Security Risk Assessment
Eagle consultants bring years of experience in assessing information security risk across multiple sectors, including health providers, government, and other industries.
Our Security Risk Assessment protocol is tailored to client objectives, as well as the size, scale, and type of organization. It can explore controls of various security standards (e.g. NIST, ISO 27001/2, CIS) and incorporate a review of controls required by various regulatory requirements (e.g. HIPAA, SOX).
Eagle can perform the Assessment using the FAIR risk assessment methodology or the NIST SP 800-30 methodology, which is required for federal agencies. The Factor Analysis of Information Risk methodology, or FAIR, is recommended by Eagle and is the only international standard quantitative model for information security and operational risks. Using the FAIR methodology, Eagle can develop accurate, quantitative forecasts of risk based on probabilities of potential security failures and estimates of potential financial losses to the organization.
“Gary has always been very helpful and easy to communicate with. I appreciate all the help and guidance he has given me on a recent project. Another company has recently contacted me for a reference, and I gave a high rating.”
The security risk assessment is a very broad study that explores not only technical controls, but also seeks to understand key business processes, the organization’s finances, and existing risk management safeguards such as cyber-liability coverage. Understanding these facts about the organization is essential for identifying the appropriate controls to evaluate. In our analysis, we identify:
- what could go wrong,
- what the organization is doing to prevent these failures,
- what the probability is that a bad event will occur,
- what the losses would be if the bad event occurred, and
- recommendations to reduce risk.
A critical element of our process is the calculation of potential financial impacts that could come from various security failures. We also estimate other impacts, such as reputation damage. For many organizations, the biggest impacts are a result of reputation damage, which can manifest in lost sales, or in the case of government agencies, reduced funding from loss of voter confidence. These impacts are presented in a format that is appropriate to the nature of the organization.
The study explores the presence or absence of controls that are in place to prevent security failures. Eagle also reviews any cyber-liability coverage that may be in place to manage these risks. The report will show decision makers any gaps in insurance coverage and provide recommendations on improvements in controls to reduce the likelihood and/or impact of failures.
Eagle can perform the Risk Assessment using a control and/or regulatory framework of the customer’s choice. Control frameworks can include the Center for Internet Security, NIST, ISO 27002, or the Trust Criteria. Regulatory frameworks can include HIPAA, SOX, CMMC, or others.
“Mike is very professional and knowledgeable. Would highly recommend him to colleagues!”
After identifying key participants from the client, a discovery request will be sent. This request will include copies of security policies, insurance information, lists of relevant third parties, details on software applications and data sets, an inventory of IT assets, recent vulnerability scan results, penetration test results, and other relevant artifacts.
Validation and Testing
The discovery request will be supplemented by one or more interviews with technical staff, system owners, management, and/or any third-party support staff. Any previously completed security tests, such as penetration tests, network vulnerability scans, or application security reviews, will be reviewed. As an option with this process, Eagle can include one or more of these security tests as part of the engagement.
If included in the scope of the Assessment, a walk-through of all facilities, or a representative sample of facilities, can be conducted to evaluate physical security controls.
All data gathered will be documented. Itemization of applicable controls will specify the effectiveness of the control implementation. Risk estimates and calculations will be made. These can include qualitative estimates (e.g. “low”, “medium” or “high” if the client elects the NIST SP 800-30 method), or, for clients who elect the use of the FAIR method, a quantitative calculation of forecast risk using statistical analysis and Monte Carlo simulation. A final written report is provided in a format consistent with client objectives and regulatory requirements. An executive summary is included that details the top findings for key decision makers.
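To make concrete what a quantitative, FAIR-style forecast of this kind looks like, here is an added worked example (it is not Eagle's own model or report format). It takes calibrated minimum / most-likely / maximum estimates for loss event frequency and loss magnitude, samples them with a modified-PERT distribution (an assumption here; the page does not name the distributions Eagle uses), runs a Monte Carlo simulation of many years, and reports the mean and high percentiles of annual loss. It also applies an assumed cyber-liability policy (deductible and limit) to each simulated year, showing the retained loss and the probability that a year's losses exceed the policy limit, which is the kind of coverage-gap figure the insurance review above produces. All scenario numbers are constructed for illustration.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    """One FAIR-style loss scenario: how often loss events occur per year and
    how large each one is, given as min / most-likely / max estimates.
    The values used below are constructed, not client data."""
    name: str
    lef_min: float   # loss event frequency per year, low estimate
    lef_mode: float  # most likely
    lef_max: float   # high estimate
    mag_min: float   # loss magnitude per event (dollars), low estimate
    mag_mode: float
    mag_max: float


def sample_pert(rng, lo, mode, hi, lam=4.0):
    """Modified-PERT sample: a Beta distribution stretched over [lo, hi] with
    its peak at `mode`. A common way to turn calibrated three-point estimates
    into a distribution (assumed here, not taken from the page)."""
    if hi <= lo:
        return lo
    a = 1 + lam * (mode - lo) / (hi - lo)
    b = 1 + lam * (hi - mode) / (hi - lo)
    return lo + rng.betavariate(a, b) * (hi - lo)


def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small yearly rates used here."""
    if lam <= 0:
        return 0
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_loss(scenario, rng, years=10_000):
    """Monte Carlo: for each simulated year draw a loss event frequency, draw
    how many events actually happen from a Poisson with that rate, and sum an
    independently sampled magnitude for each event. Returns one total per year."""
    losses = []
    for _ in range(years):
        lef = sample_pert(rng, scenario.lef_min, scenario.lef_mode, scenario.lef_max)
        n_events = poisson(rng, lef)
        losses.append(sum(
            sample_pert(rng, scenario.mag_min, scenario.mag_mode, scenario.mag_max)
            for _ in range(n_events)))
    return losses


def retained_loss(loss, deductible, limit):
    """Share of one year's loss the organization keeps after a cyber-liability
    policy pays: everything below the deductible plus everything above the limit."""
    return min(loss, deductible) + max(0.0, loss - limit)


def summarize(losses, deductible=None, limit=None):
    """Mean and tail percentiles of annual loss, plus insurance-gap figures when
    a policy is supplied."""
    ordered = sorted(losses)

    def pct(p):
        return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

    summary = {
        "mean_annual_loss": statistics.fmean(losses),
        "p50": pct(0.50), "p90": pct(0.90), "p99": pct(0.99),
        "max": ordered[-1],
    }
    if deductible is not None and limit is not None:
        retained = [retained_loss(x, deductible, limit) for x in losses]
        summary["mean_retained_loss"] = statistics.fmean(retained)
        summary["prob_exceeds_limit"] = sum(1 for x in losses if x > limit) / len(losses)
    return summary


# Constructed scenario: unauthorized disclosure of a patient data set.
EXAMPLE_SCENARIO = LossScenario(
    name="patient data set disclosure",
    lef_min=0.1, lef_mode=0.3, lef_max=1.0,          # events per year
    mag_min=50_000, mag_mode=250_000, mag_max=2_000_000,  # dollars per event
)


def run_example(seed=42, years=10_000, deductible=25_000, limit=1_000_000):
    """Seeded so a report's numbers can be reproduced on request."""
    losses = simulate_annual_loss(EXAMPLE_SCENARIO, random.Random(seed), years)
    return summarize(losses, deductible=deductible, limit=limit)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key:>20}: {value:,.2f}")
```

The p90 and p99 figures are what decision makers usually act on: they show the annual loss the organization should be prepared to absorb in a bad year, and `prob_exceeds_limit` shows how often the assumed policy would be exhausted. Swapping in a tighter frequency range (the effect of a stronger control) or a higher policy limit and re-running the simulation is a direct way to compare remediation options against insurance options in the same units.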
“Very efficient and timely. I’m extremely satisfied with your services.”