Why Risk Assessment?
A risk assessment determines what types of controls are required to protect assets and resources (physical locations, networks/servers, staff, etc.) from threats, allowing your organization to reduce exposure and stay within an acceptable "risk tolerance".
The risk assessment process evaluates the likelihood and potential damage of identified threats, measures the individual risk level of each asset as it relates to Confidentiality, Integrity and Availability (CIA), and then gauges the effectiveness of existing controls in limiting the organization's exposure to that risk. The results help the organization identify which assets are the most critical, provide a basis for prioritization and recommend a course for remediation.
The risk assessment encompasses provisions that address both internal and external threats and answers the following questions:
- What can go wrong?
- How can it go wrong?
- What is the potential impact?
- What preventive steps can be taken to reduce the risk?
The Compliance Overview
Financial institutions, healthcare providers, government agencies, insurance companies, educational institutions and other organizations that are subject to strict compliance standards have a responsibility to implement and maintain a formal risk assessment process to identify and evaluate risks.
Information security compliance regulations and guidelines (FDIC, FFIEC, GLBA, HIPAA, HITECH, NCUA, OCC, PCI DSS, etc.) require an organization to conduct regular risk assessments in order to identify reasonably foreseeable risks that – if left unchecked – could lead to service interruption or unauthorized disclosure, misuse, alteration, or destruction of confidential information.
DOISS’s information security risk assessments follow standard methodologies designed to meet all regulatory requirements and best-practice guidelines.
Our experts closely scrutinize your organization's controls, vulnerabilities, threat vectors, asset information, and loss expectancies. Each individual risk is then analyzed and compared against the other identified risks, enabling the organization to prioritize remediation efforts and preempt the losses to which it is most exposed.
In addition to providing the most thorough, objective, and easy-to-read risk assessment available, our risk assessment methodology offers significant advantages if you are in a highly regulated industry. Advantages include:
- Based on NIST 800-30
- Customizable assessments based on your organization’s specific needs and compliance requirements
- Dynamic integration with your audit program
- Informed by regulatory requirements and industry standards
- Streamlined development of a standard and repeatable compliance process to help you achieve and maintain an ongoing risk-based information security program
- The ability to generate standardized, easy-to-understand reports for examiners, management and board members
Key service activities include:
- Data gathering (based on interviews and documentation)
  - Identify key personnel
  - Identify and collect key documentation
- Based on the data gathered, the analyst performs:
  - Asset Group Analysis
    - Asset group mission factor weighting classification
    - Asset group sensitivity classification based on Confidentiality, Integrity, and Availability
  - Threat Analysis
    - Threat mapping
    - Probability analysis
    - Impact analysis
    - Risk assignment
  - Control Analysis
    - Control mapping
    - Implementation analysis
  - Risk Analysis
- Report Briefing
The Risk Assessment results are provided in an extensive report containing:
- Project overview
- Risk assessment methodology
- Executive summary
- Detailed risk analysis by asset group
- Control group summary
- Information security policy analysis
- Recommended action plan
Automation of the risk management process includes:
- Asset group analysis – Identifies core assets and assigns a level of criticality to each asset in the areas of CIA
- Threat analysis – Identifies all relevant threats, evaluates each threat to determine which assets are affected, then assigns a level of criticality to each asset in the areas of CIA
- Control analysis – Identifies safeguards that can be used to protect each asset, assigns values to each control in terms of how it protects against specified threats
- Risk assessment reporting – Automatically associates and calculates data to produce a detailed risk assessment report
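As an added worked example (not DOISS's tool or its scoring model), the following Python shows how the asset, threat and control analyses listed above can be combined into a ranked residual-risk list in the NIST SP 800-30 style; the 1-5 ordinal scales, the multiplicative control model and the sample asset, threat and control data are all constructed assumptions:

```python
# Added example, not DOISS's tool: NIST SP 800-30 style risk scoring over the
# steps listed above. All scales (1-5), weights and sample data are constructed.
from dataclasses import dataclass

@dataclass
class AssetGroup:
    name: str
    cia: dict             # {"C","I","A"} -> 1-5 sensitivity classification
    mission_weight: float # 0.0-1.0 mission-factor weighting

@dataclass
class Threat:
    name: str
    probability: int      # 1-5 likelihood from probability analysis
    impact: dict          # {"C","I","A"} -> 1-5 damage if the threat is realized
    affects: list         # asset group names from threat mapping

@dataclass
class Control:
    name: str
    mitigates: str        # threat name from control mapping
    effectiveness: float  # 0.0-1.0 from implementation analysis

def inherent_risk(asset, threat):
    """Worst CIA dimension (sensitivity x impact) x probability x mission weight."""
    worst = max(asset.cia[d] * threat.impact[d] for d in "CIA")
    return worst * threat.probability * asset.mission_weight

def residual_risk(asset, threat, controls):
    """Each mapped control leaves (1 - effectiveness) of the risk in place."""
    remaining = 1.0
    for c in controls:
        if c.mitigates == threat.name:
            remaining *= 1.0 - c.effectiveness
    return inherent_risk(asset, threat) * remaining

def rank_risks(assets, threats, controls):
    """(asset, threat, inherent, residual) rows, highest residual risk first."""
    rows = []
    for t in threats:
        for a in assets:
            if a.name in t.affects:
                rows.append((a.name, t.name, inherent_risk(a, t),
                             residual_risk(a, t, controls)))
    return sorted(rows, key=lambda r: r[3], reverse=True)

# Constructed sample data: two asset groups, two threats, two controls.
ASSETS = [AssetGroup("Core banking DB", {"C": 5, "I": 5, "A": 4}, 1.0),
          AssetGroup("Public website", {"C": 2, "I": 3, "A": 4}, 0.6)]
THREATS = [Threat("Ransomware", 4, {"C": 3, "I": 5, "A": 5}, ["Core banking DB", "Public website"]),
           Threat("Web defacement", 3, {"C": 1, "I": 4, "A": 3}, ["Public website"])]
CONTROLS = [Control("Offline backups", "Ransomware", 0.5), Control("EDR", "Ransomware", 0.4)]
```

With this data the uncontrolled defacement risk on the website outranks the ransomware risk on the same asset once the two mapped controls are applied, which is the kind of prioritization shift the control analysis step is meant to surface.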
Other capabilities include:
- Creation of new assessments using preconfigured templates or existing, customized templates
- Addition of new threats, assets and controls from a centralized repository
- Fully customizable parameters for each
- Includes all major threat types & security controls
- Predefined information for assets
- Predefined severity levels for threats, controls and vulnerabilities
- Ability to revise risk assessments, then track and log each revision
- Summary reports for boards or examiners
- Detailed reporting capabilities with charts & graphs
- Integrated regulation information to aid in compliance