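# Organization Risk Catalog for Cloud and Container Workloads (Layer 3)
# Conforms to Gemara #RiskCatalog (riskcatalog.cue).
# gemara-version: v1.2.0 — https://github.com/gemaraproj/gemara/releases/tag/v1.2.0
# Risks drawn from Threat Assessment Guide: CCC (CCC.Core.TH14) and SEC.SLAM.CM (SEC.SLAM.CM.THR01).
#
# Conventions in this file: every string value is quoted (identifiers such as
# "CCC" or "R01" are never left to implicit typing), booleans/ints stay bare,
# and every risk carries an explicit group, severity and rank.
---
title: "Organization Risk Catalog for Cloud and Container Workloads"

metadata:
  id: "org-risk-catalog-001"
  type: "RiskCatalog"
  gemara-version: "1.2.0"
  description: "Risks relevant to cloud and container management; threats linked to CCC Core and SEC.SLAM.CM threat catalog."
  version: "1.0.0"
  author:
    id: "security-team"
    name: "Security Team"
    type: "Human"
  # External catalogs that the threat reference-ids below resolve against.
  mapping-references:
    - id: "CCC"
      title: "Common Cloud Controls Core"
      version: "v2025.10"
      url: "https://github.com/finos/common-cloud-controls/releases"
      description: |
        Foundational repository of reusable security controls, capabilities, and threat models maintained by FINOS.
    - id: "SEC.SLAM.CM"
      title: "Container Management Tool Security Threat Catalog"
      version: "1.0.0"
      description: "Threat catalog from the Threat Assessment Guide (SEC.SLAM.CM)."

groups:
  - id: "infrastructure"
    title: "Infrastructure and Operations"
    description: "Risks related to cloud infrastructure, container platforms, and operational security."
    appetite: "Low"
    max-severity: "High"
  # No risk in this catalog currently references this group (R01 and R02 are
  # both "infrastructure"); it is kept so data-exposure risks have a home.
  - id: "data"
    title: "Data and Privacy"
    description: "Risks related to data exposure, residency, and compliance."
    appetite: "Minimal"
    max-severity: "Low"

risks:
  - id: "R01"
    title: "Older or Compromised Container Images in Use"
    description: "Mutable image tags or lack of verification can lead to pulling stale or compromised images, increasing supply chain and runtime risk."
    group: "infrastructure"
    severity: "High"
    rank: 2
    impact: "Supply chain compromise, unauthorized code execution, or data exfiltration."
    owner:
      responsible:
        - name: "Platform Engineering"
          affiliation: "Engineering"
      accountable:
        - name: "CISO"
          affiliation: "Security"
    threats:
      - reference-id: "CCC"
        entries:
          - reference-id: "CCC.Core.TH14"
            remarks: "Older Resource Versions are Used"

  - id: "R02"
    title: "Container Image Tampering or Poisoning"
    description: "Images may be tampered with in transit or at rest, or built from poisoned dependencies or build pipelines."
    group: "infrastructure"
    severity: "High"
    rank: 1
    # NOTE(review): R02 records no impact and no owner, while R01 records both.
    # Confirm against riskcatalog.cue whether these fields are required; an
    # unowned High-severity risk has no accountable party for treatment.
    threats:
      # NOTE(review): TH14 ("Older Resource Versions are Used") is reused from
      # R01 here; confirm it is the intended CCC threat for tampering/poisoning
      # rather than only the SEC.SLAM.CM.THR01 mapping below.
      - reference-id: "CCC"
        entries:
          - reference-id: "CCC.Core.TH14"
            remarks: "Older Resource Versions are Used"
      - reference-id: "SEC.SLAM.CM"
        entries:
          - reference-id: "SEC.SLAM.CM.THR01"
            remarks: "Container Image Tampering or Poisoning"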