Cybersecurity Risk Assessment and Analysis

Being Aware is Being Prepared

Regular risk assessments are a fundamental part of any substantive risk management process. They help you arrive at an acceptable level of risk while drawing attention to any required control measures. If you don’t assess your risks, they cannot be properly managed, and your business is left exposed. Risk assessment is a continual process, and its findings should be reviewed regularly to ensure they are still relevant. A successful risk assessment process is one that helps you cost-effectively reduce risks and is aligned with your business goals. Sage can help you conduct risk assessments on any application, function, or process.

Information Technology Infrastructure Risk Assessment

The IT Infrastructure Risk Assessment looks at the design, configuration, and operational processes that are critical to your information technology infrastructure. We identify the inherent risks (operational, reputational, strategic, compliance, transactional) posed by probable threats, assess current protections, and determine residual risk levels. If our assessment determines that your IT infrastructure is at undue risk, we recommend specific mitigation strategies.

Risk Assessment Benefits

  • Identifies and characterizes each functional information asset and the supporting infrastructure.
  • Identifies probable threats and related inherent risk.
  • Documents current mitigating and compensating (internal and external) controls.
  • Calculates the residual risk based upon likelihood and impact of a vulnerability being exploited by an identified threat.
  • Provides prioritized, actionable recommendations to reduce the residual risk and enhance security at the organization.

Sage's Collaborative Approach

The Sage approach to assessing risk is to concentrate on the functionality, the flow of information, and the underlying technology of the defined area. Our methodology is based upon NIST SP 800-30 guidance, adapted by us to meet any applicable regulatory or compliance standards. We employ a multi-step process to evaluate the current level of risk and, if required, to produce appropriate remediation recommendations.

  1. Define the process and service components, and determine viable threats related to the delivery of associated products and services.

  2. Measure the organizational impact if the threat were to be exercised.

  3. Determine the relationship between the significant threats and relevant categories of threat prevention, mitigation, detection, or compensating controls.

  4. Evaluate the adequacy of the controls in each category. The assessment does not include audit or testing of controls.

  5. Determine how likely the threat is to occur, taking into account the control environment.

  6. Calculate the risk level using the quantitative methodology defined in the National Institute of Standards & Technology (NIST) Special Publication 800-30. The NIST methodology considers potential impact and likelihood of occurrence.

  7. Align the threat control categories and NIST risk calculations with the following defined risk categories:
    • Strategic risk related to adverse business decisions, or the failure to implement appropriate business decisions in a manner that is consistent with the institution’s strategic goals.
    • Reputational risk related to negative public opinion.
    • Operational risk related to loss resulting from inadequate or failed internal processes, people, and systems, or from external events.
    • Transactional risk related to problems with service or product delivery.
    • Compliance risk related to violations of laws, rules, or regulations, or from noncompliance with internal policies, procedures, or business standards.

  8. Document the residual risk to the organization per risk category, as defined above.

  9. Document risk reduction and security enhancement recommendations.
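The following is an added illustration of steps 4 through 8 above, not Sage's own tooling or report logic: it scores each threat with the likelihood-times-impact method of NIST SP 800-30 and rolls the worst residual score up per risk category. The likelihood weights, impact magnitudes and High/Medium/Low bands are those of Table 3-6 in the original SP 800-30; the rule that adequate controls lower likelihood by one step, and the sample threat register, are assumptions of this example.

```python
"""Residual-risk calculation in the NIST SP 800-30 style described above.

Added example for illustration, not Sage's own tool or report logic. Likelihood
weights (1.0/0.5/0.1), impact magnitudes (100/50/10) and the High/Medium/Low
bands follow Table 3-6 of the original SP 800-30; the rule that adequate
controls lower likelihood one step, and the sample threats, are assumptions.
"""
from dataclasses import dataclass

LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_MAGNITUDE = {"High": 100, "Medium": 50, "Low": 10}
ONE_STEP_LOWER = {"High": "Medium", "Medium": "Low", "Low": "Low"}

@dataclass
class Threat:
    name: str
    category: str              # Strategic, Reputational, Operational, Transactional, Compliance
    inherent_likelihood: str   # likelihood before the control environment is considered
    impact: str                # step 2: organizational impact if the threat is exercised
    controls_adequate: bool    # step 4: evaluation (not testing) of the relevant controls

def residual_likelihood(t: Threat) -> str:
    """Step 5: likelihood after taking the control environment into account (assumed rule)."""
    return ONE_STEP_LOWER[t.inherent_likelihood] if t.controls_adequate else t.inherent_likelihood

def risk_score(likelihood: str, impact: str) -> float:
    """Step 6: SP 800-30 risk = likelihood weight x impact magnitude, on a 1..100 scale."""
    return LIKELIHOOD_WEIGHT[likelihood] * IMPACT_MAGNITUDE[impact]

def risk_level(score: float) -> str:
    """SP 800-30 Table 3-6 bands: High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
    return "High" if score > 50 else "Medium" if score > 10 else "Low"

def residual_risk_by_category(threats: list) -> dict:
    """Steps 7-8: the worst residual risk in each risk category and the threat driving it."""
    worst = {}
    for t in threats:
        score = risk_score(residual_likelihood(t), t.impact)
        if t.category not in worst or score > worst[t.category]["score"]:
            worst[t.category] = {"score": score, "level": risk_level(score), "threat": t.name}
    return worst

# Constructed sample threat register, not real findings.
SAMPLE_THREATS = [
    Threat("Unpatched internet-facing server", "Operational", "High", "High", False),
    Threat("Backup restore failure", "Transactional", "Medium", "High", True),
    Threat("Customer-data regulatory breach", "Compliance", "Medium", "Medium", False),
    Threat("Key vendor outage delays roadmap", "Strategic", "Low", "Medium", True),
]
```

Calling `residual_risk_by_category(SAMPLE_THREATS)` yields Operational High (100), Compliance Medium (25), Transactional Low (10) and Strategic Low (5), which is the per-category residual view that step 8 documents.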

Reports and Deliverables

The report consists of an Executive Synopsis, which provides an accurate picture of the risks associated with the system, application, function, or process included within the engagement. All supporting findings and control details are provided along with any applicable recommendations to reduce risk and/or enhance the security posture of your organization.

Sections include:

  • Executive Synopsis
  • Section 1: Findings and Recommendations (including management responses, as appropriate)
  • Section 2: Risk Assessment Calculations
  • Section 3: Control Detail by Category

This report can serve as a foundational document for annual updates, as well as a template for future assessments.

No one is immune to cyber-attacks

Are you struggling to find the time to effectively monitor your network for potential threats? Let nDiscovery do the detective work for you! We translate generic threat data into specific actionable intelligence – cutting through the noise so you can focus on what is truly important.
