Complete repository of frameworks, playbooks, and assessment resources for cybersecurity consultations focused on antifragile enterprise design. Includes: - Core philosophy and manifest (5 pillars) - 12 modular engagement packages - AI sovereignty and operations frameworks - Zero-budget vulnerability discovery and hardening playbooks - M365 E3 hardening and antifragile project plans - Osquery sovereign discovery platform blueprint - Perimeter scanning capability guide - AI-assisted TVM blueprint for AI-powered adversaries - Vertical specializations: banking, telco, power/utilities - CIS Controls v8 and NIST CSF 2.0 mappings - Risk registers and assessment templates - C-suite conversation guide and business case templates
171 lines
14 KiB
Markdown
# M365 Project Risk Register
> *"Most M365 projects fail not because Teams does not work, but because governance was an afterthought and the tenant became an ungovernable monoculture."*
This risk register applies the antifragile risk methodology specifically to Microsoft 365 projects—greenfield deployments, tenant modernisations, migrations, and consolidations. It is designed for M365/Azure consultancies to identify, classify, and mitigate project-specific risks before they become tenant-wide liabilities.
---
## M365-Specific Risk Taxonomy
### Category 1: Identity and Access Risks

| Risk ID | Risk Name | Description | T0/T1/T2 | Kill Chain | Antifragile Move | Owner |
|---------|-----------|-------------|----------|-----------|-----------------|-------|
| M365-001 | Excessive Global Admins | More than 3-5 Global Admins with standing access | T0 | Compromise any admin → full tenant control → data exfiltration / deletion | Reduce to minimum; deploy PIM; use delegated roles | Identity Team |
| M365-002 | No MFA on Admin Accounts | Admin accounts lack multi-factor authentication | T0 | Phish password → direct tenant access → no second factor to stop | Enforce MFA for all admins; hardware tokens for break-glass | Security |
| M365-003 | Legacy Authentication Enabled | Legacy auth protocols allow MFA bypass | T1 | Password spray via IMAP/POP3/SMTP → account access without MFA | Block legacy auth tenant-wide; monitor for attempts | Security |
| M365-004 | Stale Guest Accounts | Former partners/vendors retain guest access indefinitely | T1 | Stale guest → credential compromise → Teams/SharePoint access | Quarterly guest access review; time-bounded invitations | Collaboration Team |
| M365-005 | Unmanaged OAuth Consents | Users granted permissions to unauthorized applications | T1 | Malicious app → mailbox access / data exfiltration / phishing | Disable user consent; admin consent workflow; quarterly audit | Security |
| M365-006 | Shared Mailboxes with Login | Shared mailboxes configured with user passwords and sign-in enabled | T2 | Shared credential compromise → email access → BEC / data theft | Disable sign-in on shared mailboxes; convert to proper delegation | Exchange Team |
| M365-007 | No Conditional Access (E5/P1) | Missing location, device, or risk-based access controls | T1 | Compromised credentials usable from any device, any location | Deploy conditional access: MFA, device compliance, location, risk | Identity Team |
| M365-008 | Hybrid Identity Stuck | AAD Connect configured with no plan to migrate to cloud-native | T1 | AAD Connect compromise → cloud identity manipulation → tenant takeover | Document cloud-native migration path; secure AAD Connect server | Identity Team |

### Category 2: Data Governance Risks

| Risk ID | Risk Name | Description | T0/T1/T2 | Kill Chain | Antifragile Move | Owner |
|---------|-----------|-------------|----------|-----------|-----------------|-------|
| M365-009 | No Data Classification | Documents and emails stored without sensitivity labels | T1 | Proprietary/confidential data mixed with public data → uncontrolled sharing → leakage | Deploy sensitivity labels (Purview) or manual classification guidance | Compliance |
| M365-010 | Open External Sharing | SharePoint/OneDrive default allows anyone-links or external sharing | T1 | Accidental or malicious public link → data exposure → regulatory fine / reputational damage | Default sharing: internal only; anyone-links disabled; per-site justification | SharePoint Team |
| M365-011 | No Retention Policy | No defined retention for email, Teams, or files; data accumulates indefinitely | T2 | Excessive data → discovery cost → compliance failure → inability to respond to legal hold | Deploy retention policies for all workloads; legal hold procedures | Compliance |
| M365-012 | Teams Channel Sprawl | Uncontrolled team creation; stale teams with sensitive data | T2 | Stale team with external access → forgotten but accessible → data leakage | Governed team creation; expiration policies; access reviews | Collaboration Team |
| M365-013 | OneDrive as Shadow IT | Users store business-critical data in personal OneDrive without backup | T1 | User departure / account deletion → data loss; no organizational recovery | Migrate business data to SharePoint; backup strategy; user education | SharePoint Team |
| M365-014 | Copilot Without Governance | Microsoft 365 Copilot deployed without data governance baseline | T0 | Copilot surfaces sensitive data to unauthorized users → internal data breach | Deploy sensitivity labels BEFORE Copilot; conditional access; user training | Security / Compliance |
| M365-015 | eDiscovery Unprepared | No eDiscovery processes, legal hold capability, or retention for litigation | T2 | Litigation → inability to produce documents → adverse inference / sanctions | eDiscovery training; retention hold procedures; Purview eDiscovery licensing | Legal / Compliance |

### Category 3: Security and Threat Risks

| Risk ID | Risk Name | Description | T0/T1/T2 | Kill Chain | Antifragile Move | Owner |
|---------|-----------|-------------|----------|-----------|-----------------|-------|
| M365-016 | Business Email Compromise (BEC) | Executive mailbox compromised; fraudulent payment instructions sent | T1 | Phish executive → mailbox control → invoice fraud / wire transfer | Impersonation protection; mailbox auditing; MFA; financial process verification | Security |
| M365-017 | EOP Misconfiguration | Basic Exchange Online Protection not tuned for client's threat profile | T1 | Phishing email reaches inbox → user compromise → lateral movement | Tune anti-phishing, anti-malware, anti-spam; impersonation protection | Security |
| M365-018 | No Audit Logging | Unified Audit Log disabled or unmonitored | T1 | Incident occurs → no forensic evidence → cannot determine scope or contain | Enable UAL immediately; forward to SIEM; 90-day minimum retention | Security |
| M365-019 | Device Unmanaged | Corporate devices accessing M365 without MDM or compliance policy | T1 | Compromised personal device → M365 access → data exfiltration | Intune enrollment; conditional access requiring compliance | Endpoint Team |
| M365-020 | No Backup Beyond Native | Reliance on recycle bin and soft delete as "backup" | T1 | Ransomware / malicious admin / sync error → data loss → no recovery | Third-party immutable backup; quarterly recovery testing | Backup Team |

### Category 4: AI and Emerging Technology Risks

| Risk ID | Risk Name | Description | T0/T1/T2 | Kill Chain | Antifragile Move | Owner |
|---------|-----------|-------------|----------|-----------|-----------------|-------|
| M365-021 | Shadow AI via M365 Apps | Employees paste proprietary data into Copilot, Bing, or third-party AI through browser | T0 | Proprietary data → public AI model → competitive intelligence loss | Deploy Azure OpenAI bridge; DLP policies blocking AI uploads; user education | Security |
| M365-022 | Copilot Data Overexposure | Copilot synthesizes and surfaces data the user should not have access to | T1 | Overpermissioned user → Copilot reveals sensitive synthesis → internal breach | Zero-trust permissions review; sensitivity labels; just-in-time access | Security |
| M365-023 | AI-Generated Misinformation | Users make business decisions based on unverified AI-generated content | T2 | AI hallucination → bad decision → financial loss / compliance failure | Human-in-the-loop for critical decisions; source attribution requirements; user training | Compliance |
| M365-024 | No AI Governance Policy | Organization has no policy for approved AI tools, data handling, or vendor evaluation | T1 | Uncontrolled AI adoption → data leakage → regulatory / legal exposure | AI governance framework; approved tool list; data classification for AI inputs | Security / Legal |

### Category 5: Project and Organizational Risks

| Risk ID | Risk Name | Description | T0/T1/T2 | Kill Chain | Antifragile Move | Owner |
|---------|-----------|-------------|----------|-----------|-----------------|-------|
| M365-025 | Tenant as Monoculture | All data, identity, and collaboration in one tenant with no exit architecture | T0 | Tenant compromise / lockout / vendor change → total organizational paralysis | Domain ownership by client; data portability architecture; documented tenant exit | Architecture |
| M365-026 | Scope Creep Without Governance | Workloads deployed incrementally without security review | T2 | New app/service → unmapped risk → incident | Governance gate before new workload; security review checklist | Project Manager |
| M365-027 | Insufficient Admin Training | Client team lacks skills to operate and secure the tenant post-handover | T2 | Misconfiguration → vulnerability → incident | Structured training program; runbook documentation; knowledge transfer sessions | Training |
| M365-028 | Power Platform Shadow IT | Citizen developers create apps and flows with ungoverned data access | T1 | Unmanaged flow → external data sharing / credential exposure → breach | DLP policies; environment governance; citizen developer training | Power Platform Team |
| M365-029 | Migration Data Loss | Legacy data lost or corrupted during migration to M365 | T1 | Corrupted migration → missing records → compliance / operational failure | Pre-migration backup; validation sampling; rollback plan | Migration Team |
| M365-030 | Vendor Lock-in via Add-ons | Heavy reliance on third-party M365 add-ins that create dependency | T2 | Add-on vendor discontinues / changes terms → workflow collapse | Evaluate add-ons for portability; maintain native fallback; contractual exit clauses | Procurement |

---
## Risk Scoring for M365 Projects
### Probability Scale

| Score | Definition | M365 Example |
|-------|-----------|--------------|
| 1 | Rare (< 1% annually) | Total Azure region failure |
| 2 | Unlikely (1-10%) | Major zero-day in Exchange Online |
| 3 | Possible (10-50%) | Successful phishing campaign against users |
| 4 | Likely (50-90%) | Stale guest account remains accessible |
| 5 | Almost certain (> 90%) | Shadow AI usage if no sanctioned alternative |

### Impact Scale

| Score | Definition | M365 Example |
|-------|-----------|--------------|
| 1 | Negligible | Minor inconvenience; no data loss |
| 2 | Minor | Single user/service affected; recoverable in hours |
| 3 | Moderate | Departmental impact; recoverable in days; potential compliance notice |
| 4 | Major | Organizational impact; recoverable in weeks; regulatory fine likely |
| 5 | Catastrophic | Existential threat; business termination possible; criminal liability |

### M365-Specific Convexity Assessment

| Convexity | Definition | M365 Example |
|-----------|-----------|--------------|
| **Extreme** | €0 control prevents €500K+ loss | Enabling MFA (free in E3) prevents total tenant compromise |
| **High** | Small labor investment prevents major incident | Quarterly guest access review prevents data breach via stale account |
| **Moderate** | Moderate investment prevents significant loss | Third-party backup prevents data loss from ransomware |
| **Low** | Investment comparable to potential loss | Advanced threat protection add-on vs. basic EOP |

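A worked scoring example, added here and not part of the original register: it combines the probability and impact scales above into a single score, assigns a reporting band, and orders risks by convexity so that cheap, high-payoff controls surface first. The product rule, the band thresholds, and the sample probability, impact and convexity values are assumptions; the risk IDs, names and tiers are taken from the register tables.

```python
"""Scoring and prioritising entries of the M365 risk register.

Added example; not part of the original register. Assumptions:
- score = probability x impact on the two 1-5 scales (the register gives the
  scales but not the combining rule; the product is the conventional choice).
- The severity bands (Critical/High/Medium/Low) and their thresholds are assumed.
- Convexity ranks Extreme > High > Moderate > Low and is the primary sort key,
  so cheap controls that avert large losses surface first.
- Probability, impact and convexity values in SAMPLE_REGISTER are constructed.
"""
from dataclasses import dataclass

CONVEXITY_RANK = {"Extreme": 0, "High": 1, "Moderate": 2, "Low": 3}
TIER_RANK = {"T0": 0, "T1": 1, "T2": 2}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    name: str
    tier: str          # T0 / T1 / T2 as assigned in the register
    probability: int   # 1 = rare (<1%/yr) ... 5 = almost certain (>90%)
    impact: int        # 1 = negligible ... 5 = catastrophic
    convexity: str     # Extreme / High / Moderate / Low

    def __post_init__(self) -> None:
        # Refuse values outside the register's scales rather than score garbage.
        if not (1 <= self.probability <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.risk_id}: probability and impact must be 1-5")
        if self.tier not in TIER_RANK or self.convexity not in CONVEXITY_RANK:
            raise ValueError(f"{self.risk_id}: unknown tier or convexity")

    @property
    def score(self) -> int:
        return self.probability * self.impact


def severity_band(score: int) -> str:
    """Map a 1-25 score to a reporting band (thresholds are an assumption)."""
    if score >= 15:
        return "Critical"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def prioritise(risks):
    """Steering-committee order: convexity first, then score, then tier (T0 first)."""
    return sorted(risks, key=lambda r: (CONVEXITY_RANK[r.convexity], -r.score, TIER_RANK[r.tier]))


# Constructed sample: IDs, names and tiers from the register; P/I/convexity invented.
SAMPLE_REGISTER = [
    Risk("M365-002", "No MFA on Admin Accounts", "T0", 4, 5, "Extreme"),
    Risk("M365-004", "Stale Guest Accounts", "T1", 4, 3, "High"),
    Risk("M365-017", "EOP Misconfiguration", "T1", 3, 3, "Low"),
    Risk("M365-020", "No Backup Beyond Native", "T1", 3, 4, "Moderate"),
    Risk("M365-021", "Shadow AI via M365 Apps", "T0", 5, 4, "High"),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r.risk_id} {r.name:<28} {r.tier} P{r.probability}xI{r.impact}={r.score:>2} "
              f"{severity_band(r.score):<8} convexity={r.convexity}")
```

Sorting on convexity before raw score is deliberate: two risks with the same score are not equally urgent when one is closed by a free tenant setting and the other needs a licensed add-on, and the steering committee should see the free win first.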
---
## Project Phase Risk Gates
### Greenfield Deployment Gates

| Phase | Gate | Risk Closure Requirement |
|-------|------|-------------------------|
| **Architecture** | Go/No-Go before provisioning | M365-025 (tenant monoculture) assessed and mitigated; M365-030 (add-on lock-in) evaluated |
| **Foundation** | Go/No-Go before user onboarding | M365-001 (excessive admins), M365-002 (no MFA), M365-018 (no audit) closed |
| **Workload Rollout** | Go/No-Go per workload | M365-009 (no classification), M365-010 (open sharing), M365-028 (Power Platform) addressed |
| **Go-Live** | Go/No-Go before production | M365-016 (BEC), M365-017 (EOP), M365-020 (no backup) mitigated; M365-027 (training) completed |
| **30-Day Post** | Review | M365-021 (shadow AI) inventoried; M365-024 (AI governance) drafted |

### Modernisation Gates

| Phase | Gate | Risk Closure Requirement |
|-------|------|-------------------------|
| **Audit** | Complete before changes | All 30 risks assessed; T0 and T1 risks prioritized |
| **Kill Chain Closure** | Day 30 checkpoint | All T0 risks closed or accepted with board sign-off |
| **Governance Deployment** | Day 60 checkpoint | All T1 identity and data risks closed |
| **Sovereignty** | Day 90 checkpoint | M365-021 (shadow AI) mitigated via sanctioned alternative; M365-020 (backup) tested |
| **Antifragility** | Day 180 checkpoint | Automated monitoring for M365-003, M365-005, M365-010; quarterly review cadence established |

---
## The M365 Risk Dashboard (For Steering Committee)

```
M365 PROJECT RISK DASHBOARD — [Client] — [Date]

T0 RISKS (Existential)
├─ Open: [X] ├─ In Progress: [X] └─ Closed: [X]
├─ [Risk ID] [Name] — Owner: [Name] — Target: [Date]
└─ [Risk ID] [Name] — Owner: [Name] — Target: [Date]

T1 RISKS (Major)
├─ Open: [X] ├─ In Progress: [X] └─ Closed: [X]
├─ [Risk ID] [Name] — Owner: [Name] — Target: [Date]
└─ [Risk ID] [Name] — Owner: [Name] — Target: [Date]

IDENTITY & ACCESS        [████░░░░░░] [X]% mitigated
DATA GOVERNANCE          [██████░░░░] [X]% mitigated
SECURITY & THREATS       [█████░░░░░] [X]% mitigated
AI & EMERGING TECH       [███░░░░░░░] [X]% mitigated
PROJECT & ORGANIZATIONAL [███████░░░] [X]% mitigated

TOP 3 RISKS REQUIRING ESCALATION
1. [Risk ID] — [Reason for escalation]
2. [Risk ID] — [Reason for escalation]
3. [Risk ID] — [Reason for escalation]

RECOMMENDATION: [Proceed / Pause / Escalate]
```

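The dashboard above can be generated from the register rather than filled in by hand, which also keeps the Go/No-Go decision tied to the phase gates instead of to opinion. The following is an added example, not code from the original playbook: it evaluates the Greenfield Deployment Gates, counts risks per tier, computes each category's mitigated percentage, lists the top escalations, and derives the Proceed/Pause/Escalate recommendation. The gate pass rule, the recommendation rule, and the sample statuses and owners are assumptions; risk IDs, categories and tiers come from the register tables.

```python
"""Phase-gate evaluation and steering-committee dashboard for the register.

Added example, not part of the original register. Assumed: a gate passes only when
every risk listed for it in the Greenfield Deployment Gates table is closed (status
Closed, or Accepted with board sign-off, the Day 30 rule for T0 risks); recommendation
is Escalate if a T0 risk blocks the gate, Pause if only lower tiers block, else Proceed.
SAMPLE_REGISTER statuses/owners are constructed; IDs, categories, tiers are the page's.
"""
from dataclasses import dataclass

TIER_RANK = {"T0": 0, "T1": 1, "T2": 2}
CATEGORY_LABEL = {"identity": "IDENTITY & ACCESS", "data": "DATA GOVERNANCE",
                  "security": "SECURITY & THREATS", "ai": "AI & EMERGING TECH",
                  "project": "PROJECT & ORGANIZATIONAL"}
GREENFIELD_GATES = {
    "Architecture": ["M365-025", "M365-030"],
    "Foundation": ["M365-001", "M365-002", "M365-018"],
    "Workload Rollout": ["M365-009", "M365-010", "M365-028"],
    "Go-Live": ["M365-016", "M365-017", "M365-020", "M365-027"],
}

@dataclass(frozen=True)
class Entry:
    risk_id: str
    category: str        # key of CATEGORY_LABEL
    tier: str            # T0 / T1 / T2
    status: str          # Open / In Progress / Closed / Accepted
    owner: str = "TBD"
    board_signoff: bool = False

    def is_closed(self):
        # An accepted risk only counts as closed once the board has signed off.
        return self.status == "Closed" or (self.status == "Accepted" and self.board_signoff)

def evaluate_gate(register, gate):
    """Risk IDs that block the gate, in table order; an empty list means Go."""
    by_id = {e.risk_id: e for e in register}
    # A required risk missing from the register blocks too: unassessed is not closed.
    return [rid for rid in GREENFIELD_GATES[gate] if rid not in by_id or not by_id[rid].is_closed()]

def recommendation(register, gate):
    blocking = evaluate_gate(register, gate)
    if not blocking:
        return "Proceed"
    by_id = {e.risk_id: e for e in register}
    return "Escalate" if any(r in by_id and by_id[r].tier == "T0" for r in blocking) else "Pause"

def tier_counts(register, tier):
    counts = {"Open": 0, "In Progress": 0, "Closed": 0}
    for e in (e for e in register if e.tier == tier):
        key = "Closed" if e.is_closed() else "In Progress" if e.status == "In Progress" else "Open"
        counts[key] += 1  # Accepted without sign-off stays Open
    return counts

def category_mitigation(register):
    """Percent of each category's risks closed (0 when the category is empty)."""
    pct = {}
    for cat in CATEGORY_LABEL:
        entries = [e for e in register if e.category == cat]
        pct[cat] = round(100 * sum(e.is_closed() for e in entries) / len(entries)) if entries else 0
    return pct

def bar(pct):
    filled = round(pct / 10)
    return "[" + "█" * filled + "░" * (10 - filled) + "]"

def escalations(register, limit=3):
    """Unclosed risks, most existential first."""
    pending = [e for e in register if not e.is_closed()]
    return sorted(pending, key=lambda e: (TIER_RANK[e.tier], e.risk_id))[:limit]

def render_dashboard(register, gate, client, date):
    lines = [f"M365 PROJECT RISK DASHBOARD - {client} - {date}", ""]
    for tier, label in (("T0", "Existential"), ("T1", "Major")):
        c = tier_counts(register, tier)
        lines.append(f"{tier} RISKS ({label})")
        lines.append(f"├─ Open: {c['Open']} ├─ In Progress: {c['In Progress']} └─ Closed: {c['Closed']}")
        lines += [f"├─ {e.risk_id} - Owner: {e.owner} - Status: {e.status}"
                  for e in register if e.tier == tier and not e.is_closed()] + [""]
    for cat, pct in category_mitigation(register).items():
        lines.append(f"{CATEGORY_LABEL[cat]:<26}{bar(pct)} {pct}% mitigated")
    lines += ["", "TOP RISKS REQUIRING ESCALATION"] + [
        f"{i}. {e.risk_id} - {e.tier} still {e.status}" for i, e in enumerate(escalations(register), 1)]
    lines += ["", f"RECOMMENDATION: {recommendation(register, gate)} ({gate} gate)"]
    return "\n".join(lines)

# Constructed sample: IDs/categories/tiers from the tables, statuses and owners invented.
SAMPLE_REGISTER = [
    Entry("M365-001", "identity", "T0", "Closed", "Identity Team"),
    Entry("M365-002", "identity", "T0", "Open", "Security"),
    Entry("M365-009", "data", "T1", "Open", "Compliance"),
    Entry("M365-014", "ai", "T0", "Open", "Security / Compliance"),
    Entry("M365-018", "security", "T1", "In Progress", "Security"),
    Entry("M365-025", "project", "T0", "Accepted", "Architecture", board_signoff=True),
    Entry("M365-028", "project", "T1", "Open", "Power Platform Team"),
    Entry("M365-030", "project", "T2", "Closed", "Procurement"),
]

if __name__ == "__main__":
    print(render_dashboard(SAMPLE_REGISTER, "Foundation", "Example Client", "2025-01-01"))
```

Running it prints the Foundation-gate dashboard for the sample register, which comes out as Escalate because M365-002 (a T0 risk) is still open. A risk that a gate requires but that is absent from the register is treated as blocking on purpose: an unassessed risk is not a closed one, and silently passing the gate in that case is exactly the "governance as an afterthought" failure the register is meant to prevent.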
---
## Integration With Project Deliverables

| Deliverable | Risk Register Integration |
|------------|--------------------------|
| **Project charter** | Include T0 risk identification as success criterion |
| **Architecture document** | Map each design decision to risk mitigation |
| **Configuration baselines** | Reference risk IDs in change justification |
| **Test plan** | Include recovery drills for M365-020; penetration testing for M365-016 |
| **Training plan** | Address M365-027; include AI governance for M365-024 |
| **Handover document** | Transfer risk ownership to client team with review cadence |

---
*For the general antifragile risk register methodology, see [Antifragile Risk Register](antifragile-risk-register.md).*
*For the M365 antifragile project playbook, see [M365 Antifragile Project](../playbooks/m365-antifragile-project.md).*