Managed risk through security assessment is our way. As you work diligently to mitigate the myriad threats to IT security, a security assessment can provide the critical insight and data you need to develop the most effective cyber security strategy possible.
By identifying and quantifying risks and documenting the effectiveness of existing controls, a security assessment enables you to make smarter decisions about your current technology, potential new investments and the optimal approach to enterprise risk management based on your environment and business goals. Performing a superior security assessment not only requires proven methodologies but an extensive and in-depth understanding of the security space. When your IT team lacks the expertise, resources or bandwidth to manage your security assessment initiatives, the security professionals at Optiv have the know-how and expertise to fill the gaps.
With a highly skilled staff of subject matter experts, thought leaders and seasoned security professionals, we provide a full range of services, solutions and technology to help our clients develop, nurture and run remarkably effective security programs.
Our security assessment services help you:
Understand your current risk posture as compared to leading practices, compliance requirements and peer organizations
Reconcile current controls with your appetite for risk
Document existing controls and security efforts
Identify and quantify risks to your information assets
Understand the strengths and weaknesses of your current defenses
Examine weaknesses from the perspective of the attacker
Align your IT risk management programs with your security and business goals
Identify areas of operation where the risk to your organization may be too high
Our security assessments include traditional IS/IT security auditing, security maturity assessments and security risk assessments. In a security maturity assessment, our team evaluates your current controls and benchmarks them against leading practices and industry standards. With a better understanding of how you manage risk relative to best practices and your risk appetite, you can optimize your security investments more effectively. In a security risk assessment, our experts help you identify areas of weakness and modify your security posture to address them. A comprehensive IT security audit can help ensure compliance with regulatory frameworks and technical safeguards, and reveal where essential information such as credit card data or protected individual information could be at risk.
Our IS/IT auditing, security assessment and risk management teams are cognizant of the risk owned by the chief information officer (CIO), chief security officer (CSO), chief information security officer (CISO), their teams and any externalized resources (outsourcing, cloud services, other providers, vendors, etc.). We are adept at interfacing with enterprise risk management (ERM) functions at all levels to determine the business impact of the associated IS/IT risk.
In 1999, The Institute of Internal Auditors (The IIA) published an updated definition of internal IT auditing, describing it as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”
The Risk Management Society (RIMS) defines ERM as a strategic business discipline, while the IIA defines it as a structured, consistent and continuous process across the whole organization. We educate and instill confidence in organizations to engineer disciplines that translate into repeatable, effective processes.
Bridging security/risk assessment into the auditing function as an unbiased trusted agent, we enable the CIO/CSO/CISO by providing appropriate risk assessments for the IT systems and services offered, based on formal and established frameworks and, to every extent possible, quantified for performance measurement and metrics. Our risk assessment services, and any related risk register, describe mitigation plans, their ownership (via RACI or other methods) and time scales that have clear linkage to the business impact analysis and supported business continuity plans.
Business managers, process, system and data owners are responsible for prioritizing risk for appropriate action and, thus, become the risk owners. This implies accountability that internal auditing and risk assessment teams assume as an information assurance function.
Risk Management Auditable Activities
Figure 1 shows a mapping of elements that an auditor/risk assessor may consider including in an IS/IT risk management audit:
The organization’s business continuity and impact assessment analysis, assuming the data exists and is current, assists the auditors in defining the scope of risk assessment. If these artifacts do not exist or are outdated, the first critical audit recommendation should be that they be conducted as a matter of urgency.
Figure 1 illustrates many activities, so a starting point is to find out which of them have been done, by whom and when. It may be useful to identify first whether a formal framework for risk management was adopted by the IS/IT function and, if so, which one. Some are simplistic, such as drawing risk heat or “stoplight” maps based on intuition, and others are relatively complex, requiring considerable time to master (e.g., COBIT 5 for Risk and Operationally Critical Threat, Asset, and Vulnerability Evaluation [OCTAVE], available in versions for large and small organizations).
Adopting a methodology is, in itself, not enough if those who need to apply it do not know how. This implies some form of training, which consumes crucial time and resources.
IS/IT Risk Translated Into Business Risk
Figure 2 presents a typical starting point in the risk assessment as it is transformed into business risk.
The CIO and the chief information security officer (CISO), as custodians of the organization’s systems and data, including incident management and disaster recovery plans, inescapably (and hopefully) focus on the threats and vulnerabilities that can adversely impact business operations. They are often not conversant with the contents of the various business impact analyses, the “risk appetite” of the organization or a coherent roadmap of the organization’s priorities for mitigating business risk.
What often happens is that, having identified threats (from hackers to earthquakes) and vulnerabilities (the usual suspects: people, process and technology), the CIO moves quickly to address issues that, in terms of business impact, may not be important at all and are, therefore, a poor use of resources. Achieving a successful and balanced translation into business risk requires extensive dialog with business process owners, senior management and the ERM team. Collaboration is critical to producing an integrated risk register that can be used to illustrate the need for, and request, the resources needed to mitigate the highest risks to the business.
However, this requires every one of the key players and stakeholders to make time available for such discussions and to engage in a spirit of collaboration, not allowing it to be inhibited by unavoidable corporate politics. Small organizations may not have a formal ERM team or formal business processes, and in most cases have limited knowledge of risk and impact assessment. The risk assessment frameworks we use are scalable and flexible enough to accommodate any size of business.