAC security assessment
  - India: DPDP Act 2023; data localization for government data
  - Brazil: LGPD compliance; ANPD regulatory oversight
  - Cost: $500K–$2M/year for global compliance program; $100K–$500K per major framework

- **Startup compliance** (pre-revenue, limited resources): Prioritize SOC 2 Type I first (3–6 months, $30K–$80K); use automated compliance platforms (Vanta, Drata: $10K–$30K/year); focus on customer-required controls first; defer ISO 27001 until Series B+; implement basic controls: MFA, encryption, access review, incident response plan
  - MVP compliance: MFA (free), encryption (built-in), basic logging (free tier tools), access review (quarterly manual)
  - Cost-efficient stack: AWS Security Hub (free tier), GitHub secret scanning (free), Prisma Cloud trial
  - Timeline: SOC 2 Type I in 90 days; Type II after 12 months of operation

- **M&A risk integration** (acquired company with different risk posture): Conduct IT risk assessment of acquired company within 30 days; identify critical gaps (security, compliance, backup); create 100-day remediation plan; align policies and procedures; merge risk registries; report combined risk to board within 60 days
  - Day 1–30: assess current state; document gaps; contain critical risks
  - Day 31–60: implement critical controls; begin policy alignment
  - Day 61–100: complete remediation plan; integrate monitoring; report to board
  - Common gaps: no MFA, no backup, no incident response plan, outdated patches

- **Regulatory changes** (new laws, updated requirements): Subscribe to regulatory intelligence feeds; quarterly legal review of applicable regulations; impact assessment within 30 days of new requirement; update risk registry and control mapping; implement required changes within regulatory deadline; budget for compliance updates (5–10% of annual compliance budget)
  - AI regulations: EU AI Act (2024), US Executive Order on AI, NIST AI RMF
  - Cybersecurity: SEC cyber disclosure rules (2023), DORA (EU, 2025)
  - Data privacy: expanding state laws (US), new country regulations

- **Third-party risk cascade** (vendor breach affects your compliance): Monitor vendor security posture continuously; require vendors to report breaches within 24 hours; maintain contingency plans for critical vendor failures; contractual right to audit vendors; exit strategy for high-risk vendors; update risk registry with vendor-dependent risks
  - Contractual requirements: SOC 2 report annual, breach notification < 24 hours, right to audit, data return/deletion
  - Monitoring: vendor security ratings (BitSight, SecurityScorecard); continuous monitoring ($5K–$20K/year)
  - Response: activate contingency within 4 hours; communicate to affected customers within 24 hours

- **Risk appetite definition** (board-approved tolerance levels): Define acceptable risk levels per category; document risk appetite statement; align with business strategy; review annually; cascade to department-level risk tolerances; use for risk treatment decisions
  - Example statement: "The organization accepts Medium residual risk (6–9) for operational risks with documented treatment plans. High risk (12–16) requires executive sponsorship and 90-day remediation. Critical risk (20–25) requires immediate board notification and 30-day remediation."
  - Categories: financial, operational, reputational, compliance, strategic
  - Review: annual board approval; interim review on material events
