Security Risk Assessments
An audit of business security strategy and controls
to ensure key digital assets are secure.
Discover risk and define appropriate mitigation strategies that fit your company’s objectives.
Security Risk Assessments:
A Business Security Audit
The most important part of security assessments is the security review & gap analysis. It is the glue that ties the entire security risk assessment solution together. As with security audits, there must be a process for assessing a company’s risk profile. In a security review, we review your key assets, current security strategy, controls, IT infrastructure, and prioritize your top vulnerabilities, risks and recommended security control solutions. Following, MainNerve provides a final report for the purpose of defining future security strategies, determining budgets, and implementing security risk mitigation solutions.
Discover Risk and Define Mitigation Strategies
Security risk assessments are essential for discovering risk and defining appropriate mitigation strategies that fit your company’s objectives. There are two components to security assessments: 1) Security Reviews (often called security audits) provide a complete process for defining security risk strategies based upon your objectives, security posture and status and 2) Security tests such as penetration testing, vulnerability testing and phishing tests which diagnose actual vulnerabilities in specific areas of your security infrastructure.
THE MAIN NERVE PROCESS
Security risk assessments are a fundamental foundation for the security of any organization. At MainNerve, our security risk assessments help companies ensure that controls and expenditure are fully commensurate with the risks to which organizations are exposed. Determine which security controls are appropriate and cost effective for your business.
Security Risk Assessment
As threats to computer systems grow more complex and sophisticated, risk assessments are an important tool for organizations to rely on as part of a comprehensive risk management program. This security risk assessment will help the customer to:
- Determine the most appropriate risk responses to ongoing cyber-attacks.
- Guide investment strategies and decisions for the most effective cyber defenses to help protect your organizational operations (including missions, functions, image and reputation), organizational assets, and employees.
- Maintain ongoing situational awareness of the security state of your organization’s information systems and the environments in which those systems operate.
The risk assessment methodology and approach will be conducted using the guidelines in NIST SP 800-30, “Risk Management Guide for Information Technology Systems.” The assessment is broad in scope and evaluates security vulnerabilities affecting confidentiality, integrity, and availability of information. The assessment report will recommend appropriate security safeguards, permitting customer management to make knowledge-based decisions about security-related initiatives. MainNerve will hold regular status meetings with key personnel to report on progress, discuss any issues that may have been identified, and solicit feedback and guidance related to the engagement. This will ensure that all interested parties are well informed as work progresses and any issues requiring immediate attention or further validation are promptly addressed. The following controls are assessed:
- Administrative Safeguards: This information includes policies and procedures revolving around the administrative side of protecting networks and resources. These policies and procedures may include information about termination procedures and requirements, when training is conducted, sanction policies, etc.
- Physical Safeguards: This section assess the policies and procedures used to protect the physical networks and resources. These safeguards might include locks on doors to server rooms, how access to said server rooms is granted, and who has the authority to grant access.
- Technical Safeguards: This information gathered in this sections allows MainNerve to determine how well the networks and resources are protected technically and virtually. This will include procedures on allowing employees access to specific data required to do their jobs, information about encryption, anti-virus and anti-malware software, as well as information gleaned during the vulnerability scan and penetration test.
MainNerve will hold regular status meetings with key personnel to report on progress, discuss any issues that may have been identified, and solicit feedback and guidance related to the engagement. This will ensure that all interested parties are well informed as work progresses and any issues requiring immediate attention or further validation are promptly addressed.
MainNerve will interview key personnel identified by the customer either by questionnaire or phone and perform document reviews in accordance with NIST SP800-30. Document reviews will provide the MainNerve risk assessment team with the basis on which to evaluate compliance with policies and procedures in order to ultimately identify potential shortfalls in the administrative, technical, and/or physical security posture.
Deliverables (* Excluded from Gap Analysis)
The following deliverables may be provided as part of the engagement depending upon services chosen:
- Gap analysis results that include risk rating and assessment of items such as: physical safeguards, network resources inventoried, data protection measures, log monitoring and auditing.
- *Risk ratings results based on interview or questionnaire (High, Medium, Low, Risk number)
- *The final report will provide information on current assessment and findings of customers’ security posture, recommended remediation and a description of potential risk due to non-remediation.
- *A “Crosswalk to Security” report will also be provided to assist customer in how to develop a plan to mitigate risk. The findings will be presented as a strategic “Crosswalk” in the form of recommendations only. These recommendations are intended to assist the customer’s security posture. This includes items such as: recommended security roles, how to evaluate key security policies and controls ongoing, control implementation guidelines and internal review processes.
- Remediation recommendations.
The deliverables will be provided to the customer via secure e-mail or through a secure website as mutually agreed. All final deliverables are shared only with the customer approved representatives.
WANT TO LEARN MORE?
Network Penetration Testing
Network penetration testing assists with the identification and examination of vulnerabilities for external, Internet-facing and internal, intranet systems. A network pen test will help determine whether an attack can exploit and compromise targeted systems. Take the next step to improving your business’ security with a network pen test.
MainNerve’s compliance solutions are designed to help fill one of the biggest challenges for businesses: staying in alignment with the exhaustive list of Governance, Risk Management, and Compliance (GRC) requirements. From PCI DSS and HIPAA, to CJIS and FINRA, MainNerve can help your business navigate the GRC landscape with specialized penetration tests.
Social engineering, in the context of information security, is commonly defined as the of persuasion and/or manipulation techniques in order to influence people into performing actions or divulging confidential information. Ensure that your business is secure by testing and evaluating your employees against general phishing and “spear-phishing” attacks.