Files
tm_back/docs/security/RISK_ASSESSMENT_MATRIX.md
T
Mazyar 06e663b691 Add security and compliance documentation for ISO/IEC 27001
- Introduced a comprehensive suite of security documents to support ISO/IEC 27001 certification, including the ISMS Foundation, Risk Assessment Matrix, Gap Analysis Report, Statement of Applicability, and ISO27001 Roadmap.
- Updated the README to include links to the new security documentation, enhancing the project's compliance framework and providing clear guidance on security policies and procedures.

This addition strengthens the overall security posture of the Tender Management System and aligns with industry standards for information security management.
2026-06-11 01:53:24 +03:30

11 KiB
Raw Blame History

Risk Assessment Matrix — Tender Management System

Field Value
Document ID ISMS-002
Version 1.0
Status Initial assessment
Owner Information Security Officer (ISO)
Last Updated 2026-06-11
Review Cycle Quarterly (minimum)

1. Purpose

This document records the initial information security risk assessment for the Tender Management System ISMS. It identifies threats, evaluates inherent and residual risk, and defines treatment plans aligned with ISO/IEC 27001 Clause 6.1.2 and Annex A controls.

Related: ISMS Foundation | ISO 27001 Roadmap


2. Methodology

2.1 Risk Formula

Risk Score = Likelihood (15) × Impact (15)

2.2 Likelihood Scale

Score Label Description
1 Rare Unlikely in 3+ years
2 Unlikely Possible but not expected annually
3 Possible May occur once per year
4 Likely Expected several times per year
5 Almost certain Expected frequently or already observed

2.3 Impact Scale

Score Label Description
1 Negligible No data exposure; minimal downtime (<1 h)
2 Minor Limited internal data; downtime 14 h
3 Moderate PII exposure for subset of users; downtime 424 h
4 Major Large-scale PII breach; regulatory notification; downtime 13 days
5 Critical Systemic breach; legal liability; prolonged outage (>3 days)

2.4 Risk Level Matrix

Score Range Level Action Required
14 Low Monitor; accept with documented justification
59 Medium Mitigate within 6 months
1015 High Mitigate within 3 months; management awareness
1625 Critical Immediate treatment; executive escalation

2.5 Treatment Options

  • Mitigate — Apply controls to reduce likelihood or impact
  • Transfer — Insurance or contractual liability shift
  • Avoid — Discontinue the activity
  • Accept — Documented acceptance by authorized role (residual risk only)

3. Risk Register

3.1 Authentication & Access

Risk ID Threat Vulnerability Asset(s) L I Inherent Existing Controls Residual L Residual I Residual Treatment Owner Target Date Status
R-001 Credential stuffing / brute force Login endpoints without sufficient throttling A-004, A-006, A-007 4 4 16 Critical JWT auth, hCaptcha on selected flows, rate limit config 3 3 9 Medium Enforce rate limiting on all auth endpoints; account lockout; MFA for admin Engineering Q3 2026 Open
R-002 JWT token theft (XSS, MITM) Tokens in client storage A-008 3 4 12 High HTTPS required in prod; short token TTL; refresh rotation partial 2 3 6 Medium Complete refresh token rotation; HttpOnly cookies where applicable; CSP headers Engineering Q3 2026 Open
R-003 Privilege escalation Insufficient RBAC checks on admin routes A-006, A-014 2 5 10 High Role middleware in pkg/authorization 2 4 8 Medium RBAC audit of all admin endpoints; automated authorization tests Engineering Q2 2026 Open
R-004 Orphaned / excessive access No formal access review process A-006, A-010 3 3 9 Medium Manual provisioning 2 2 4 Low Quarterly access review procedure; offboarding checklist ISO Q3 2026 Open

3.2 Data Protection & Privacy

Risk ID Threat Vulnerability Asset(s) L I Inherent Existing Controls Residual L Residual I Residual Treatment Owner Target Date Status
R-005 Unauthorized PII access Missing encryption at rest A-001, A-004, A-005 3 5 15 High Network isolation; app-level auth 2 4 8 Medium Enable MongoDB encryption at rest; field-level encryption for sensitive fields DevOps Q3 2026 Open
R-006 Data breach via backup exposure Unencrypted or overly permissive backups A-019 2 5 10 High Ad-hoc backups 2 3 6 Medium Encrypted backups; restricted access; backup retention policy DevOps Q3 2026 Open
R-007 GDPR non-compliance (DSR) No documented data subject request process A-004, A-005 3 4 12 High 3 3 9 Medium DSR procedure; data inventory mapping; deletion API/workflow DPO Q4 2026 Open
R-008 Sensitive data in logs Accidental logging of passwords/tokens A-011 3 4 12 High Coding standards prohibit password logging 2 3 6 Medium Log scrubbing; automated secret detection in CI Engineering Q2 2026 Open

