Risk Assessments

A Critical Start Risk Assessment combines multiple security frameworks and regulations to identify the controls that best preserve your ability to prevent business disruption and defend against targeted attacks. Defending against targeted attacks is a matter of capabilities (people, process, and technology), not just products.

The core inputs of our methodology are:

  • Attack phase maturity
    • Initial compromise, lateral movement, data exfiltration, incident detection and response
  • Security Efficiency
    • Control effectiveness, impact to user experience, upfront costs, and ongoing costs
    • Security Efficiency is used to prioritize how to address attack phase maturity gaps
  • Critical assets – likelihood that outside attackers would specifically target your organization
    • Critical assets are viewed from the point of view of third-party value versus business impact
  • Impact of compliance/policies on security resources

An example of a security control used in the framework can be seen in the table below. This approach gives security professionals a provable framework for prioritizing limited budgets and headcount.


Without this approach, organizations tend to procure a lot of products without actually improving their ability to prevent, detect, and respond to attacks. We are often asked what can be done right now that would make the most impact on the security of a typical organization. Without knowing specifics, we can recommend a variety of security controls and process changes that will substantially improve your capabilities across the various attack phases.

Based primarily on the ISO27002 and NIST 800-53 standards, our framework allows current controls to be mapped not only against existing regulations but also against emerging ones such as the CyberSecurity Act of 2012.

The purpose of this risk assessment is to identify key strategic initiatives that provide a better basis for sizing and scoping your security program objectives, by identifying and prioritizing risk areas and key improvement areas. Our process includes methods to measure risk, evaluate preventive gaps, and provide recommendations for remediation. The maturity of the program is evaluated, and the identified risks are included in a remediation road map.

Regulations which may be included in the Security Risk Assessment are:

  • North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards (NERC-CIP)

  • CobiT

The outcome of the assessment will support your security program objectives by:

  • Providing key findings and recommendations on the current maturity metrics and the requirements to improve on the security maturity curve.

  • Identifying important remediation activities for inclusion in your Security Program.

  • Aligning the Security Program initiatives to industry best-practice, ISO27000 series standards and security frameworks.

  • Enabling you to proactively improve your security posture with a strategic view.