© 2019 RSM US LLP. All rights reserved.
Cybersecurity Risk Assessment Services
A risk assessment is a formal process to identify the vulnerabilities and threats that could affect the security of a company, and the controls the company has in place to mitigate the impact. Our risk assessment conforms to the methodology found within NIST Special Publications 800-37, 800-30, 800-53 and 800-171 and is designed to provide an evaluation of information security risks in a form that can be used by executives for efficient decision-making.
Who Needs This
A risk assessment can benefit organizations of any size, no matter the maturity level of their security program. For smaller organizations, it can be a road map toward efficient program building. But with growth comes increased risk, so don’t let your company be caught off guard. Additionally, risk assessments are required by many regulations, such as SOX, PCI and HIPAA.
RSM’s risk assessment methodology aligns with NIST and involves the steps shown below.
We use our risk equation to provide clients with a representation of their security risk, which is a byproduct of the following:
- A threat of some type, such as a malicious hack or a piece of malware that can leverage an attack vector to target an organization’s assets and sensitive data
- A vulnerability where absence of controls in systems, applications or other assets creates exposures that a threat can exploit
- Controls diminish the ability of a threat to exploit a given vulnerability
An evaluation of the elements above results in an overall risk level and a list of residual risks that are categorized by their severity.
Risk identification is based in part on an understanding of the assets that may be affected, including lines of business; critical systems and applications; types of data; and people, processes and technology that interact with that data. A threat represents any vector that an attacker could use to cause a negative impact on in-scope assets. To determine a threat score, RSM uses a qualitative score combination of 10 attack vectors:
- Internet access
- Social engineering
- Public area access
- Lack of network segmentation
- Third-party access
- Lost/stolen devices
- Shared access
- Lack of physical isolation
- Peripheral devices
- Wireless access
Controls are implemented to limit the impact of an attack vector or threat on an organization. By definition, the absence of a control is a vulnerability that a threat can exploit. We use a framework that is based upon NIST SP 800-53 and the Payment Card Industry Data Security Standard to assess the effectiveness of controls within the following 16 domains:
1. Access control
2. Awareness and training
3. Audit and accountability
4. Configuration management
5. Identification and authentication
6. IR/BC/Crisis communications
8. Data protection
9. Personnel security
10. Physical protection
11. Risk assessment
12. Security assessment
13. System and communications protection
14. System and information integrity
15. Organization and governance
16. Application security
Using our detailed approach to information security risk assessment services, you will have a full understanding of the overall security risks to your organization.
Call to action
Our dedicated staff is here to help ensure your business has a plan to understand and manage your risk. Contact RSM today to help you get started.