SOC 2 and NIST 800-53

SOC 2 and NIST 800-53

Both SOC 2 and NIST 800-53 play a large role in regulatory compliance. Both aim to protect data in the cloud and are critical in today’s environments to ensure information security. The SOC 2 Framework and NIST 800-53 Publication go hand- in- hand, and adhering to both sets of controls will provide your company with sufficient data protection.

In order to assess our information systems, we first need to take a closer look at both SOC 2 and NIST 800-53.

SOC 2

SOC 2 is a framework created by the American Institute of Certified Public Accountants (AICPA). SOC 2 is one of the most used frameworks in the technology industry and applies to all organizations and enterprises where customer data is stored and processed in the cloud. SOC 2 is unique to each individual organization and can be lined up with specific business practices. SOC 2 also aligns with requirements of today’s cloud environment.

Trust Service Criteria (TSC)

The Trust Service Criteria (TSC) serve as the control areas for managing a reporting on information and systems. The five TSC are as follows:

  1. Security: Protection of resources against unauthorized access. Examples include multifactor authentication and an intrusion detection system.
  2. Availability: The accessibility of system, products, or services as stated in the Service Level Agreement (SLA). An example would be a failover cluster.
  3. Processing integrity: Whether or not a system achieves its purpose. Assessing if the system processing is complete, accurate, timely and authorized.
  4. Confidentiality: The information is restricted to a specified set of persons or organizations, as stated in the agreement. For example, using encryption and network security tools.
  5. Privacy: Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the service organization’s privacy notice, and with criteria set forth in generally accepted privacy principles issued by the AICPA.

Type 1 and Type 2

A SOC 2 Type 1 Audit assesses systems at one point in time. It tests to see whether the system’s design is suitable to meet the relevant trust principles. A SOC 2 Type 2 Audit tests the operational effectiveness of systems over a period of time. Most companies will start with a SOC 2 Type 1 and then follow with an annual SOC 2 Type 2 audit. 

Requirements

The main requirement for SOC 2 is that the organization must develop written policies and procedures that are followed by everyone. The organization must also actively monitor all systems and information, ensuring that there is no unusual activity or access. It is also crucial that the organization sets up automatic alerting for anomalies when accessing data.

NIST 800- 53

NIST 800- 53 is a publication providing comprehensive security controls for federal information systems, published by the National Institute of Standards and Technology (NIST). NIST 800-53 covers steps in Risk Management Framework. It includes 8 control families and over 900 requirements. Organizations may also adhere to controls which apply to them and the security level of the data they store (Low, medium, or high). These controls can be tested during a SOC 2 audit. NIST provides guidance for complying with FISMA.

FISMA

To demonstrate compliance with NIST 800-53, organizations should look to becoming compliant with the Federal Information Security Management Act (FISMA). FISMA is a requirement for federal agencies to develop, document, and implement an information security and protection program.

Some specific goals of FISMA include:

  • Implementing a risk management program
  • Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction
  • Ensure the integrity, confidentiality and availability of sensitive information

FISMA requires organizations to do the following:

  • Maintain an inventory of information systems.
  • Categorize information and information systems according to risk level.
  • Maintain a system security plan.
  • Implement security controls
  • Conduct risk assessments.
  • Certification and accreditation.
  • Conduct continuous monitoring.

Best practices for FISMA are geared towards federal agencies that protect sensitive data. Best practices and requirements include encrypting everything, keeping up to date with FISMA standards, classifying information as it is created, and maintaining documentation of FISMA compliance efforts.

Compliance with both SOC 2 and NIST 800-53 provide organizations with a number of benefits, especially increasing data security. The main difference between the two is that SOC 2 is part of the System and Organizational Controls (SOC) framework, and NIST 800-53 is a publication. A full mapping of SOC 2 and NIST 800- 53 can be found on the AICPA website.

Security and Privacy Issues with Zoom

Security and Privacy Issues with Zoom

With the increase of employees turning to remote work during the pandemic, companies have been relying on video conferencing platforms, such as Zoom, for regular meetings and communication between employees. According to Check Point, there have been 1,700 new Zoom domains registered since the pandemic began, a quarter of these domains were registered just in the past week. Attackers have noticed the spike in users, which raises concerns for businesses that use Zoom. There have also been an increase in privacy concerns due to the sensitivity of information that is now being transferred over the platform.

