Risk assessments serve as the very core of virtually every cybersecurity regulation, framework, and governance model. Risk assessments help companies catalog the likelihood and impact that cyber, physical, and other threats will exploit weaknesses and vulnerabilities within the environment. The end goal of a risk assessment is to provide an actionable plan for remediating weaknesses and alleviating risk in the future. Partners in Regulatory Compliance (PIRC) realizes this through hand-written, prioritized remediation statements for every area of risk discovered through the risk assessment process.

These assessments serve as a baseline from which organizations can then launch into future planning, policy work, and budgeting. Too often, organizations spend money on technical controls, then wrap policy around those controls, and finally ask a third-party to “grade the paper” via a risk assessment.

PIRC advocates for a change to this methodology. In fact, in our view, the entire order of operations should be flipped. Companies should perform risk assessments first, then use their risk baseline to inform and guide written policy, and then use that policy to direct hardware, software, and other purchasing decisions around risk mitigation controls.

PIRC follows the approach of NIST SP 800-30, Guide for Conducting Risk Assessments. This methodology was created in 2002 and later revised in 2012 to its current form. It was created through collaborative efforts by a joint task force (JTF). The JTF included members of the DoD, other federal agencies, and the private sector. We follow the NIST standard for risk assessments because it is the de facto standard for performing risk assessments, regardless of regulation, vertical, or location.

The following infographic shows the steps our cybersecurity consultants take during a risk assessment.

Phase 1. Discovery

Historic Information Collection and Review

Our cybersecurity consultants review existing policy, network documentation, and results of any previous risk assessments, penetration testing or other security assessments such as SOC or SSAE audits relevant to the scope of the risk assessment.

Vulnerability Assessment

Our cybersecurity consultants perform vulnerability discovery across the organization. They assess vulnerabilities on the public-facing networks and ship a laptop to your organization to perform full internal vulnerability discovery.

Phase 2. Interview

Expert cybersecurity consultant-led, interview-driven discovery focuses on the following areas:

Operational and Historical Analysis

An overview of the operational model of the organization, a review of provided historical test or assessment results, and a review of any recent information security activities and challenges.

Data Assessment

Definitions of the data used by the organization that is classified as sensitive or critical, and some basic definitions of how this data is used by the organization. The objective is to provide a detailed summary of where this data moves through the organization's business processes, documenting associated applications, physical media, paper documents, and third parties.

Controls Review

The final phase of the interview focuses on documenting information security controls, along with any notable control challenges.

Phase 3. Simulation

Threat Simulation

This is a collaborative exercise in which the information collected is used, along with basic threat modeling, to discuss and score the likelihood and impact of potential risks facing the organization.

Phase 4. Reporting

Documentation

Expert cybersecurity consultants will finalize documentation of the details discovered during the risk assessment. Statements of critical risks will be generated from the information collected during the assessment and the output of the threat simulation exercises. After establishing the most critical risk statements encountered during the engagement, our cybersecurity consultants will create prioritized action plans with recommended action items to address each established risk statement. The output of the risk assessment will be a document that includes risk statements with scored priorities and recommendations for safeguards where appropriate. This document will serve as a security plan and roadmap for initiatives in the coming year.

Review and Closeout

Your assessment documentation will be provided to you through our secure file sharing utility within 30 days of beginning the documentation phase. 14 days will be allowed to review the final document prior to the final close-out review. This is where you will take time to thoroughly review the document and note any questions or follow-up items. The assigned cybersecurity consultant will schedule a close-out call within 14 days of providing the assessment report. This call will serve as a final review, and will be used to address any follow-up questions, or to identify and make any required modifications to the risk assessment report and information security plans.