A security risk assessment identifies the risks to an application or system, assesses their likelihood and impact, and determines which key security controls are needed to address them. It also helps prevent application security defects and vulnerabilities by surfacing them before they reach production. Conducting a risk assessment is an integral part of an organisation’s risk management process.
Carrying out a risk assessment allows an organisation to review an application or system from an attacker’s perspective. It helps the organisation make informed decisions on resource allocation and on which security controls to implement.
Factors such as size, growth rate, resources, and asset portfolio affect the depth of risk assessment models. Organisations can carry out generalised assessments when facing budget or time constraints. However, generalised assessments do not necessarily provide the detailed mappings between assets, associated threats, identified risks, impact, and mitigating controls.
If the results of a generalised assessment do not link these areas clearly enough to support decisions, a more in-depth assessment is necessary.
Adapt Cybersecurity can assist you with each of the steps of a successful security risk assessment model, including:
- Identification - determining all critical assets of the technology infrastructure, then identifying the sensitive data that is created, stored, or transmitted by these assets and creating a risk profile for each.
- Assessment - applying a methodology to assess the identified security risks for critical assets. After careful evaluation, determining how to effectively and efficiently allocate time and resources towards risk mitigation. The assessment methodology analyses the correlation between assets, threats, vulnerabilities, and mitigating controls.
- Mitigation - defining a mitigation approach and enforcing security controls for each risk.
- Prevention - implementing tools and processes that reduce the chance of new threats and vulnerabilities arising in your organisation's resources.
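The four steps above amount to a risk register: each entry maps an asset to a threat, the vulnerability the threat exploits, a likelihood and impact rating, and the controls mapped against it, and the register is then ranked to decide where mitigation effort goes. The following is an added illustration of that structure, not Adapt Cybersecurity's own methodology or tooling; the 1-5 likelihood and impact scales, the rating bands, the per-control reduction values and the sample register entries are all assumptions constructed for the example.

```python
"""Minimal risk register: asset/threat/vulnerability mapping with
likelihood x impact scoring, control mapping and residual-risk ranking.
Added illustration; scales, bands and sample entries are assumptions."""
from dataclasses import dataclass, field

# Assumed qualitative scales (1-5); real programmes calibrate these to the organisation.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    """A mitigating control and how many scale points it removes (assumed values)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    """One register row: an asset, the threat to it, the weakness the threat
    exploits, the qualitative ratings, and the controls mapped against it."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    controls: list[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        """Likelihood x impact before any control is applied."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        """Likelihood x impact after mapped controls, floored at 1 on each axis."""
        like = LIKELIHOOD[self.likelihood] - sum(c.likelihood_reduction for c in self.controls)
        imp = IMPACT[self.impact] - sum(c.impact_reduction for c in self.controls)
        return max(like, 1) * max(imp, 1)


def rating(score: int) -> str:
    """Assumed rating bands over the 1-25 product scale."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def prioritise(register: list[Risk]) -> list[Risk]:
    """Highest residual risk first; inherent score breaks ties so a risk that is
    only medium because of controls still ranks above one that was never high."""
    return sorted(register, key=lambda r: (-r.residual_score(), -r.inherent_score(), r.asset))


def needs_treatment(register: list[Risk]) -> list[Risk]:
    """Risks still rated high or critical after controls: candidates for the
    mitigation step (more controls, transfer, or a documented acceptance)."""
    return [r for r in prioritise(register) if rating(r.residual_score()) in ("high", "critical")]


def control_map(register: list[Risk]) -> dict[str, list[str]]:
    """Control name -> assets it protects: the control-to-risk mapping to document."""
    mapping: dict[str, list[str]] = {}
    for r in register:
        for c in r.controls:
            mapping.setdefault(c.name, []).append(r.asset)
    return mapping


def sample_register() -> list[Risk]:
    """Constructed sample entries for the example (not real findings)."""
    waf = Control("web application firewall", likelihood_reduction=1)
    param = Control("parameterised queries", likelihood_reduction=2)
    mfa = Control("multi-factor authentication", likelihood_reduction=3)
    backups = Control("offline backups", impact_reduction=2)
    return [
        Risk("customer database", "SQL injection via public web app",
             "unparameterised queries in legacy search endpoint",
             "likely", "severe", [waf, param]),
        Risk("payroll file share", "ransomware",
             "no offline backups", "possible", "major", [backups]),
        Risk("marketing website", "defacement",
             "outdated CMS plugin", "likely", "moderate"),
        Risk("VPN gateway", "credential stuffing",
             "password-only authentication", "likely", "major", [mfa]),
    ]


if __name__ == "__main__":
    for r in prioritise(sample_register()):
        print(f"{r.asset:20} inherent={r.inherent_score():2} ({rating(r.inherent_score())}) "
              f"residual={r.residual_score():2} ({rating(r.residual_score())})")
    print("needs treatment:", [r.asset for r in needs_treatment(sample_register())])
```

Two points the ranking makes visible: the customer database and VPN gateway start out critical but drop to medium once their mapped controls are counted, while the marketing website, which was only high to begin with, rises to the top of the list because nothing is mapped against it. Ranking by residual rather than inherent score is what stops the register from repeatedly flagging risks that are already treated, and `needs_treatment` is the hand-off into the mitigation step.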
At Adapt Cybersecurity, we recommend annual assessments of critical assets whose risks carry a higher impact and likelihood. The assessment process creates and collects a variety of valuable information. A few examples include:
- Creating an application portfolio for all current applications, tools, and utilities.
- Documenting security requirements, policies, and procedures.
- Establishing a collection of system architectures, network diagrams, data stored or transmitted by systems, and interactions with external services or vendors.
- Developing an asset inventory of physical assets (e.g., hardware, network, and communication components and peripherals).
- Maintaining information on operating systems (e.g., PC and server operating systems).
- Information about:
  - Data repositories (e.g., database management systems, files, etc.).
  - Current security controls (e.g., authentication systems, access control systems, antivirus, spam controls, network monitoring, firewalls, and intrusion detection and prevention systems).
  - Current baseline operations and security requirements pertaining to compliance with governing bodies' requirements.
  - Assets, threats, and vulnerabilities (including their impacts and likelihood).
  - Previous technical and procedural reviews of applications, policies, network systems, etc.
  - Mapping of mitigating controls to each risk identified for an asset.
Contact us to learn more or arrange a free consultation.