Information-Security-Risk-Assessment

Information Security Threat & Risk Assessment

Identify, minimise & manage the threats to your business’ information assets

Request a Quote

Information Security Threat & Risk Assessment Service

An information security threat and risk assessment (TRA) is the process of identifying and quantifying the cyber security threats to your business’ information assets. The assets that if illicitly or accidentally accessed, modified, corrupted or deleted could cause your business harm. How much harm? A security threat and risk assessment will answer that question. It provides the data set which allows intelligent, risk-based decisions and should determine budget considerations. Without it, your risk approach will be ad hoc and driven by external influences.

The only constant in cyber security is “change”. Markets change. Businesses change. Staff change. Information assets change. Technology changes. Vulnerabilities change. Threats change.

Everything changes. These constant changes require a continual reassessment of your risk environment. Your best tool to do this is conducting information security threat and risk assessments.

Industry best practice and most compliance frameworks dictate that they should be conducted annually or following any significant changes to the systems used to process, store or transmit your business’ information assets. This makes sense. But few businesses invest in this fundamental practice and so fail to protect their business from the ever-changing threat landscape. We have designed a straightforward, cost-effective service for providing this fundamental requirement.

Risk Crew use a 6-step methodology for delivering effective information security threat and risk assessments.

Threat & Risk Assessment Process

Features and Components

Our information security threat and risk assessment service is based upon established industry best practices and comprised of the following components:

Step 1: Identify & Value Assets

  • Risk Crew begins by interviewing your key business stakeholders to identify the specific information assets needed to achieve business objectives. The assets are then categorised based on their value and criticality to the business.
  • Our experts will then review current system documentation, GDPR/DPA workflows, hardware and data asset registers (if applicable) with stakeholders to confirm the location of these critical and sensitive information assets.

Step 2: Identify Threats

  • Once your information assets are identified, categorised and located, we shall then assess their hosting environments and associated processing operations to identify existing security threats to these assets.
  • We will systematically identify those threats that have the potential to exploit your system vulnerabilities and result in unauthorised access. A through inventory of the current threat landscape shall be documented for reference.
  • Risk Crew use a variety of industry and proprietary security threat databases on which to base our determinations to include known (manufacturer and vendor-recognised) and unknown (hacker-recognised) threats.

Step 3: Identify Vulnerabilities

      • Risk Crew will then assess the devices hosting your information assets to identify technical security vulnerabilities that could be exploited to compromise these assets. Vulnerabilities may be associated with either single or multiple operational or cyber security threats.
      • Network application and device build and deployment methodology, 3rd party solutions, network and workstation administration, support and management processes, change management and patching programs, incident identification and response processes, incident and anomaly investigation procedures, network disaster recovery and business continuity plans, network security auditing and testing, password management programs and network and user security policies & procedures.
      • As part of the assessment Risk Crew will run vulnerability scans on the systems hosting the assets to identify associated technical vulnerabilities.

Step 4: Determine Likelihood & Impact

      • Risk Crew shall then determine and document the likelihood that the identified threat will exploit the identified vulnerability.
      • The likelihood is an estimate of the frequency or the probability of such an event. Likelihood of occurrence is based on several factors that include system architecture, system environment, information system access and existing controls; the presence, motivation, tenacity, strength and nature of the threat; the presence of vulnerabilities and the effectiveness of existing controls.
      • Risk Crew shall then determine and document the magnitude/severity of impact on your business operations if the threat was realised and exploited the associated vulnerability.

Step 5: Determine Inherent Risk

      • The risk will be expressed in terms of the likelihood of the threat exploiting the vulnerability and the impact severity of that exploitation on the Confidentiality, Integrity and Availability (CIA) of the system.
      • The risk severity level is then identified and documented. This represents the current untreated or “inherent” risk level associated with the threat.

Step 6: Determine Risk Treatment

      • Finally, Risk Crew will recommend a cost-effective treatment or control to address the inherent risk and bring it into the risk appetite of your business.
      • The result is a comprehensive documentation of the risks to your information assets and a prioritised roadmap of remedial activities to implement to ensure the risks are acceptable to your business.

Service Deliverables

Upon completion, Risk Crew will deliver a comprehensive report documenting the overall findings and recommendations from the engagement. The report will include the following stand-alone deliverables as attachments:

  • An information asset register documenting all business information assets, value, owners and locations
  • A risk treatment plan documenting security vulnerability associated with information assets, the security threats to those assets, the estimated likelihood of those threats occurring, the locations affected, the potential impact on your business if they occurred and business risk owners
  • The “heat map” of risks and a management summary to ensure ease of interpretation

Additionally, Risk Crew will deliver:

  • A workshop presentation of findings and remedial recommendations to ensure understanding
  • A prioritised remedial action roadmap for risk reduction
  • On-call advice and assistance for up to 30 days following the workshop to answer any questions that may arise from implementing remedial actions and ensuring risk reduction.
Working from Home Risk Management
information security threat and risk assessment

Service Benefits

Quite simply, this fundamental service provides answers to the critical questions: What should our business protect? Why should we protect it? And, what happens if we fail to protect it?

All information security management starts with answers to these basic questions. Knowing the answer is the biggest benefit. An information security threat assessment provides the data on which to measure your businesses risk appetite, tolerance and capacity. It provides the framework to identify, minimise and manage cyber threats to your business.

Why Choose Risk Crew

Risk Crew security consultants possess over 30 years of hands-on skills and experience in conducting information security threat and risk assessments. It’s what we do.

We: think deeply, question assumptions, determine cause and effect and always deliver measurable results. We believe that you should accept nothing less. So much so if you are not happy, with our services, you are not charged. Who else does that?

Best Practice

Risk Crew follows best practices including ISO 27001, PCI, Data Protection Act 2018 and the GDPR

Accredited

ISO 27001 and Cyber Essentials Plus certified

Certified

Engineers hold CISSP, CISA, CRISC, CISM and CSX certifications

Experienced Practitioners

Risk Crew has over two decades of practical knowledge

Conducting comprehensive information threat and risk assessments is our business. Let us show you we mean business.

Contact Us

Request a Quote to Get Started Today

Our SOC 2 experts will contact you to discuss your specific requirements



    Information Risk Management Service(s) of interest:

    Information Security Threat & Risk AssessmentInformation Security PoliciesRansomware Readiness AuditSecure Code ReviewInformation Security Awareness TrainingSupply Chain Information Risk ManagementInformation Security Risk Consultancy Service

    Would you like to receive occasional emails on the latest security news and information on Risk Crew services?

    YesNo

    View our privacy notice here.

    Frequently Asked Questions

    What is an information security vulnerability?
    An information security vulnerability is a weakness in people, process or technology that if exploited could potentially expose an information asset to unauthorised access, disruption or compromise.
    What is an information security threat?
    An information security threat is anything that could cause potential harm to an information asset. In the context of cyber security, a threat is an attack that could exploit a vulnerability and result in harm, compromise, disruption or unauthorised access to an information asset.
    What is an information security risk?
    An information security risk is any event that that could cause potential harm, compromise, disruption or unauthorised access to an information asset.
    What is a risk owner?
    A risk owner is an accountable and senior point of contact within the business for an information security risk. He or she is primarily accountable for the information asset and responsible for coordinating efforts to identify, minimise and manage the security risks to that asset.
    What is an information security risk appetite?
    An information security risk appetite is the stated level of tolerance a business has for risks to their information. Critical components of an information security risk appetite are the levels of risk tolerance and capacity (i.e. what level is acceptable and what level is unacceptable).