3.3 Application Security

Risk ID Threat Vulnerability Asset(s) L I Inherent Existing Controls Residual L Residual I Residual Treatment Owner Target Date Status
R-009 Injection attacks (NoSQL, XSS) Unvalidated user input A-014 3 4 12 High Govalidator; Bluemonday XSS policy 2 3 6 Medium SAST/DAST in CI; security test cases for injection Engineering Q2 2026 Open
R-010 Dependency vulnerability exploit Outdated Go modules A-009 4 4 16 Critical go.mod pinned versions 3 3 9 Medium Dependabot/Renovate; monthly dependency review; govulncheck in CI Engineering Q2 2026 Open
R-011 Insecure file upload Malicious document upload A-003, A-005 2 4 8 Medium File store service; GridFS/MinIO 2 3 6 Medium MIME validation; size limits; malware scanning Engineering Q4 2026 Open
R-012 API abuse / DoS High-volume unauthenticated requests A-014 4 3 12 High Rate limit config exists 2 2 4 Low Enable rate limiting in production; WAF/CDN DevOps Q2 2026 Open

3.4 Infrastructure & Operations

Risk ID Threat Vulnerability Asset(s) L I Inherent Existing Controls Residual L Residual I Residual Treatment Owner Target Date Status
R-013 Secret leakage Secrets in repo, logs, or .env files A-010, A-018 3 5 15 High .gitignore; env priority system 2 4 8 Medium Secret manager (Vault/AWS SM); secret scanning in CI; rotate FCM keys out of repo DevOps Q2 2026 Open
R-014 Service outage (MongoDB/Redis/MinIO) Single points of failure A-001, A-002, A-003 3 4 12 High Managed services assumed 2 3 6 Medium HA deployment; DR plan; RTO/RPO definitions DevOps Q4 2026 Open
R-015 Insufficient monitoring Delayed incident detection A-011, A-012 4 4 16 Critical Application logging only 3 3 9 Medium SIEM integration; alerting on auth failures, error spikes DevOps Q3 2026 Open
R-016 Unpatched OS/container images Delayed security patching A-014, A-015 3 4 12 High 2 3 6 Medium Patch management procedure; automated image scanning DevOps Q3 2026 Open

3.5 Third-Party & Supply Chain

Risk ID Threat Vulnerability Asset(s) L I Inherent Existing Controls Residual L Residual I Residual Treatment Owner Target Date Status
R-017 AI service data leakage Tender text sent to external AI A-017, A-013 3 4 12 High Configurable AI endpoint 2 3 6 Medium DPA with AI vendor; data minimization; on-prem option evaluation DPO / DevOps Q4 2026 Open
R-018 Notification service compromise Email content interception A-016 2 3 6 Medium TLS to notification API 2 2 4 Low Vendor security questionnaire; TLS enforcement ISO Q4 2026 Open
R-019 Compromised TED source data Malicious XML in scraper pipeline A-013, A-015 2 3 6 Medium XML parser validation 2 2 4 Low Schema validation; sandboxed parsing; input size limits Engineering Q3 2026 Open

3.6 Human & Process

Risk ID Threat Vulnerability Asset(s) L I Inherent Existing Controls Residual L Residual I Residual Treatment Owner Target Date Status
R-020 Insider threat Broad production DB access A-001, A-004 2 5 10 High 2 4 8 Medium Least privilege; break-glass access; audit DB queries DevOps Q3 2026 Open
R-021 Phishing / social engineering Staff credential compromise A-006, A-010 3 4 12 High 2 3 6 Medium Security awareness training; MFA for admin and infra ISO Q3 2026 Open
R-022 Undocumented change deployment No formal change management A-009, A-014 3 3 9 Medium Git + PR workflow informal 2 2 4 Low Change management procedure; prod deployment approval Engineering Q3 2026 Open
R-023 Delayed incident response No IR plan or runbooks All 3 5 15 High 2 4 8 Medium Incident response plan; tabletop exercise ISO Q2 2026 Open

4. Risk Summary Dashboard

Risk Level Count Risk IDs
Critical (1625) 0 (after treatment planning) R-001, R-010, R-015 were Critical inherent — all have mitigation plans
High (1015) 8 residual R-003, R-005, R-007, R-009, R-013, R-014, R-020, R-023
Medium (59) 12 residual R-001, R-002, R-004, R-006, R-008, R-010, R-011, R-015, R-016, R-017, R-021, R-022
Low (14) 3 residual R-012, R-018, R-019

4.1 Top Priority Actions (Next 90 Days)

  1. R-023 — Draft and approve incident response plan
  2. R-013 — Remove secrets from repository; implement secret scanning
  3. R-010 — Add govulncheck and dependency scanning to CI
  4. R-003 — Complete RBAC audit of admin API routes
  5. R-001 — Enforce authentication rate limiting in production

5. Risk Acceptance Log

Use this section to record risks explicitly accepted after treatment.

Risk ID Residual Score Accepted By Role Date Justification Review Date
None yet

6. Review History

Version Date Reviewer Changes
1.0 2026-06-11 Engineering Initial risk identification for TM platform

Next scheduled review: 2026-09-11


7. Annex — Asset Reference

See ISMS Foundation §4 for full asset inventory (A-001 through A-020).