In Zoom conferences, anyone with the right link can enter a teleconference and share a screen, even without a Zoom account. There have been new complaints about users being Zoom- bombed, which is when unwanted guests intrude on video meetings for malicious purposes. Recently, two online classrooms in Massachusetts were interrupted by an anonymous attacker during instruction. During the online classroom meeting, an unidentified person yelled profanity during instruction before shouting the teacher’s home address. Another classroom was disturbed by an intruder who displayed his hate tattoos to all the students and the teacher.

There have been several of these intrusions on online classrooms as well as in business conferences. Users have made several reports of conferences being interrupted by graphic images and threatening language. As a result, many schools and businesses have completely switched to other platforms, such as Microsoft Teams and Google Hangouts.

This is not the first time Zoom had security flaws in their platform. In 2019, security researcher Jonathan Leitschuh found a vulnerability in the Mac Zoom Client. When a user downloaded the Zoom app, Zoom silently installed a hidden web server on the device without the user’s permission. This web server allowed websites to join in on any Zoom call when their video camera was activated, a flaw that also impacted Ringcentral. This web server remained on the device, even if the Zoom app was uninstalled. At the time, there were 750,000 companies using Zoom for business purposes that were put at risk due to this vulnerability. Apple and Zoom have since resolved this issue for Mac users.

Another vulnerability found by Check Point researchers was quickly fixed by Zoom. Zoom calls had a randomly generated ID number between 9 and 11 digits long that allowed users to locate and join a specific call. Check Point researchers were able to predict which were valid meetings and join in on them. Zoom allows video conferences to have hundreds of participants, so it was easy for an attacker to join a call unnoticed. Zoom recently changed the randomly generated numbers into a more “cryptographically strong” one, added more digits to meeting ID numbers, and made requiring passwords default for future meetings.

Allowing vulnerable servers to run on devices makes it easier for attackers to intrude on conferences. While removing the vulnerable web server was a big help, attackers are still able to access meetings over Zoom. Officials warn businesses and individuals about an increase in phishing emails for attackers to enter and exploit networks. These can be especially detrimental to remote workers, as cybersecurity and information security is often weaker at home than in the office. Check Point researchers confirmed that at least 70 of the newly created Zoom domains were being used maliciously, often as phishing websites in order to steal unsuspecting users’ personal information.

Users have also expressed concerns over Zoom’s privacy flaws. Zoom allows hosts to see if participants have been on a different screen for more than 30 seconds. Additionally, for paid subscribers, a host can record the meeting and have access to text files of any active chats that take place during the meeting. The host can then save these files to the cloud where it can be shared and accessed by other authorized users.

Earlier this week, there were questions raised about Zoom sharing customer data with Facebook, even if the users did not have a Facebook account. The Zoom app notified Facebook when the user opened the app, details on the user’s device including where the device is located and phone carrier, and a unique advertiser identifier created by the user’s device. With this information, companies could target a user with specific advertisements. This practice is not new and is fairly common with major applications. Several apps use Facebook’s Software Development Kit (SDK) to implement features on their apps, which ultimately sends information to Facebook. This concern has since been addressed and fixed by Zoom. Zoom now enables users to log in with Facebook via browser, rather than through the Facebook SDK.

The privacy of Zoom calls has particularly raised concerns for parents whose children are now using Zoom for education. However, Zoom claimed that their service for schools complies with federal laws on educational and student privacy.

Many officials are worried that Zoom has not taken any precautions when dealing with the spiked volume of users. The New York Attorney General warns that the existing security practices may not translate well with the volume and sensitivity of data now being transferred through Zoom.

Zoom’s cloud meeting app is now one of the most popular apps being downloaded on iPhones. Here are some tips to protecting your Zoom conferences:

  • Keep conferencing private rather than public and refrain from posting the links to your conferences on social media
  • Keep the screen- sharing feature only to the host
  • Lock meetings when they are in session so no new participants can join
  • Mute participants and disable the file transfer feature when it is not in use
Coronavirus and Ransomware

Coronavirus and Ransomware

According to Health Care Dive, 1,500 health care companies have been hit by a ransomware attack in the past four years. Healthcare companies like hospitals and clinics are often a target for these attacks because they store sensitive information and commonly lack cybersecurity. Ransomware attacks have changed in the past week as the Coronavirus pandemic impacts hospitals and healthcare organizations around the world.

