Risk Analysis¶

Classification: CONFIDENTIAL — Internal Use Only

This document maintains the GPUS-IT risk register. Risks are scored on a 5×5 likelihood × impact matrix. The register should be reviewed quarterly by the IT Manager and Security Ops.

Risk Scoring¶

Score	Likelihood	Impact
1	Rare	Negligible
2	Unlikely	Minor
3	Possible	Moderate
4	Likely	Significant
5	Almost certain	Critical

Risk Score = Likelihood × Impact

Score Range	Rating
1–4	Low
5–9	Medium
10–16	High
17–25	Critical

Risk Register¶

ID	Risk	Likelihood	Impact	Score	Rating	Mitigating Controls	Owner
R-001	SKY failure causes DNS outage	2	4	8	Medium	RAIN auto-failover; < 5 min RTO	DNS Admin
R-002	Both SKY and RAIN fail simultaneously	1	5	5	Medium	ESXi snapshots; /etc/hosts fallback	IT Manager
R-003	DNSSEC key compromise	1	4	4	Low	Keys chmod 600; management network only; rotation schedule	DNS Admin
R-004	Unauthorized admin access	2	5	10	High	SSH key-only; sudo logging; auditd; MFA via Okta (planned)	Security Ops
R-005	Ransomware / malware on a server	1	5	5	Medium	AIDE daily; minimal packages; no internet exposure; backups	Security Ops
R-006	VPN tunnel failure (WDC ↔ GCP)	2	3	6	Medium	Auto-reconnect IKEv2; GCP monitoring; status site alert	IT Admin
R-007	GCS backup inaccessible	1	4	4	Low	Local 30-day backup also retained; ESXi snapshots	Backup Admin
R-008	ESXi host failure	1	5	5	Medium	Local backup archives; GCS offsite	IT Manager
R-009	Insider threat	1	5	5	Medium	Minimal admin accounts; sudo logging; auditd; log retention 90 days	Security Ops
R-010	DNS amplification attack	2	3	6	Medium	Rate limiting on recursion; Prometheus spike alerts	DNS Admin

Review Schedule¶

Activity	Frequency	Owner
Risk register review	Quarterly	IT Manager + Security Ops
New risk identification	On any significant infrastructure change	IT Admin
Control effectiveness review	Annually	Security Ops

Risk Analysis · v1.1 · 2026-03-14 · GPUS-IT · Classification: CONFIDENTIAL — Internal Use Only