Where Cybersecurity Begins

Risk Assessments as a Road Map to a More Secure Organization

Cybersecurity starts with a review or assessment of your overall program or of a specific system. A cybersecurity risk assessment establishes a baseline of the current state of your information security controls. By providing a clear understanding of your organization’s risks, it can act as both a catalyst for change and a roadmap to improving your overall security posture. There are several types of risk assessments to consider, and they vary depending on your organization’s goals and regulatory requirements.

Compliance Risk Assessments

This assessment is a review of an overall cybersecurity program or information system against a compliance control baseline to determine where risks or vulnerabilities are present. Many organizations face steep penalties or fines for non-compliance with federal, state, or industry security regulations. A compliance risk assessment not only helps protect organizations from security threats, but can potentially save your organization thousands of dollars in fines should a breach or incident occur. Types of compliance assessments we provide include HIPAA, GLBA, FISMA, NIST, FTI, CJIS, PCI, and SOX.

External Vulnerability Assessments

This assessment consists of a scan of all systems that are accessible from the Internet. Most organizations have Internet-facing web pages, login pages for various services, and/or customer-facing applications. Ensuring your external systems are secure can help protect your organization from real-world threats such as cross-site scripting, brute-force, or denial of service (DoS) attacks.

Internal Vulnerability Assessments

An internal assessment is a scan of all, or specifically identified, internal systems. This assessment can help ensure that you have a second line of defense in place should malicious software or users make it onto your network.

Penetration Testing

A penetration test (also known as a pen test) is a software attack on an information system that looks for cybersecurity weaknesses, potentially gaining access to the computer’s features and data. Mitigating vulnerabilities found through pen testing can help prevent unauthorized parties from accessing your organization’s systems and data. A vulnerability scan is completed first, and the vulnerabilities discovered are then tested to see whether access can be gained or malicious actions carried out.

Note: Pen testing can temporarily cause system outages and should be completed during non-business hours to prevent disruption.

Social Engineering Audits

This service is the practice of attempting faux scams against an organization’s employees to ascertain their level of vulnerability to this type of exploit. Social engineering audits can include physical intrusion scenarios, email scenarios, and phone scenarios. The purpose of these audits is to determine employee awareness of, and adherence to, security policies and procedures. The social engineering audit can be performed on a random sampling of staff or, in some cases, on all staff. This is an exercise that should be completed each year to gauge the effect of cybersecurity training and awareness efforts. A report is generated that provides tips for employee training and awareness.

Enterprise Risk Assessments

This is a comprehensive assessment that combines some or all of the services outlined above with a review of your overall cybersecurity program. It includes:

  • A review of your cybersecurity program including policy and governance
  • Establishment of a baseline of your organization’s security controls
  • Review of the system(s) using standards including NIST, HIPAA, PCI, etc.
  • Breach assessment that looks for indicators of a breach and vulnerabilities
  • Technical scanning that includes vulnerability assessment and penetration testing, as required
  • Identification of gaps in security controls
  • Recommendations of mitigations for identified risks
  • A complete report outlining the process, review summary, and recommendations for mitigation of the risks identified

Cerium’s cybersecurity engagement approach is flexible and tailored to specific client needs. Vulnerability scans can also be set up to run on a monthly, quarterly, annual, or any other timeline depending on your business needs. For each assessment, a review is completed and a report is provided that identifies the risks present on each system, along with mitigation recommendations.
