Level 2 – Plains of Risk & Inventory

Level 2 Progress:
🔹🔹🔹⬜⬜⬜⬜⬜⬜⬜

📖 Field Notes

🧙‍♀️ Journal Entry – Day 17: The Whispering Tallgrass
You emerge from the forest canopy into a golden plain — vast, open, and unsettlingly quiet. The stillness is deceiving. The grass ripples not with wind, but as though something unseen stalks beneath the surface.
You kneel and sift through the soil, uncovering fragments: a shattered encryption token, a rusted key card, a badge that no longer pings. Each relic tells a story of access once granted and now forgotten. The landscape is dotted with dormant servers and ghost assets, each humming softly with neglected power.
This is the Plains of Risk & Inventory, where what you fail to track will, in time, begin to track you.
The deeper you walk, the stranger the terrain becomes. Shadows flit behind old terminal racks and cracked endpoint shells. Phantom risks loom in the distance — some real, some imagined — but all dangerous in the absence of clarity. There are no dragons here, no grand threats to battle. Just slow rot, quiet exposure, and doors left unintentionally ajar.
Awareness is your only weapon now. You must map the terrain, name each shadow, and give form to every asset under your domain. You begin to understand the stakes: a single forgotten laptop, an unlabeled S3 bucket, a rogue access token — each one a spark waiting to ignite.
Here in the Plains, there is no room for guessing. Everything must be accounted for.

🧠 Dungeon Purpose

The Plains of Risk & Inventory is your central zone for visibility and prioritization. The enemy of GRC isn’t always negligence—it’s often assumption.
This level focuses on:
- Creating or validating an up-to-date asset inventory
- Conducting risk assessments or threat modeling
- Mapping assets to controls or frameworks
- Logging known vulnerabilities, exposures, or third-party risks
- Prioritizing remediation based on impact and likelihood
This stage is essential for understanding where your attention is needed and what could go wrong if left unchecked.
In fantasy terms: this is the zone where a general surveys the battlefield and prepares for siege.

📜 Quest Log

| Status | Quest Name | Description | Assigned Class | Assigned To | Completion Date | Complete? |
| --- | --- | --- | --- | --- | --- | --- |
| | Conduct Asset Inventory (Hardware & Software) | Map all magical items and cursed relics (aka devices and applications) under your domain. If it connects, it gets cataloged. | | | | Complete ✅ |
| | Draft Data Classification Policy | Define the types of data that flow through your kingdom—public, internal, confidential, restricted—and how each should be handled, protected, and enchanted. This quest ensures every scroll, crystal, and magical message receives the correct level of protection across the realm. | | | | Complete ✅ |
| | Create Risk Register with Top 10 Risks | Chronicle the most fearsome threats facing the realm—from phishing banshees to shadow IT spirits—and assign them risk ratings. | | | | Complete ✅ |
| | Review Vendor Data Processing Agreement (DPA) | Examine the DPA terms for privacy, security, and compliance obligations. Identify any gaps in vendor alignment with your control environment. | | | | Complete ✅ |
| | Run First Risk Assessment Workshop | Gather the Council of Stakeholders to assess and align on top risks. May require coffee and charisma modifiers. | | | | Complete ✅ |
| | Tag Crown Jewels (Critical Data/Systems) | Identify the realm’s most precious data vaults and enchanted systems. These require the strongest wards and attention. | | | | 🎉 DONE! 🎉 |
| | Define Risk Appetite & Scoring Methodology | Determine how much peril the kingdom is willing to tolerate before raising shields. Standardize how risk is scored across domains. | | | | 🎉 DONE! 🎉 |