Risk ID,Risk Description,Risk Level,Status,Control Domain,Responsible Owner,Target Remediation Date,Remediation Notes,ISO 27001 Reference,SOC 2 Reference
R-001,14 legacy shared administrator accounts remain active in on-premises Active Directory; shared credentials prevent individual accountability and session attribution,Critical,Open,Access Control,Priya Nair (VP Information Security),July 15 2026,PAM project in progress; accounts identified and documented; migration plan approved. Critical to complete before October audit.,A.9.2 / A.5.15,CC6.1
R-002,Encryption at rest not enabled for 3 Azure Blob Storage containers holding client PII; data would be exposed if the underlying storage were compromised,Critical,Open,Data Protection,Marcus Chen (Cloud Infrastructure Lead),August 1 2026,Azure storage encryption retrofit in progress. Two of five containers remediated as of February 2026.,A.8.24,CC6.7
R-003,23 Azure service accounts not enrolled in MFA; provisioned prior to the MFA mandate and not yet migrated to managed identities,Critical,Open,Identity & Access Management,Marcus Chen (Cloud Infrastructure Lead),August 31 2026,Service account MFA migration project initiated Q1 2026. 8 of 23 accounts migrated as of March 2026.,A.5.17,CC6.1
R-004,Third-party vendor Clearbridge Analytics has standing 24/7 access to the Zava data warehouse; no time-limited or supervised access controls in place,Critical,Open,Third-Party Risk,Jordan Lee (Vendor Manager),September 15 2026,Vendor access review initiated. New Third-Party Access Agreement drafted and under legal review. Interim control: enhanced logging of Clearbridge sessions.,A.5.19 / A.5.22,CC9.2
R-005,Incident response plan has not been tested (tabletop exercise) since April 2024; more than 18 months without a test,Critical,Open,Incident Response,Priya Nair (VP Information Security),September 30 2026,Tabletop exercise scheduled for September 2026. Facilitator engaged. Scenario: ransomware affecting production trading systems.,A.5.24 / A.5.26,CC7.3
R-006,Business continuity plan (BCP) has not been reviewed or updated since 2023; does not reflect current cloud architecture or hybrid work environment,High,Open,Business Continuity,Dana Olufsen (CCO),September 30 2026,BCP review kicked off March 2026. External consultant engaged. Draft expected by August 2026.,A.5.29 / A.5.30,A1.2
R-007,Quarterly access review for Q4 2025 completed 47 days late; review process is manual and dependent on individual reminders,High,In Progress,Access Control,Marcus Chen (Cloud Infrastructure Lead),Completed (process fix ongoing),Q4 2025 review completed February 14 2026. Automated ServiceNow reminders configured for Q1 2026 forward. Monitoring to confirm on-time completion.,A.9.5,CC6.3
R-008,Security awareness training completion rate at 67%; 33% of employees have not completed mandatory annual training,High,Open,Human Resources Security,Jordan Lee (HR / Compliance),June 30 2026,Completion campaign launched March 2026. Manager reminders sent. Target: 95% completion by June 30.,A.6.3,CC2.2
R-009,Penetration test findings from November 2025 include 2 High-severity findings not yet remediated: SQL injection in the client portal and insecure direct object reference in the API,High,Open,Vulnerability Management,Marcus Chen (Cloud Infrastructure Lead),July 31 2026,Web application firewall rules applied as interim mitigation only; full remediation requires application code changes. Developer sprint scheduled for June 2026.,A.8.8,CC7.1
R-010,Change management process does not require security review for infrastructure changes under a defined threshold; 3 recent changes bypassed security assessment,High,In Progress,Change Management,Priya Nair (VP Information Security),July 1 2026,Change management policy under revision. New security review threshold being defined. Expected policy update by July 1 2026.,A.8.32,CC8.1
R-011,Data classification scheme has not been applied to legacy SharePoint content; approximately 12000 documents have no sensitivity label,Medium,In Progress,Data Classification,Jordan Lee (Vendor Manager / Content Owner),October 31 2026,Microsoft Purview auto-labeling pilot running on 500 documents. Full rollout plan in development. Expected completion post-audit.,A.5.12 / A.5.13,CC6.7
R-012,Audit log retention configured at 90 days in Microsoft 365 Purview; internal policy requires 2-year retention (mapped to ISO 27001 A.8.15 and SOC 2 CC7.2),High,Open,Audit & Logging,Priya Nair (VP Information Security),September 30 2026,Purview retention policy update in progress. Requires Compliance Administrator approval and testing. Interim: manual weekly export of audit logs to encrypted Azure Blob Storage.,A.8.15,CC7.2