RART

Created by Venkat Pothamsetty, Modified on Tue, 26 Aug at 11:13 AM by Venkat Pothamsetty

Risk Assessment & Risk Treatment (RART) – SquareX

ISMS Standard: ISO/IEC 27001:2022

1. Document Metadata

Field	Description
Document Title	Risk Assessment & Risk Treatment (RART) – SquareX
Version	1.1
Date	2025-08-22
Scope	AWS & Azure infrastructure and services supporting SquareX Browser Security Platform
Prepared by	Venkat Pothamsetty
Approved by	John Carse

Revision History

Version	Date	Changes	Approved by
1.0	2025-08-22	Initial creation for SquareX ISMS scope	Jeswin Mathai
1.1	2025-08-22	Updated to focus on AWS & Azure medium/low risks	Jeswin Mathai

2. Risk Assessment Methodology

Governance Framework: ISO/IEC 27001 Clause 6.1.3 & SquareX Risk Assessment Policy.
Process: Asset identification → Threats → Vulnerabilities → Likelihood/Impact → Risk Rating → Treatment → Residual Risk.
Risk Criteria:
- Low (<3): Acceptable with monitoring.
- Medium (3–7): Acceptable with treatment and CISO approval.
- High (>7): Immediate treatment required (not included here).

3. Risk Register (AWS & Azure – Medium/Low Risks Only)

Risk ID	Asset	Threat / Scenario	Vulnerability	Inherent Risk	Treatment	Residual Risk	Owner	Review Date
SX-AWS-01	AWS S3 Buckets	Data exposure via misconfigured public access	Lack of uniform bucket policies	3.2 (Medium)	Enforce SCPs, default encryption & access logs	2.0 (Low)	Cloud Ops Lead	2026-02-22
SX-AWS-02	AWS IAM	Privilege creep in service accounts	Infrequent role reviews	2.8 (Medium)	Implement IAM Access Analyzer, quarterly reviews	1.5 (Low)	SecOps Lead	2026-02-22
SX-AZ-01	Azure Key Vault	Unauthorized access attempts	Weak monitoring of access logs	3.5 (Medium)	Enable Azure Monitor, conditional access	2.3 (Medium)	Cloud Ops Lead	2026-02-22
SX-AZ-02	Azure AD	MFA bypass attempts	MFA brute force	2.5 (Medium)	Block legacy auth, enforce conditional MFA	1.8 (Low)	IT Manager	2026-02-22

4. Treatment Plan & Residual Risk Analysis

Risk SX-AWS-01 – S3 Misconfiguration

Controls: Service Control Policies (SCPs), block public access, encryption enforced.
Residual Risk: Low – accepted by CISO.

Risk SX-AWS-02 – IAM Privilege Creep

Controls: Access Analyzer, quarterly reviews, least-privilege enforcement.
Residual Risk: Low – accepted.

Risk SX-AZ-01 – Azure Key Vault Access Risks

Controls: Logging via Azure Monitor, conditional access enforcement.
Residual Risk: Medium – accepted with monitoring.

Risk SX-AZ-02 – Azure AD Legacy Auth

Controls: Disable legacy protocols, enforce MFA.
Residual Risk: Low – accepted.

Risk SX-AZ-03 – Blob Storage SAS Token Leakage

Controls: Short-lived tokens, logging, monitoring.
Residual Risk: Low – accepted.

5. Monitoring & Review

Review Cycle: Annually, or upon major cloud service changes.
Controls Verification: Quarterly access reviews, SIEM log analysis.
KPIs:
- 100% IAM role reviews on time.
- Zero unauthorized blob storage access events.
- Zero public S3 buckets detected.

6. Risk Scoring & Acceptance Criteria

Low (<3): Acceptable with monitoring.
Medium (3–7): Acceptable with treatment and CISO approval.
High (>7): Not in scope here (requires urgent mitigation).

7. Annex A Control Mapping

Risk ID	Threat Scenario	Control References
SX-AWS-01	Misconfigured S3 exposure	A.5.23 (Cloud services), A.8.9 (Config mgmt), A.13.1 (Network security)
SX-AWS-02	IAM privilege creep	A.8.2.2 (Ownership of assets), A.9.2 (User access mgmt), A.9.4 (Access restrictions)
SX-AZ-01	Unauthorized Key Vault access	A.5.13 (Access control), A.12.4 (Logging & monitoring), A.8.16 (Activity monitoring)
SX-AZ-02	Legacy protocol MFA bypass	A.9.1.2 (Access to networks), A.5.15 (Use of mobile devices), A.5.23 (Cloud security)
SX-AZ-03	Blob Storage token leakage	A.8.8 (Data leakage prevention), A.8.27 (Information deletion), A.13.2 (Network confidentiality)