So what exactly is a Security Risk Assessment?

A Security Risk Assessment (or SRA) is an assessment that identifies the risks in your company, your technology and your processes and verifies that controls are in place to safeguard against security threats. Security risk assessments are typically required by compliance standards, such as the PCI-DSS standard for payment card security. They are required by the AICPA as part of a SOC II audit for service organizations and are also requirements for ISO 27001, HITRUST CSF and HIPAA compliance, just to name a few. Because each of these frameworks describes the exercise in its own terms, security risk assessments go by many names: a risk assessment, an IT infrastructure risk assessment, a security risk audit, or simply a security audit.

Security Risk Assessments are performed by a security assessor who evaluates all aspects of your company's systems to identify areas of risk. These may be as simple as a system that allows weak passwords, or more complex issues such as insecure business processes. The assessor will typically review everything from HR policies to firewall configurations while working to identify potential risks.

For example, during the discovery process an assessor will identify every database containing sensitive information; each such database is an asset. If that database is reachable from the internet, that exposure is a vulnerability. To protect the asset, you need a control in place; in this case it would be a firewall. With the asset, vulnerability and control identified, you have taken the first step in mitigating risk.

A Security Risk Assessment identifies all your critical assets, vulnerabilities and controls in your company to ensure that all your risks have been properly mitigated.

Why do I need a Security Risk Assessment?

A Security Risk Assessment is vital in protecting your company from security risks. Imagine being tasked with remodeling a house without being told what's wrong with it first. A security risk assessment provides you with the blueprint of risks that exist in your environment and gives you vital information about how critical each issue is. Knowing where to begin when improving your security allows you to maximize your IT resources and budget, saving you time and money.

What's the difference between Risk Management and a Security Risk Assessment?

This is one of the most common questions when people begin to read through security or compliance requirements. The short answer is: a Security Risk Assessment is a point-in-time review of your company's technology, people and processes to identify problems. Risk Management is an ongoing process in which you round up all the identified risks in your company and work towards eliminating them.

Security Risk Assessments are deep-dive evaluations of your company, or of a specific IT project or department. During the assessment, the goal is to find problems and security holes before the bad guys do. The assessment process should review and test systems and people, looking for weaknesses. As weaknesses are found, they are ranked by how big a risk they pose to the company. The resulting report will identify systems that are working well and properly secured, and those that have issues. A Security Risk Assessment will typically have very specific technical results, such as network scanning results or firewall configuration findings.

Risk Management is an ongoing effort to collect all the known problems, and work to find solutions to them. Think of a Risk Management process as a monthly or weekly management meeting. Each week, risks and problems are identified, ranked and then discussed to ensure that nothing is slipping through the cracks. The goal of a Risk Management process is to continually improve the security of a company and work to eliminate all risks as they occur.

What types of systems are involved in a Security Risk Assessment?

A Security Risk Assessment is a far-reaching review of anything that could pose a risk to the security or compliance of the company. Each assessment is tailored to fit the exact purpose and scope requested by the client. Assessments can involve any of the following elements:

Infrastructure

  • Facility Power & Redundancy
  • Backup Power, UPS & Generator Capacity
  • Facility Cooling Capacity & Redundancy
  • Facility Fire Suppression Systems
  • Server Wiring and Cabling
  • Server Rack Infrastructure
  • Facility Physical Security & Tracking Systems
  • Facility Camera & Alarm Systems

Servers & Systems

  • Server Inventory including detected OSes
  • Server Vulnerability Reports
  • Server Resource Utilization
  • Server Backup Processes
  • Redundancy / High Availability Configuration
  • Anti-Virus/Anti-Malware Systems
  • IT Asset Inventory Processes
  • Server Update Processes
  • Identity & Authentication Systems

Network

  • Complete Network Discovery Mapping
  • Discovered Network Inventory List
  • Internal Network Device Vulnerability Scan
  • External Network Device Vulnerability Scan
  • Firewall Vulnerability Scan
  • IDS/IPS Review
  • SPAM Filtering Review
  • Web Filter Device Review
  • Data Loss Prevention Systems Review

Application Scanning

  • Discovery of all internal web applications
  • Discovery of all external web applications
  • Application Vulnerability Assessment
  • Application Server Vulnerability Scanning

Information Security

  • Sensitive Data Inventory
  • Data Classification
  • Data Risk Analysis
  • Data Encryption Review
  • Access Authorization Procedures
  • Access Controls

Policies

  • Comprehensive IT Policy Review
  • Disaster Recovery Plan Review
  • Business Continuity Plan Review
  • Device and Media Control Policy Review
  • Software Development Procedure Review
  • Security Incident Procedure Review
  • Log Monitoring Process Review
  • Workforce Security Policy Review
  • Workforce “Hire and Fire” Policy Review
  • Risk Management Process Review

So how do you perform a Security Risk Assessment?

A Security Risk Assessment typically covers all aspects of a company, from IT to Operations to HR and Accounting. An assessment is a labor-intensive process. Although each assessment is unique to the company and scope, assessments typically take 30-60+ days and contain the phases outlined below:

Initial Discussion

Adsero schedules a conference call to discuss your company, your procedures and what your goals are during the Risk Assessment process.

Onsite Discovery

Next, our team of experts will spend time at your facility to perform an onsite review of your technology and processes.

Analysis

Adsero Security's analysts then take the information gathered during the onsite visit and begin identifying risks, along with any controls you may already have in place.

The Report

Once all the analysis is complete, you will receive a complete Risk Assessment report that outlines all your assets, vulnerabilities and risks. The report includes recommendations on how to improve your overall security and compliance.