Brno University Hospital

On March 13, Brno University Hospital in Brno, Czech Republic was hit by a ransomware attack that led to the cancellation of surgeries and the re-routing of all new patients to nearby St. Anne’s University Hospital. Brno University Hospital is one of the Czech Republic’s biggest COVID-19 testing laboratories. As the origin of the attack remain unknown, the attack was severe enough for the IT team to shut down the entire hospital’s infrastructure. This resulted in the delay of dozens of Coronavirus test results and surgeries.

Security experts warn that hospital staff has no time to worry about cybersecurity during this time. Flavius Plesu, founder and CEO of OutThink, claims that cybercriminals are remorseless and actively target healthcare facilities. Plesu and other professionals believe that prevalence of ransomware attacks will only increase during this crisis. Experts urge healthcare companies to continue providing as much cybersecurity training to their employees as possible.

Champaign- Urbana Public Health District

Just weeks prior to the Brno University Hospital ransomware attack, cybercriminals targeted the Champaign- Urbana Public Health District in Illinois. The ransomware was called Netwalker and it entered the network using a phishing campaign. Attackers have posed as helpful news article companies, healthcare providers, and public health agencies to lure victims into clicking the attachments in the emails that they send. In February, the World Health Organization (WHO) warned individuals about phishing scams related to the Coronavirus.

A Change of Heart?

As we’ve seen cybercriminals exploit healthcare organizations during the pandemic, one ransomware operator has pledged to avoid attacking them. According to BleepingComputer, operators of the Maze Ransomware stated that they will stop “all activity versus all kinds of medical organizations until the stabilization of the situation with the virus”.

Operators of DoppelPaymer Ransomware expressed that they do not normally target hospitals and will continue no to during this time. They added that if the group accidentally attacks a hospital, they will decrypt the victim’s data for free.

However, other operators were not as generous. Operators of the Netwalker Ransomware stated that no one, including them, has a goal to attack hospitals. Although, if they do attack a hospital by accident, the hospital must pay for the decryption.

In the event that a hospital becomes a victim of a Ransomware attack, Emisoft and Coveware have partnered together to offer free ransomware services. Their goal is to allow hospitals to remain operational in the shortest time possible following an attack.

Tips for Ensuring Cyber Safety When Working From Home

Tips for Ensuring Cyber Safety When Working From Home

As organizations shift to remote work during the viral outbreak, employees become vulnerable to cyber attacks if they are working outside of a secure network. This raises concerns for IT Security professionals. Some of these challenges include establishing a secure connection through all employee devices and keeping up to date with security patches and updates. It is crucial for all employees to be aware of security risks when working from home in order to ensure business continuity. Take these steps to securing your company’s data while working remotely.

1. User Education

Employees are often the main target for cyber crime. One crime cyber criminals often engage in to access a company’s network is phishing. A common example of phishing is when an attacker sends out an email to an employee, posing as a legitimate person or organization, and persuades the employee to click the attached link. Employees are often tricked into entering their employee ID and password.

Users should be trained on what a phishing email looks like and who to report to if they receive a suspicious email. Cyber criminals take advantage of employees that work from home, as there is usually less security in one’s home than at the office.

2. Secure Workspace

Ensure that employees are practicing physical machine safety as much as cyber safety. Employees should not work in a public area if they are working with sensitive information and should always lock their computers when unattended. Although working remotely takes place of working in the office, employees should continue to use best practices for physical machine safety.

Employees should also ensure that they are working through a secure connection. Employees should avoid working on public WiFi and should always use a VPN connection if the company has one. IT Security should make certain that VPN patches are up to date.

3. Monitor and Log

As employees will be accessing the company’s network from a number of endpoints, it is important to perform continuous monitoring and logging. The IT Security team should be notified immediately when an untrusted connection is made, and respond quickly to the alert.

