Security Risk Management Plan
An outline of how the Skpr platform manages security risk.
This Security Risk Management Plan (SRMP) has been prepared by PreviousNext to support clients planning to leverage the Skpr hosting platform.
The purpose of this SRMP is to identify the risks to a client hosting on the Skpr platform.
The scope of this SRMP is limited to those threats and risks specific to the Skpr hosting platform.
The Skpr hosting platform Risk Matrix is managed in the central document repository.
A detailed assessment of the risks to the system's operation is outlined in the following sections, which describe the controls required to manage each risk within the solution.
R01 - Inadequate Privileged Account Management
If a privileged account were to be compromised or system privileges were incorrectly assigned, the environment could be accessed by staff without a legitimate need to know. Once inside, the unauthorized user could use the account to make malicious changes, such as adding, altering, or deleting data. Depending on the nature of the account used, the unauthorized user could bring down the environment.
- All Skpr platform components
- Adversarial – Individual – Trusted Insider, Insider, Outsider
- Unintentional – Agency system administrator
- Account creation is managed by Skpr infrastructure as code manifests.
- Approval process in place to obtain a privileged user account (code peer review).
- All privileged accounts are required to have MFA configured.
R02 - Unauthorized Access to Data Hosted within Skpr Platform
An unauthorized user attempts to access data hosted within the Skpr hosting platform in order to obtain PROTECTED data.
- Protected data within the tenant
- Adversarial – Individual – Insider, Trusted Insider, Privileged Insider
- Adversarial – Individual – Outsider
- Adversarial – Group – Established
- Adversarial – Nation State
- Intrusion detection services are configured (e.g. Falco).
- AWS GuardDuty configured (currently in the trial phase).
- Event logging and auditing configured for both AWS and Skpr API interactions.
- Password complexity is enforced.
- MFA is enforced for platform administrators.
R03 - Unskilled Administrator Misconfigures Services
An authorized administrator misconfigures services, increasing the risk of further exploitation. This may result from a misunderstanding of the functionality of specific Skpr platform services, caused by a lack of training or insufficient procedural documentation.
- All infrastructure
- Accidental – Privileged User/Administrator
- Infrastructure configuration is managed in a central repository.
- All changes are peer-reviewed.