Information systems are increasingly subjected to an alarming number of threats. These threats can adversely affect organizational operations and assets by exploiting vulnerabilities that compromise the confidentiality, integrity or availability of information that’s processed, stored or transmitted. Targeted attacks, environmental disruptions, human/machine errors and structural failures all pose a risk and can quickly stifle the economic sustainability of your organization.
Unlike our enterprise risk assessment, a system risk assessment focuses on a single system or a logical grouping of systems. Our system-level risk assessment identifies, estimates and prioritizes risk to an organization’s operations, assets, employees and other organizations.
Our system risk assessment begins with a thorough review of your organization’s mission and its key drivers. We then take a comprehensive look at your system — how your information is used, where it’s transmitted and where it’s stored — and use this intel to determine your system risk profile. As part of our process, we…
- Identify your system assets while determining how they relate to your mission processes. The importance of each asset is also determined based on the value and/or sensitivity of the information it holds.
- Perform a threat assessment to determine the threats your system likely faces on a daily basis. Specifically, we look at the motivation, expertise and resources of potential attackers, whether they are internal or external to your organization.
- Conduct a vulnerability assessment to analyze all possible authorized and unauthorized entry points, and uncover potential vulnerabilities — whether they are publicly known weaknesses or more covert methods of attack. We conduct all our vulnerability assessments using the latest tools and technologies, which allows us to dig deeper into your systems without impacting your operations.
- Examine existing countermeasures to determine whether your organization has deployed sufficient defense-in-depth measures to counter likely attacks to the system.
- Perform a risk analysis to determine the impact to your system and information assets in the event that identified vulnerabilities are exploited. The likelihood or probability is also estimated in the context of existing security countermeasures.
- Assign risk ratings so risks can be prioritized according to their impact on the organization should they be realized.
- Develop a risk mitigation plan based on the risk ratings to ensure risks of concern are mitigated in a timely manner. Risks that cannot be fully remediated are subject to continuous monitoring until the risk becomes acceptable to the organization.
Our team is well-versed in many of the risk management methodologies used throughout government and commercial industries. These methodologies and best practices include:
- International Organization for Standardization (ISO) 31000:2009 Risk Management
- Australian/New Zealand Standard (AS/NZS) 4360:2004 Risk Management
- National Institute of Standards and Technology (NIST) Special Publication (SP) 800-39 Managing Information Security Risk
- NIST SP 800-30 Risk Management Guide for Information Technology Systems