
regulator-portal-service — Service Risk Register

Version: 1.0
Status: Draft
Owner: Regulator-facing + Legal + Security + SRE
Last Updated: 2026-04-21
References: FAILURE_MODES.md, SECURITY_MODEL.md

Scored Likelihood (L, 1–5) × Impact (I, 1–5); a residual rating of Medium or lower is required for GA.


1. Risk Summary

| ID | Risk | Category | L | I | Pre | Residual | Owner |
| --- | --- | --- | --- | --- | --- | --- | --- |
| REG-RISK-01 | ATRA PKI not finalised at launch | Regulatory | 4 | 4 | High | Medium | Regulator Liaison |
| REG-RISK-02 | SIEM destination schema vendor changes (Splunk/LEEF vendor) | Dependency | 3 | 3 | Medium | Medium | Security |
| REG-RISK-03 | LI workflow SLA breach → regulator penalty | Availability | 3 | 5 | High | Medium | Legal + SRE |
| REG-RISK-04 | HSM outage during report-signing window | Dependency | 2 | 4 | Medium | Low | Security + SRE |
| REG-RISK-05 | Upstream unavailability → incomplete report → regulator trust impact | Integration | 3 | 3 | Medium | Low | SRE |
| REG-RISK-06 | Auditor portal credential compromise | Security | 2 | 4 | Medium | Low | Security |
| REG-RISK-07 | Evidence auto-collection false positive (CURRENT when actually stale) | Correctness | 3 | 3 | Medium | Medium | Compliance |
| REG-RISK-08 | Disk-WAL fills during prolonged SIEM outage → event loss | Availability | 2 | 4 | Medium | Low | SRE |
| REG-RISK-09 | Regulator cert-revocation propagation delay (CRL cache freshness) | Security | 3 | 3 | Medium | Low | Security |
| REG-RISK-10 | Complaint-triage classifier bias | ML fairness | 2 | 3 | Medium | Low | T&S |
| REG-RISK-11 | Multi-region portal: data residency concern (sovereign vs. DR) | Regulatory | 2 | 3 | Medium | Medium | Legal + Platform Arch |
| REG-RISK-12 | LI dual-control bottleneck off-hours | Process | 3 | 3 | Medium | Medium | Legal |
| REG-RISK-13 | Attestation-bundle regeneration after annual audit failure | Ops | 2 | 2 | Low | Low | Compliance |
| REG-RISK-14 | Cross-jurisdictional LI request (rare but possible) | Legal | 1 | 4 | Medium | Medium | Legal |

2. Risk Details

REG-RISK-01 — ATRA PKI not finalised

Mitigation. Interim Ghasi Government Trust Anchor (per the cbc-bridge CBC-RISK-01 mitigation); migrate when the ATRA PKI is available. A Legal MoU defines the interim model.

Residual. Medium.


REG-RISK-02 — SIEM schema change

Mitigation. Adapter per destination; multi-destination fan-out; vendor change notices tracked. The SIEM-destination-unreachable alert catches a cutover that has gone wrong.

Residual. Medium.


REG-RISK-03 — LI SLA breach

Mitigation. SLA timers with alerts at 75% of the SLA budget. Emergency-approver runbook for edge cases. Multi-region standby. Internal escalation to the CISO on breach.

Residual. Medium.


REG-RISK-04 — HSM outage

Mitigation. HSM HA. Reports queue on sign failure. Backup manual-signing procedure with dual-control.

Residual. Low.


REG-RISK-05 — Upstream unavailability

Mitigation. Partial-report mode with warning banner. Status-page dashboard for regulator visibility.

Residual. Low.


REG-RISK-06 — Auditor credential compromise

Mitigation. mTLS with auditor PKI; time-boxed access (default 30 d); session logging + anomaly detection; revocation within 5 min of compromise report.

Residual. Low.


REG-RISK-07 — Evidence false-positive

Mitigation. Multi-source evidence validation where practical (cross-check each evidence item against two upstream sources). Quarterly Compliance review of all evidence currently marked CURRENT.

Residual. Medium.


REG-RISK-08 — WAL fill event loss

Mitigation. 50 GB WAL sized for 7-day outage; alerts at 50/75/90%; manual expansion procedure; Legal-approval required for any event drop.
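The two alerting mitigations above, the LI SLA timers alerting at 75% of the time budget (REG-RISK-03) and the disk-WAL alerts at 50/75/90% of its 50 GB capacity (REG-RISK-08), share one mechanism: fire a tier once when consumption of a budget crosses it, and project when the budget runs out. The following is an added example written for this register, not the service's own code; the 72 h SLA budget, the ingest rates and the readings are constructed, while the 50 GB capacity, the 7-day sizing and the threshold values come from the register.

```python
"""Threshold alerting over a consumed budget, with time-to-exhaustion projection.

Added example, not the service's own code. Models the LI SLA timer (75 % tier) and the
SIEM disk-WAL alerts (50/75/90 % tiers) with one monitor. Constructed values: the 72 h SLA
budget, the ingest rates and the sample readings.
"""
from typing import Optional


class BudgetMonitor:
    """Fires each threshold tier once as consumption crosses it, and re-arms a tier only
    after consumption drops back below it, so a metric hovering at a tier does not re-alert."""

    def __init__(self, name: str, thresholds):
        self.name = name
        self.thresholds = sorted(thresholds)   # fractions of the budget, e.g. 0.5, 0.75, 0.9
        self.fired = set()

    def observe(self, consumed: float, total: float) -> list:
        """Return the tiers newly crossed by this reading, lowest first."""
        if total <= 0:
            raise ValueError("total budget must be positive")
        fraction = consumed / total
        newly = []
        for tier in self.thresholds:
            if fraction >= tier and tier not in self.fired:
                self.fired.add(tier)
                newly.append(tier)
            elif fraction < tier and tier in self.fired:
                self.fired.discard(tier)       # re-arm once back below the tier
        return newly


def seconds_to_exhaustion(consumed: float, total: float, rate_per_s: float) -> Optional[float]:
    """Seconds until the budget is used up at the current rate; None if it is not growing.
    For a time budget the rate is simply 1.0 (one second consumed per second)."""
    if rate_per_s <= 0:
        return None
    return max(total - consumed, 0.0) / rate_per_s


GB = 10**9
WAL_CAPACITY = 50 * GB                                 # from the register
WAL_OUTAGE_BUDGET_S = 7 * 86400                        # sized for a 7-day SIEM outage (register)
WAL_DESIGN_RATE = WAL_CAPACITY / WAL_OUTAGE_BUDGET_S   # bytes/s the 7-day sizing assumes


def wal_outage_check(used_bytes: int, ingest_bytes_per_s: float) -> dict:
    """Compare the observed WAL fill rate against the 7-day design assumption."""
    eta = seconds_to_exhaustion(used_bytes, WAL_CAPACITY, ingest_bytes_per_s)
    return {
        "fraction_used": used_bytes / WAL_CAPACITY,
        "hours_to_full": None if eta is None else eta / 3600,
        "within_design_rate": ingest_bytes_per_s <= WAL_DESIGN_RATE,
    }


if __name__ == "__main__":
    sla = BudgetMonitor("li-sla", [0.75])
    print(sla.observe(55 * 3600, 72 * 3600))        # constructed 72 h budget, 55 h elapsed
    wal = BudgetMonitor("siem-wal", [0.5, 0.75, 0.9])
    print(wal.observe(38 * GB, WAL_CAPACITY))       # first reading during an outage
    print(wal_outage_check(38 * GB, 120_000))       # constructed ingest rate of 120 kB/s
```

A first reading taken late in an outage can cross several tiers at once; the monitor reports all of them rather than only the highest, so the alert history still shows which tiers were skipped. The `within_design_rate` flag is the early warning the register's 7-day sizing depends on: if the observed ingest rate exceeds the design rate, the WAL will fill before the outage budget is spent, and the manual expansion procedure should start before the 90% tier fires.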

Residual. Low.


REG-RISK-09 — Cert revocation delay

Mitigation. CRL cache 4 h TTL; OCSP staple required for active sessions; manual cert-block runbook for urgent cases.
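The three controls above close the revocation gap in order of how quickly each propagates: the manual block list is immediate, the OCSP staple is as fresh as the responder's last answer, and the cached CRL can be up to 4 h behind. The decision function below is an added example written for this register, not the service's own code. The 4 h TTL, the staple requirement for active sessions and the manual block runbook come from the register; the fail-closed handling of a CRL cache older than its TTL, the serial numbers and the timestamps are assumptions.

```python
"""Revocation check combining a cached CRL, a required OCSP staple and a manual block list.

Added example, not the service's own code. From the register: 4 h CRL TTL, OCSP staple
required for active sessions, manual cert-block runbook. Assumed: a CRL cache older than
its TTL fails closed; all serials and timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional, Tuple

CRL_TTL = timedelta(hours=4)   # from the register


@dataclass(frozen=True)
class CachedCRL:
    fetched_at: datetime            # when this copy was downloaded from the regulator CA
    revoked_serials: FrozenSet[str]


@dataclass(frozen=True)
class OCSPStaple:
    serial: str
    status: str                     # "good", "revoked" or "unknown"
    this_update: datetime
    next_update: datetime


def crl_age(crl: CachedCRL, now: datetime) -> timedelta:
    return now - crl.fetched_at


def revocation_decision(serial: str, now: datetime, crl: CachedCRL,
                        staple: Optional[OCSPStaple], manual_block: FrozenSet[str]) -> Tuple[bool, str]:
    """Return (accept, reason). Checks run fastest-propagating signal first, so a manual
    block or a fresh OCSP 'revoked' wins over a cached CRL that may be hours old."""
    if serial in manual_block:
        return False, "serial on manual block list (urgent-case runbook)"
    if staple is None or staple.serial != serial:
        return False, "no OCSP staple for this certificate; a staple is required for active sessions"
    if not (staple.this_update <= now <= staple.next_update):
        return False, "OCSP staple outside its validity window"
    if staple.status == "revoked":
        return False, "OCSP staple reports revoked"
    if staple.status != "good":
        return False, f"OCSP staple status {staple.status!r}; only 'good' is accepted"
    age = crl_age(crl, now)
    if age > CRL_TTL:
        # ASSUMED policy: a cache past its 4 h TTL is treated as unknown and fails closed.
        return False, f"CRL cache is {age} old, over the {CRL_TTL} TTL; refresh before accepting"
    if serial in crl.revoked_serials:
        return False, "serial listed in cached CRL"
    return True, "accepted: OCSP good, CRL fresh and clear, not manually blocked"


if __name__ == "__main__":
    now = datetime(2026, 4, 21, 12, 0, tzinfo=timezone.utc)          # constructed
    crl = CachedCRL(now - timedelta(hours=1), frozenset({"0A01"}))    # constructed serials
    staple = OCSPStaple("0B02", "good", now - timedelta(minutes=10), now + timedelta(hours=1))
    print(revocation_decision("0B02", now, crl, staple, frozenset()))
    print(revocation_decision("0B02", now, crl, staple, frozenset({"0B02"})))
```

The ordering is the point: the manual block list is consulted before anything else, so the urgent-case runbook takes effect immediately even while the cached CRL is still within its 4 h TTL and does not yet list the certificate. The fail-closed branch for a stale cache is a design choice for a regulator-facing service; it trades availability for certainty and should be paired with an alert on CRL fetch failures so the operators learn about the stale cache before the regulators do.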

Residual. Low.


REG-RISK-10 — Triage classifier bias

Mitigation. Fairness audit; human-in-the-loop for all complaint categorisations at launch; the classifier is advisory-only until the audit passes.

Residual. Low.


REG-RISK-11 — Data residency

Mitigation. Regulator portal is deployed in the sovereign region only. The DR region is Afghan (mzr), not Dubai. Dubai retains only the audit mirror (LI events + attestation evidence) under a Legal-approved data residency policy.

Residual. Medium.


REG-RISK-12 — Off-hours LI approver

Mitigation. Emergency-approver rotation (CISO + CTO on-call). Dual-control window 60 s during business hours; extended window with documented approval out-of-hours.
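The dual-control rule above has edge cases that are easy to get wrong in code: the two approvals must come from different people, the 60 s window applies at the time the second approval lands, and out-of-hours requests get the extended window only when a documented approval exists. The following check is an added example written for this register, not the service's own code. The 60 s business-hours window and the CISO/CTO on-call emergency rotation come from the register; the 30 min extended window, the Monday to Friday 09:00–17:00 UTC business-hours definition, the role names and the requirement that an out-of-hours pair include one emergency approver are assumptions.

```python
"""Dual-control check for lawful-intercept (LI) approvals.

Added example, not the service's own code. From the register: 60 s business-hours window,
CISO + CTO on-call emergency rotation, extended window out-of-hours only with documented
approval. Assumed: 30 min extended window, Mon-Fri 09:00-17:00 UTC business hours, role
names, and that an out-of-hours pair must include one emergency approver.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

BUSINESS_HOURS_WINDOW = timedelta(seconds=60)      # from the register
OUT_OF_HOURS_WINDOW = timedelta(minutes=30)        # ASSUMED length of the extended window
EMERGENCY_ROLES = {"ciso-oncall", "cto-oncall"}    # constructed names for the emergency rotation


@dataclass(frozen=True)
class Approval:
    approver: str     # identity of the human who approved
    role: str         # e.g. "legal" or one of EMERGENCY_ROLES (constructed)
    at: datetime      # timezone-aware time the approval was recorded


@dataclass
class LIRequest:
    request_id: str
    approvals: List[Approval] = field(default_factory=list)
    out_of_hours_ref: Optional[str] = None   # reference to the documented out-of-hours approval


def is_business_hours(t: datetime) -> bool:
    """ASSUMED definition: Monday to Friday, 09:00-17:00 UTC."""
    t = t.astimezone(timezone.utc)
    return t.weekday() < 5 and 9 <= t.hour < 17


def dual_control_decision(req: LIRequest) -> Tuple[bool, str]:
    """Return (approved, reason). Two different people must approve within the window
    that applies at the moment the second approval lands."""
    if len(req.approvals) < 2:
        return False, "need two approvals"
    first, second = sorted(req.approvals, key=lambda a: a.at)[:2]
    if first.approver == second.approver:
        return False, "both approvals are from the same person"
    window = BUSINESS_HOURS_WINDOW
    if not is_business_hours(second.at):
        if {first.role, second.role}.isdisjoint(EMERGENCY_ROLES):
            return False, "out-of-hours approval needs one approver from the emergency rotation"
        if req.out_of_hours_ref:
            window = OUT_OF_HOURS_WINDOW   # extended window only with documented approval
    elapsed = second.at - first.at
    if elapsed > window:
        return False, (f"second approval {elapsed.total_seconds():.0f}s after first; "
                       f"allowed window is {window.total_seconds():.0f}s")
    return True, (f"approved by {first.approver} and {second.approver} "
                  f"within {window.total_seconds():.0f}s")


if __name__ == "__main__":
    t0 = datetime(2026, 4, 21, 10, 0, 0, tzinfo=timezone.utc)   # constructed: Tuesday, business hours
    req = LIRequest("li-demo", [Approval("alice", "legal", t0),
                                Approval("bob", "legal", t0 + timedelta(seconds=45))])
    print(dual_control_decision(req))
```

Sorting approvals by time before comparing them matters when a request collects more than two: the check measures the gap between the first two distinct approvals, not between whichever two happen to be listed first. Rejections carry the measured gap and the window that applied, which is what Legal needs in the log when an off-hours request is refused.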

Residual. Medium.


REG-RISK-13 — Bundle regeneration fail

Mitigation. Idempotent bundle generator; manual re-run available.
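Idempotence is what makes the manual re-run safe: generating the bundle twice from the same evidence must yield the same bundle, and storing it twice must be a no-op rather than a second, divergent copy. The generator below is an added example written for this register, not the service's own code; it derives the bundle id from canonical content only, so input order and wall-clock time cannot change it. The evidence fields, the period label and the in-memory store are constructed for illustration.

```python
"""Idempotent attestation-bundle generator with a content-addressed store.

Added example, not the service's own code. Shows the property REG-RISK-13 relies on:
same evidence in, byte-identical bundle out, and a second write of the same bundle is
a no-op. Evidence fields, period label and the store are constructed.
"""
import hashlib
import json
from typing import Dict, List


def canonical_json(obj) -> bytes:
    """Deterministic serialisation: sorted keys, no insignificant whitespace, UTF-8."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_bundle(evidence: List[dict], period: str) -> dict:
    """Assemble the bundle. The id covers only content: no timestamps, no input order."""
    items = sorted(evidence, key=lambda e: e["control_id"])   # input order must not matter
    body = {
        "period": period,
        "items": items,
        "item_digests": [digest(canonical_json(e)) for e in items],
    }
    return {**body, "bundle_id": digest(canonical_json(body))}


class BundleStore:
    """Content-addressed store: re-storing an identical bundle changes nothing, while a
    different bundle for the same period is recorded as superseding the earlier one."""

    def __init__(self):
        self.by_id: Dict[str, bytes] = {}
        self.by_period: Dict[str, str] = {}

    def put(self, bundle: dict) -> str:
        bid = bundle["bundle_id"]
        if bid in self.by_id:
            return "unchanged"        # the re-run produced identical bytes; nothing to do
        self.by_id[bid] = canonical_json(bundle)
        previous = self.by_period.get(bundle["period"])
        self.by_period[bundle["period"]] = bid
        return "created" if previous is None else "superseded"


if __name__ == "__main__":
    evidence = [   # constructed evidence items
        {"control_id": "AC-2", "status": "CURRENT", "source": "idp", "collected_at": "2026-04-01T00:00:00Z"},
        {"control_id": "AC-1", "status": "CURRENT", "source": "policy-repo", "collected_at": "2026-04-01T00:00:00Z"},
    ]
    store = BundleStore()
    first = build_bundle(evidence, "FY2026-Q1")
    rerun = build_bundle(list(reversed(evidence)), "FY2026-Q1")
    print(first["bundle_id"] == rerun["bundle_id"], store.put(first), store.put(rerun))
```

Keeping generation time out of the hashed body is deliberate: a bundle that embeds `generated_at` gets a new id on every re-run, which defeats the deduplication and leaves the auditor with two bundles that differ only in a timestamp. If the evidence really did change between runs, the `superseded` result is the signal that the regeneration was substantive and the earlier bundle should be retired explicitly rather than silently overwritten.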

Residual. Low.


REG-RISK-14 — Cross-jurisdictional LI

Mitigation. Legal-signed procedure. Refuse and escalate to MFA + Cabinet if valid legal authority is uncertain. Logged extensively.

Residual. Medium.


3. Residual Summary

| Residual | Count |
| --- | --- |
| Low | 7 |
| Medium | 7 |
| High | 0 |

4. Review Cadence

  • Weekly during dev.
  • Monthly post-GA (all owners).
  • Quarterly (CTO + CISO + Legal + Regulator Liaison).
  • Annual (CEO-chaired; political risk + regulator relationship).