---
# Organization Risk Catalog for Cloud and Container Workloads (Layer 3)
# Conforms to Gemara #RiskCatalog (riskcatalog.cue).
# gemara-version: v1.2.0 — https://github.com/gemaraproj/gemara/releases/tag/v1.2.0
# Risks drawn from Threat Assessment Guide: CCC (CCC.Core.TH14) and SEC.SLAM.CM (SEC.SLAM.CM.THR01).
#
# Layout of this document:
#   metadata  - identifies the catalog and lists the external threat catalogs
#               (`mapping-references`) that risk entries point into.
#   groups    - risk buckets, each with an appetite and a severity ceiling.
#   risks     - individual risks; each `threats[].reference-id` below matches an
#               `id` in `metadata.mapping-references`, and each nested
#               `entries[].reference-id` names a threat inside that catalog.
# All string-valued fields are single-quoted so that version tags, ids and
# titles are never re-typed by a YAML parser.
title: 'Organization Risk Catalog for Cloud and Container Workloads'

metadata:
  id: 'org-risk-catalog-001'
  type: 'RiskCatalog'
  # Schema release this file is written against (same as the header comment).
  gemara-version: '1.2.0'
  description: 'Risks relevant to cloud and container management; threats linked to CCC Core and SEC.SLAM.CM threat catalog.'
  # Version of this catalog document itself (the schema version is `gemara-version`).
  version: '1.0.0'
  author:
    id: 'security-team'
    name: 'Security Team'
    type: 'Human'
  # External threat catalogs referenced from `risks[].threats[].reference-id`.
  mapping-references:
    - id: 'CCC'
      title: 'Common Cloud Controls Core'
      # Release tag, not a number; quoted so `v2025.10` stays a string.
      version: 'v2025.10'
      url: 'https://github.com/finos/common-cloud-controls/releases'
      description: |
        Foundational repository of reusable security controls, capabilities,
        and threat models maintained by FINOS.
    - id: 'SEC.SLAM.CM'
      title: 'Container Management Tool Security Threat Catalog'
      version: '1.0.0'
      description: 'Threat catalog from the Threat Assessment Guide (SEC.SLAM.CM).'

groups:
  # Both risks in this file belong to this group; its ceiling is High.
  - id: 'infrastructure'
    title: 'Infrastructure and Operations'
    description: 'Risks related to cloud infrastructure, container platforms, and operational security.'
    appetite: 'Low'
    max-severity: 'High'
  # Defined for completeness; no risk below is assigned to this group yet.
  - id: 'data'
    title: 'Data and Privacy'
    description: 'Risks related to data exposure, residency, and compliance.'
    appetite: 'Minimal'
    max-severity: 'Low'

risks:
  # R01: stale or unverified images. The description names mutable tags and
  # missing verification as the root causes; NOTE(review): confirm that the
  # controls mapped to this risk elsewhere cover those two causes.
  - id: 'R01'
    title: 'Older or Compromised Container Images in Use'
    description: 'Mutable image tags or lack of verification can lead to pulling stale or compromised images, increasing supply chain and runtime risk.'
    group: 'infrastructure'
    # At the `infrastructure` group's max-severity.
    severity: 'High'
    # NOTE(review): presumably rank 1 is the highest-priority risk — confirm
    # the ordering convention against riskcatalog.cue.
    rank: 2
    impact: 'Supply chain compromise, unauthorized code execution, or data exfiltration.'
    owner:
      responsible:
        - name: 'Platform Engineering'
          affiliation: 'Engineering'
      accountable:
        - name: 'CISO'
          affiliation: 'Security'
    threats:
      - reference-id: 'CCC'
        entries:
          - reference-id: 'CCC.Core.TH14'
            remarks: 'Older Resource Versions are Used'
  # R02: tampering/poisoning of images in transit, at rest, or via the build
  # pipeline. NOTE(review): unlike R01 this entry carries no `impact` or
  # `owner`; confirm whether the schema requires them before downstream use.
  - id: 'R02'
    title: 'Container Image Tampering or Poisoning'
    description: 'Images may be tampered with in transit or at rest, or built from poisoned dependencies or build pipelines.'
    group: 'infrastructure'
    severity: 'High'
    rank: 1
    threats:
      # NOTE(review): the CCC entry reuses TH14 with R01's remark; the header
      # cites only TH14 and THR01, so confirm TH14 is the intended CCC mapping
      # for a tampering risk.
      - reference-id: 'CCC'
        entries:
          - reference-id: 'CCC.Core.TH14'
            remarks: 'Older Resource Versions are Used'
      - reference-id: 'SEC.SLAM.CM'
        entries:
          - reference-id: 'SEC.SLAM.CM.THR01'
            remarks: 'Container Image Tampering or Poisoning'