Risk R-010 - Personal Data Leakage from Identity Directory

| Field | Value |
|---|---|
| Risk ID | R-010 |
| Asset | Identity Platform / LDAP (Type: Information; Owner: Sec) |
| Scenario | S-009 - Personal data leakage |
| Likelihood | 🟧 Medium - lateral movement or misconfigured access may expose personal data |
| Impact | 🟥 High - exposure of PII leads to GDPR violations, reputational damage, and legal consequences |
| Risk Level | 🟥 High |
| Owner | Sec |
| Last Review | 2026-03-08 |
| Next Review | 2026-09-08 |

Associated Controls:
- Encrypt PII at rest and in transit (LDAPS, disk-level encryption).
- Enforce RBAC for all LDAP accounts; restrict access to privileged identities.
- Enable audit logging; forward events to central SIEM for monitoring.
- Conduct regular access reviews and data protection impact assessments (DPIA).
- Apply network segmentation and least-privilege principles.

References:
- ISO 27001 - Control 5.1 Policies for information security.
- ISO 27001 - Control 8.2 Privileged access rights.
- ISO 27001 - Control 8.3 Information access restriction.
- NIST CSF - PR.AC Identity Management, Authentication and Access Control.
- NIST CSF - PR.DS Data Security.
- NIST CSF - DE.CM Continuous Monitoring.
- GDPR - Art. 5 Principles relating to processing of personal data.
- GDPR - Art. 32 Security of processing.
- GDPR - Art. 33 Notification of a personal data breach to the supervisory authority.
- GDPR - Art. 34 Communication of a personal data breach to the data subject.
- EBIOS RM - Analysis of risks related to leakage of personal data and identity information.

Response Actions:
- Containment - Isolate the affected LDAP host, revoke compromised credentials.
- Investigation - Analyze audit logs to determine scope of data exposure.
- Notification - Trigger GDPR breach notification to the supervisory authority within 72 hours; inform affected data subjects if the breach is likely to result in a high risk to them.
- Remediation - Rotate credentials, enforce MFA, review ACLs, and update security policies.