Appendix C: TVM Risk Register Template

| ID | Date Identified | Asset / System | Vulnerability Description | Threat Source | CVE / Ref | Likelihood | Impact | Risk Rating (L×I) | Exploitability | Current Controls | Mitigation Plan | Owner | Target Resolution Date | Status | Comments/Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| TVM-001 | 03/06/2025 | Internal CRM Server | Unpatched Apache Struts vulnerability | External actors | CVE-2024-1234 | High | High | Critical | Easily exploitable | Firewall, EDR | Apply patch, test | IT Ops | 07/06/2025 | Open | Coordinating outage |
| TVM-002 | 03/06/2025 | VPN Gateway | Weak encryption protocol | Nation-state APT | Internal Ref | Medium | High | High | Moderate | IDS/IPS | Upgrade to TLS 1.3 | SecOps | 15/06/2025 | In Progress | Approved change window |
| TVM-003 | 02/06/2025 | HR Cloud Platform | Misconfigured IAM roles | Insider threat | N/A | Medium | Medium | Medium | Hard to detect | Role-based access | Re-audit permissions | HR Tech | 10/06/2025 | Open | Found during IAM audit |

Key Field Descriptions

  • CVE / Ref: Reference to official CVE or internal vulnerability ID

  • Likelihood & Impact: Based on NIST SP 800-30 qualitative scale (e.g., Low, Medium, High)

  • Exploitability: Ease with which the vulnerability could be exploited (Manual/Automated, Known Exploit, etc.)

  • Risk Rating: Multiply Likelihood × Impact, or use a scoring matrix

  • Mitigation Plan: Patch, config change, remove exposure, etc.

  • Status: Open / In Progress / Mitigated / Closed

  • Owner: Assigned remediation owner (individual or team)
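The field descriptions above leave the Likelihood × Impact scoring and the status lifecycle as conventions for the register's maintainer to enforce. The following script is an added example, not part of the template, that encodes those conventions as checks: it derives the Risk Rating from a qualitative matrix, confirms each recorded rating matches it, and flags open items whose Target Resolution Date has passed. The 3×3 matrix, the DD/MM/YYYY date format, the dictionary field names and the three constructed rows (which mirror the sample entries above) are all assumptions made here.

```python
"""Consistency checks for a TVM risk register (added example, not the template's own tooling)."""
from datetime import date, datetime

LEVELS = ("Low", "Medium", "High")
STATUSES = ("Open", "In Progress", "Mitigated", "Closed")
OPEN_STATUSES = ("Open", "In Progress")

# Assumed qualitative scoring matrix in the NIST SP 800-30 style:
# outer key = Likelihood, inner key = Impact. Chosen so that it reproduces
# the ratings recorded in the template's three sample rows.
RISK_MATRIX = {
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "High":   {"Low": "Medium", "Medium": "High",   "High": "Critical"},
}


def risk_rating(likelihood: str, impact: str) -> str:
    """Look up the qualitative Risk Rating for a Likelihood x Impact pair."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"unknown level: {likelihood!r} x {impact!r}")
    return RISK_MATRIX[likelihood][impact]


def parse_date(text: str) -> date:
    """Register dates are DD/MM/YYYY (the template writes 15/06/2025)."""
    return datetime.strptime(text, "%d/%m/%Y").date()


def validate_entry(entry: dict, today: date) -> list:
    """Return a list of findings for one register row; empty means consistent."""
    findings = []
    try:
        expected = risk_rating(entry["likelihood"], entry["impact"])
    except ValueError as exc:
        return [str(exc)]
    if entry["risk_rating"] != expected:
        findings.append(
            f"rating recorded as {entry['risk_rating']} but matrix gives {expected}")
    if entry["status"] not in STATUSES:
        findings.append(f"unknown status {entry['status']!r}")
    if entry["status"] in OPEN_STATUSES:
        if parse_date(entry["target_date"]) < today:
            findings.append(
                f"overdue: target {entry['target_date']} passed, still {entry['status']}")
        if not entry.get("owner"):
            findings.append("no remediation owner assigned")
    return findings


def validate_register(register: list, today_text: str) -> dict:
    """Map each entry ID to its findings, evaluated as of today_text (DD/MM/YYYY)."""
    today = parse_date(today_text)
    return {entry["id"]: validate_entry(entry, today) for entry in register}


# Constructed rows mirroring the template's sample entries (assumed field names).
REGISTER = [
    {"id": "TVM-001", "asset": "Internal CRM Server", "likelihood": "High",
     "impact": "High", "risk_rating": "Critical", "owner": "IT Ops",
     "target_date": "07/06/2025", "status": "Open"},
    {"id": "TVM-002", "asset": "VPN Gateway", "likelihood": "Medium",
     "impact": "High", "risk_rating": "High", "owner": "SecOps",
     "target_date": "15/06/2025", "status": "In Progress"},
    {"id": "TVM-003", "asset": "HR Cloud Platform", "likelihood": "Medium",
     "impact": "Medium", "risk_rating": "Medium", "owner": "HR Tech",
     "target_date": "10/06/2025", "status": "Open"},
]

if __name__ == "__main__":
    # Review the register as of a constructed date after two target dates.
    for item_id, findings in validate_register(REGISTER, "12/06/2025").items():
        print(item_id, findings or "ok")
```

Running the script as of 12/06/2025 reports TVM-001 and TVM-003 as overdue and TVM-002 as consistent. Swapping the matrix for a numeric one (Likelihood × Impact on a 1-3 scale with rating bands) only changes `risk_rating`; the rest of the checks stay the same.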

Last updated