Where Cybersecurity Begins

Risk Assessments as a Road Map to a More Secure Organization

Cybersecurity starts with a review or assessment of your overall program or of a specific system. A cybersecurity risk assessment establishes a baseline of the current state of your information security controls. By providing a clear understanding of your organization’s risks, it can act as both a catalyst for change and a roadmap to improving your overall security posture. There are several types of risk assessments to consider, and the right choice depends on your organization’s goals and regulatory requirements.


Compliance Risk Assessments

This assessment is a review of an overall cybersecurity program or information system against a compliance control baseline to determine where risks or vulnerabilities are present. Many organizations face steep penalties or fines for non-compliance with federal, state, or industry security regulations. A compliance risk assessment not only helps protect organizations from security threats, but can potentially save your organization thousands of dollars in fines should a breach or incident occur. Types of compliance assessments we provide include HIPAA, GLBA, FISMA, NIST, FTI, CJIS, PCI, and SOX.


External Vulnerability Assessments

This assessment consists of a scan of all systems that are accessible from the Internet. Most organizations have Internet-facing web pages, login pages for various services, and/or customer-facing applications. Ensuring your external systems are secure can help protect your organization from real-world threats such as cross-site scripting, brute-force, or denial of service (DoS) attacks.


Internal Vulnerability Assessments

An internal assessment is a scan of all internal systems or of specifically identified ones. This assessment can help ensure that you have a second line of defense in place should malicious software or users make it onto your network.


Penetration Testing

A penetration test (also known as a pen test) is a simulated software attack on an information system that looks for cybersecurity weaknesses, potentially gaining access to the system’s features and data. Mitigating vulnerabilities found through pen testing can help prevent unauthorized parties from accessing your organization’s systems and data. A vulnerability scan is completed first, and the vulnerabilities discovered are then tested to see whether access can be gained or malicious actions carried out.

Note: Pen testing can temporarily cause system outages and should be scheduled during non-business hours to prevent disruption.


Social Engineering Audits

This service is the practice of running simulated scams against an organization’s employees to ascertain their level of vulnerability to this type of exploit. Social engineering audits can include physical intrusion scenarios, email scenarios, and phone scenarios. The purpose of these audits is to determine employee awareness of, and adherence to, security policies and procedures. The social engineering audit can be performed on a random sample of staff or, in some cases, on all staff. This is an exercise that should be completed each year to gauge the effect of cybersecurity training and awareness efforts. A report is generated that provides tips for employee training and awareness.


Enterprise Risk Assessments

This is a comprehensive assessment that combines some or all of the services outlined above with a review of your overall cybersecurity program. This assessment includes:

  • A review of your cybersecurity program including policy and governance
  • Establishment of a baseline of your organization’s security controls
  • Review of the system(s) using standards including NIST, HIPAA, PCI, etc.
  • Breach assessment that looks for indicators of a breach and vulnerabilities
  • Technical scanning that includes vulnerability assessment and penetration testing, as required
  • Identification of gaps in security controls
  • Recommendations of mitigations for identified risks
  • A complete report outlining the process, review summary, and recommendations for mitigation of the risks identified.


Cerium’s cybersecurity engagement approach is flexible and tailored to specific client needs. Vulnerability scans can also be scheduled on a monthly, quarterly, annual, or other recurring basis depending on your business needs. For each assessment, a review is completed and a report is provided that identifies the risks present on each of the systems, along with mitigation recommendations.
