Risk Assessments as a Road Map to a More Secure Organization
Cybersecurity starts with a review or assessment of your overall program or of a specific system. A cybersecurity risk assessment establishes a baseline of the current state of your information security controls. By giving you a clear understanding of your organization's risks, it can act both as a catalyst for change and as a roadmap for improving your overall security posture. There are several types of risk assessments to consider, and the right choice depends on your organization's goals and regulatory requirements.
Compliance Risk Assessments
This assessment is a review of an overall cybersecurity program or information system against a defined compliance control baseline to determine where risks or vulnerabilities are present. Many organizations face steep penalties or fines for non-compliance with federal, state or industry security regulations. A compliance risk assessment not only helps protect your organization from security threats, but can also save thousands of dollars in fines should a breach or incident occur, by demonstrating that required controls were in place. Types of compliance assessments we provide include HIPAA, GLBA, FISMA, NIST, FTI, CJIS, PCI, and SOX.
External Vulnerability Assessments
This assessment consists of a scan of all systems that are reachable from the Internet. Most organizations have Internet-facing web pages, login pages for various services, and/or customer-facing applications. Verifying that these external systems are patched and correctly configured helps protect your organization from real-world threats such as cross-site scripting, brute-force password attacks, and denial of service (DoS) attacks. Because this scan is performed from outside your network, it shows the same exposure an attacker would see.
Internal Vulnerability Assessments
An internal assessment is a scan of all internal systems, or of a specifically identified subset of them, performed from inside your network. This assessment helps ensure that a second line of defense is in place should malicious software or a malicious user make it past the perimeter: unpatched internal hosts, weak configurations, and unnecessary services are the paths an intruder uses to move laterally once inside.
Penetration Testing
A penetration test (also known as a pen test) is a controlled, simulated attack on an information system that looks for cybersecurity weaknesses and attempts to exploit them to gain access to the system's functions and data. A vulnerability scan is completed first, and the vulnerabilities it discovers are then tested by hand to confirm whether access can actually be gained or damage actually caused. This distinguishes real, exploitable risks from scanner findings that are false positives or are mitigated by other controls. Mitigating the vulnerabilities confirmed through pen testing helps prevent unauthorized parties from accessing your organization's systems and data.
Note: Pen testing can cause temporary system outages. It should be performed within an agreed scope and rules of engagement, and scheduled during non-business hours to prevent disruption.
Social Engineering Audits
This service is the practice of running simulated social engineering attacks against an organization's employees to measure how vulnerable they are to this type of exploit. Social engineering audits can include physical intrusion scenarios, email (phishing) scenarios and phone (pretext call) scenarios. The purpose of these audits is to determine employee awareness of, and adherence to, security policies and procedures. The audit can be performed on a random sample of staff or, in some cases, on all staff. It is an exercise that should be repeated each year to gauge the effect of cybersecurity training and awareness efforts. A report is generated that provides results and recommendations for employee training and awareness.
Enterprise Risk Assessments
This assessment is a comprehensive engagement that combines some or all of the services outlined above with a review of your overall cybersecurity program. It includes:
- A review of your cybersecurity program including policy and governance
- Establishment of a baseline of your organization’s security controls
- Review of the system(s) using standards including NIST, HIPAA, PCI, etc.
- Breach assessment that looks for indicators of compromise and for the vulnerabilities that would allow one
- Technical scanning that includes vulnerability assessment and penetration testing, as required
- Identification of gaps in security controls
- Recommendations of mitigations for identified risks
- A complete report outlining the process, review summary, and recommendations for mitigation of the risks identified.
Cerium's cybersecurity engagement approach is flexible and tailored to each client's specific needs. In addition, vulnerability scans can be scheduled on a monthly, quarterly, annual, or any other recurring basis, depending on your business needs. For each assessment, a review is completed and a report is provided that identifies the risks present on each system, along with recommendations for mitigating them.