Information Security Threat & Risk Assessment Service
An information security threat and risk assessment (TRA) is the process of identifying and quantifying the cyber security threats to your business’ information assets: the assets that, if illicitly or accidentally accessed, modified, corrupted or deleted, could cause your business harm. How much harm? A security threat and risk assessment will answer that question. It provides the data set that allows intelligent, risk-based decisions and should determine budget considerations. Without it, your risk approach will be ad hoc and driven by external influences.
The only constant in cyber security is “change”. Markets change. Businesses change. Staff change. Information assets change. Technology changes. Vulnerabilities change. Threats change.
Everything changes. These constant changes require a continual reassessment of your risk environment. Your best tool for doing this is the information security threat and risk assessment.
Industry best practice and most compliance frameworks dictate that they should be conducted annually or following any significant changes to the systems used to process, store or transmit your business’ information assets. This makes sense. But few businesses invest in this fundamental practice and so fail to protect their business from the ever-changing threat landscape. We have designed a straightforward, cost-effective service for providing this fundamental requirement.
Risk Crew use a 6-step methodology for delivering effective information security threat and risk assessments.
Our information security threat and risk assessment service is based upon established industry best practices and comprises the following components:
Step 1: Identify & Value Assets
- Risk Crew begins by interviewing your key business stakeholders to identify the specific information assets needed to achieve business objectives. The assets are then categorised based on their value and criticality to the business.
- Our experts will then review current system documentation, GDPR/DPA workflows, hardware and data asset registers (if applicable) with stakeholders to confirm the location of these critical and sensitive information assets.
Step 2: Identify Threats
- Once your information assets are identified, categorised and located, we shall then assess their hosting environments and associated processing operations to identify existing security threats to these assets.
- We will systematically identify those threats that have the potential to exploit your system vulnerabilities and result in unauthorised access. A thorough inventory of the current threat landscape shall be documented for reference.
- Risk Crew use a variety of industry and proprietary security threat databases as the basis for our determinations, covering both known (manufacturer- and vendor-recognised) and unknown (hacker-recognised) threats.
Step 3: Identify Vulnerabilities
- Risk Crew will then assess the devices hosting your information assets to identify technical security vulnerabilities that could be exploited to compromise these assets. Vulnerabilities may be associated with either single or multiple operational or cyber security threats.
- Areas assessed include: network application and device build and deployment methodology, 3rd party solutions, network and workstation administration, support and management processes, change management and patching programs, incident identification and response processes, incident and anomaly investigation procedures, network disaster recovery and business continuity plans, network security auditing and testing, password management programs, and network and user security policies & procedures.
- As part of the assessment Risk Crew will run vulnerability scans on the systems hosting the assets to identify associated technical vulnerabilities.
Step 4: Determine Likelihood & Impact
- Risk Crew shall then determine and document the likelihood that each identified threat will exploit its associated vulnerability.
- The likelihood is an estimate of the frequency or the probability of such an event. Likelihood of occurrence is based on several factors that include system architecture, system environment, information system access and existing controls; the presence, motivation, tenacity, strength and nature of the threat; the presence of vulnerabilities and the effectiveness of existing controls.
- Risk Crew shall then determine and document the magnitude/severity of impact on your business operations if the threat was realised and exploited the associated vulnerability.
Step 5: Determine Inherent Risk
- The risk will be expressed in terms of the likelihood of the threat exploiting the vulnerability and the impact severity of that exploitation on the Confidentiality, Integrity and Availability (CIA) of the system.
- The risk severity level is then identified and documented. This represents the current untreated or “inherent” risk level associated with the threat.
Step 6: Determine Risk Treatment
- Finally, Risk Crew will recommend a cost-effective treatment or control to address the inherent risk and bring it into the risk appetite of your business.
- The result is a comprehensive documentation of the risks to your information assets and a prioritised roadmap of remedial activities to implement to ensure the risks are acceptable to your business.
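To make Steps 4 to 6 concrete, here is an added worked example (illustration only, not Risk Crew's own tooling or scales) that scores inherent risk as likelihood multiplied by the worst-case impact across Confidentiality, Integrity and Availability, bands the score into a severity level, and produces a prioritised roadmap of every risk that sits outside the assumed risk appetite. The 1-5 scales, the severity bands, the appetite threshold and the register entries are all constructed assumptions.

```python
"""Inherent-risk scoring and prioritisation for a 6-step TRA.
Added illustration; scales, bands, appetite and register entries are constructed."""
from dataclasses import dataclass

# Assumed severity bands on the likelihood x impact score (1..25): (floor, label).
SEVERITY_BANDS = [(20, "Critical"), (12, "High"), (6, "Medium"), (0, "Low")]


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int     # assumed scale: 1 (rare) .. 5 (almost certain)
    impact_cia: tuple   # (confidentiality, integrity, availability), each 1..5
    owner: str          # business risk owner


def inherent_score(r: Risk) -> int:
    """Step 5: untreated ('inherent') risk = likelihood x worst-case CIA impact."""
    if not 1 <= r.likelihood <= 5 or any(not 1 <= i <= 5 for i in r.impact_cia):
        raise ValueError("ratings must be on the assumed 1-5 ordinal scale")
    return r.likelihood * max(r.impact_cia)


def severity(score: int) -> str:
    """Map a numeric score onto the heat-map band it falls into."""
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "Low"


def prioritised_roadmap(register, appetite: int):
    """Step 6 input: risks above the appetite threshold, highest score first."""
    ranked = sorted(register, key=inherent_score, reverse=True)
    return [(r.asset, r.threat, inherent_score(r), severity(inherent_score(r)), r.owner)
            for r in ranked if inherent_score(r) > appetite]


# Constructed sample register (hypothetical assets and findings, not real data).
REGISTER = [
    Risk("Customer DB", "Credential theft", "No MFA on admin portal", 4, (5, 4, 2), "CISO"),
    Risk("HR file share", "Ransomware", "Unpatched file server", 3, (3, 4, 5), "IT Ops"),
    Risk("Marketing site", "Defacement", "Outdated CMS plugin", 3, (1, 3, 2), "Web Team"),
    Risk("Backup tapes", "Physical loss", "Unencrypted offsite media", 2, (4, 1, 3), "Facilities"),
]

if __name__ == "__main__":
    for row in prioritised_roadmap(REGISTER, appetite=8):
        print(row)
```

With an appetite of 8, the backup-tape risk (score 8) is accepted as-is, while the other three are listed for treatment in descending order of inherent score.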
Upon completion, Risk Crew will deliver a comprehensive report documenting the overall findings and recommendations from the engagement. The report will include the following stand-alone deliverables as attachments:
- An information asset register documenting all business information assets, value, owners and locations
- A risk treatment plan documenting the security vulnerabilities associated with information assets, the security threats to those assets, the estimated likelihood of those threats occurring, the locations affected, the potential impact on your business if they occurred, and the business risk owners
- The “heat map” of risks and a management summary to ensure ease of interpretation
Additionally, Risk Crew will deliver:
- A workshop presentation of findings and remedial recommendations to ensure understanding
- A prioritised remedial action roadmap for risk reduction
- On-call advice and assistance for up to 30 days following the workshop to answer any questions that may arise from implementing remedial actions and ensuring risk reduction.