© 2019 RSM US LLP. All rights reserved.
Information Security Risk Assessment
A risk assessment scrutinizes the threats, attack vectors, vulnerabilities and controls that may affect your data and assets, as a first step in addressing risks.
Understanding risk helps organizations make better-informed business decisions. That understanding covers the threats and attack vectors facing the organization, the vulnerabilities they could exploit, and the controls that protect your sensitive data and critical assets.
An information security risk assessment helps executives decide which risks they are willing to accept and which should be mitigated through the security improvements that will generate the greatest return on investment. The assessment scrutinizes the implementation, effectiveness and governance of information security controls. It also satisfies the risk assessment requirements of several compliance frameworks, including the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Trust Alliance (HITRUST) framework. RSM's methodology follows the National Institute of Standards and Technology (NIST) Special Publication 800-30, Guide for Conducting Risk Assessments, and applies a customized control set, many of whose controls also map to other frameworks such as HIPAA and PCI DSS.
Mapping control deficiencies back to the attack vectors most likely in your industry highlights the most pertinent areas to improve and helps identify specific security risks. Our approach includes benchmarking your current controls against those of your industry peers and of companies of similar size and complexity. The assessment results in a prioritized analysis of risks and exposures that guides you from your current state to a desired future state that better protects your organization.