Organizations that create, receive, transmit or store confidential information assets, whether electronically or in hard copy, should conduct formal risk assessments on a regular basis. A risk assessment is the process by which an organization determines what information assets exist and what level of protection each warrants, based on the potential risks to that information’s confidentiality, integrity or availability.
The objective of a risk assessment is to help management set strategies for resource allocation and plans for implementing security controls. Risk Based Security’s risk assessment model identifies the true risks to an organization’s most valuable assets and directs spending where it is needed most, so that the security program matches the actual risk rather than a generic checklist.
Risk Based Security clients distinguish themselves by implementing a risk based security program that identifies their own risks and protects their assets while also fulfilling compliance requirements.
Summary of Risk Assessment Methodology
Risk Based Security’s information security risk assessment methodology is based on the guidelines found in ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements; NIST SP 800-30, Risk Management Guide for Information Technology Systems; and BS 7799-3:2006, Information security management systems – Guidelines for information security risk management.
Once the risk assessment scope is defined, the most valuable information assets are identified and rated by the potential impact to the business if the asset’s Confidentiality, Integrity or Availability were breached. Through a series of data gathering techniques, including Risk Based Security’s dashboards and analytics, the most likely threats to those assets are defined and used to focus the assessment questionnaires, interviews and tests. The organization’s observed vulnerabilities to those threats, taking existing security controls into account, are then assessed and a detailed risk analysis is performed. Each risk is scored from the likelihood that the threat succeeds against the current controls and the impact of the resulting breach, so that risks can be compared on a common scale.
At this point in the risk assessment process, Risk Based Security recommends completing a Gap Analysis to determine the organization’s compliance with the applicable regulations, laws and security standards.
A risk treatment recommendation and a Security Improvement Plan are defined for each risk and each gap identified, and implementation of the risk treatment plan is prioritized by risk score, highest first. Our goal is to reduce your organization’s risks to an acceptable level.
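The following is an added worked example of the scoring and prioritization step described above. It is illustrative code written for this page, not Risk Based Security’s own tooling, and the assets, threats and gap references in it are constructed for the example. The three-level likelihood and impact scales and the risk-level bands are assumptions modelled on the qualitative tables in the 2002 edition of NIST SP 800-30; an engagement would substitute the scales agreed with the client.

```python
"""Added example: a minimal risk register that scores each asset/threat pair
(likelihood x impact), folds in findings from the gap analysis, and orders the
resulting treatment plan by risk score, highest first.
Not Risk Based Security's tooling; scales and sample data are assumptions."""
from dataclasses import dataclass

# Assumed three-level scales, after the 2002 NIST SP 800-30 tables:
# likelihood High/Medium/Low -> 1.0/0.5/0.1, impact High/Medium/Low -> 100/50/10.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}
RATING_ORDER = {"Low": 0, "Medium": 1, "High": 2}


@dataclass(frozen=True)
class Asset:
    """An information asset with the business impact of a breach of each of C, I and A."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impact_rating(self) -> str:
        # The asset's value is driven by whichever of C, I or A hurts most if breached.
        return max((self.confidentiality, self.integrity, self.availability),
                   key=lambda rating: RATING_ORDER[rating])


@dataclass(frozen=True)
class Threat:
    """A threat to an asset, with the likelihood that it succeeds given the
    controls observed during the assessment (i.e. residual, not inherent)."""
    asset: Asset
    description: str
    likelihood: str
    gap: str = ""  # regulation/standard clause found unmet in the gap analysis, if any


def risk_score(threat: Threat) -> float:
    """Risk = likelihood x impact, the SP 800-30 style risk-level matrix."""
    return round(LIKELIHOOD[threat.likelihood] * IMPACT[threat.asset.impact_rating()], 2)


def risk_level(score: float) -> str:
    # Assumed bands after the 2002 SP 800-30 matrix: >50 High, >10 to 50 Medium, <=10 Low.
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def treatment_plan(threats, acceptable_level: str = "Low"):
    """Return (score, level, treatment, threat) rows, highest score first.
    Risks above the acceptable level are mitigated; the rest are accepted with
    management sign-off. A threat tied to a compliance gap is always mitigated,
    because the gap is an obligation regardless of its risk score."""
    plan = []
    for threat in threats:
        score = risk_score(threat)
        level = risk_level(score)
        if threat.gap:
            treatment = f"Mitigate (closes gap: {threat.gap})"
        elif RATING_ORDER[level] > RATING_ORDER[acceptable_level]:
            treatment = "Mitigate"
        else:
            treatment = "Accept"
        plan.append((score, level, treatment, threat))
    # Highest risk scores first, so the Security Improvement Plan is worked in priority order.
    plan.sort(key=lambda row: row[0], reverse=True)
    return plan


# Constructed sample register for the example (not real client data).
CUSTOMER_DB = Asset("Customer database", "High", "High", "Medium")
INTRANET = Asset("Intranet wiki", "Low", "Medium", "Low")
SAMPLE_THREATS = [
    Threat(CUSTOMER_DB, "SQL injection via public web app", "Medium", gap="PCI DSS 6.5"),
    Threat(CUSTOMER_DB, "Backup tapes lost in transit", "Low"),
    Threat(INTRANET, "Defacement by an insider", "Low"),
]

if __name__ == "__main__":
    for score, level, treatment, threat in treatment_plan(SAMPLE_THREATS):
        print(f"{score:6.1f} {level:6} {treatment:32} {threat.asset.name}: {threat.description}")
```

Run as a script, the register prints the customer database SQL injection risk first (score 50, Medium, mitigated because it also closes a compliance gap), then the two Low risks, which are accepted under a Low acceptable level. Raising or lowering the `acceptable_level` argument is how the client's risk appetite changes what the plan treats.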