Skip to content

Security Risk Management Plan

An outline of how the Skpr platform manages security risk.

Introduction

This Security Risk Management Plan (SRMP) has been prepared by PreviousNext to support clients planning to leverage the Skpr hosting platform.

Purpose

The purpose of this SRMP is to identify the risks to a client hosting on the Skpr platform.

Scope

The scope of this SRMP is limited to those threats and risks specific to the Skpr hosting platform.

Risk Matrix

The Skpr hosting platform Risk Matrix is managed in the central document repository.

Risk Assessment

Detailed assessment of the risks to the system's operation are outlined in the following sections which demonstrate the controls required to manage risks within the solution.

R01 - Inadequate Privileged Account Management

Risk Overview

If a privileged account were to be compromised or system privileges were incorrectly assigned, the environment could be accessed by staff without a legitimate need to know. Once inside, the unauthorized user could use the account to make malicious changes, such as adding, altering, or deleting data. Depending on the nature of the account used, the unauthorized user could bring down the environment.

Assets Affected

  • All Skpr platform components

Threat Sources

  • Adversarial – Individual – Trusted Insider, Insider, Outsider
  • Unintentional – Agency system administrator

Likelihood

  • Possible

Consequences

  • Severe

Risk Rating

  • Extreme

Mitigations

  • Account creation is managed by Skpr infrastructure as code manifests.
  • Approval process in place to obtain a privileged user account (code peer review).
  • All privileged accounts are required to have MFA configured.

R02 - Unauthorized Access to Data Hosted within Skpr Platform

Risk Overview

An unauthorized user attempts to access data hosted within the Skpr hosting platform to gain access to PROTECTED data.

Assets Affected

  • Protected data within the tenant

Threat Sources

  • Adversarial – Individual – Insider, Trusted Insider, Privileged Insider
  • Adversarial – Individual – Outsider
  • Adversarial – Group – Established
  • Adversarial – Nation State

Likelihood

  • Possible

Consequences

  • Severe

Risk Rating

  • Extreme

Mitigations

  • Intrusion detection services configured e.g. Falco.
  • AWS GuardDuty configured (currently in the trial phase).
  • Event logging and auditing configured for both AWS and Skpr API interactions.
  • Password complexity is enforced.
  • MFA is enforced for platform administrators.

R03 - Unskilled Administrator Misconfigures Services

Risk Overview

An authorized administrator misconfigures services increasing the risk of further exploitation. This may be due to a misunderstanding of the functionality of specific Skpr platform services due to a lack of training or insufficient procedural documentation.

Assets Affected

  • All infrastructure

Threat Sources

  • Accidental – Privileged User/Administrator

Likelihood

  • Rare

Consequences

  • Minor

Risk Rating

  • Low

Mitigations

  • Infrastructure configuration is managed in a central repository.
  • All changes are peer-reviewed.