4. Review Company Policy

Policies and procedures should be reviewed by all employees before starting to work remotely. This will provide guidelines when working from home. Some policies to review include:
– Access Control Policy
– Mobile Device Management Policy
– Alerts & Notifications Policy
– Network Security Policy
– Physical Access Control Policy
– Transmission Security Policy

Ryuk Ransomware

Ryuk Ransomware

How to Protect Your Organization from Ransomware Attacks

Ryuk Ransomware is a type of ransomware that targets businesses and corporate environments. Ryuk enters victims’ systems and encrypts their data. The attackers demand payments via Bitcoin cryptocurrency and instructs victims to deposit the ransom into a specific Bitcoin wallet to decrypt their information. A Russian hacker group named Wizard Spider has been responsible for the execution of Ryuk since August 2018. Since Ryuk’s appearance in 2018, threat actors have netted over 708.50 Bitcoins across more than 52 transactions, totaling over $3.7 million.

How does Ryuk work?

The malware enters a system when a victim clicks on a phishing email or clicks a pop up ad with Ryuk embedded in it. A dropper is triggered, which examines the system’s architecture. The dropper then writes an executable that corresponds to the system, which begins the encryption process. Ryuk is preconfigured to inject malicious code into 40 processes and 180 services including antivirus tools, databases, and back ups.

How can I protect my organization from Ryuk?

Ryuk can be detrimental to any business or organization. Although prevention is key, it is important to know what steps to take in the event that your network is compromised.

1. Compose Annual Employee Security Training

Employees are often the weakest link to information security, so it is crucial that they are educated on cyber attack methods and risks. They should be able to identify phishing emails and trained to avoid advertisements and illegitimate websites on their work machine.

2. Implement a Well- Written Disaster Recovery Plan and Business Continuity Plan

In the event that your organization is attacked, you should have procedures in place to continue with business processes. A necessary item to include in these plans are data back- up processes; where the back up data is stored and how to retrieve it. Another important step is prioritizing all your assets that are imperative to business functions.

3. Continuously Update

It is crucial to frequently update your anti- virus software, firewalls, and operating systems to prevent an attacker from exploiting any security holes. Run routine security scans on all machines and perform regular Security Risk Assessments. Additionally, check that your Disaster Recovery Plan is updated frequently and working.

The Importance of IT Security Policies

The Importance of IT Security Policies

IT security policies are necessary in organizations as they define who has responsibility of what information within the company. Policies are the baseline of all procedures and should be maintained regularly.

Why Do Organizations Need Security Policies?

IT security policies outline rules for user and IT personnel behavior. These policies also identify consequences for not adhering to them. Policies are also crucial in ensuring compliance with regulations such as NIST and HIPAA. Policies should define risks within the organization and provide guidelines on how to reduce these risks. They should be modified to fit the company’s need.

Writing an Effective IT Security Policy

  1. Conduct a Security Risk Assessment to identify all your critical assets, vulnerabilities, and controls in your company. Use this assessment to determine ways to reduce or eliminate these risks.
  2. Determine the scope of the policy including who the policy will address and what assets will be covered.
  3. Ensure your policy is written to be easily understood by employees and enforced by management. Employees need to be explicitly aware of the consequences of not complying with the policy. These policies will help with the development of procedures, so it is important to write the policies clearly.
  4. Update your policies at least once a year to keep them up to date with your company’s procedures and security concerns.

Common IT Security Policies:

  • Access Authorization
  • Acceptable Use
  • Breach Notification
  • Change Management
  • Data Backup Plan
  • Employee Screening
  • Employee Training
  • Encryption and Decryption
  • Media Security
  • Network Security
  • Password Management
  • Secure Development
  • Security Incident Response
  • Vendor Management
  • Vulnerability Management

The need for certain IT security policies is dependent on the company data itself. For example, if a company handles customer health data, they should consider implementing a HIPAA Acceptable Use Policy.

Is Your Password Secure?

Is Your Password Secure?

Tips for Creating a Strong Password

Passwords can be an inconvenience to remember, especially when you have dozens of applications and accounts to log into everyday. However, with the increase in phishing and ransomware attacks, passwords can be the main line of defense when securing your data. Once an attacker knows your password, your personal data and your company’s data may be at risk. Employees are often the weakest link of any organization’s information security, so it is important to ensure that you and your employees follow these tips. These steps should be outlined in a strong, detailed password policy.

1. Use a longer password with a mix of letters, numbers, and symbols.

Making passwords more complex can hinder the possibility of an attacker guessing the password. Using an easy password such as NYClover can be strengthened by adding numbers and symbols. For example, the password N3wY0rkC!tyL0v3r is more secure.

2. Never use a word or phrase that is easy to guess or contains personal information.

Using personal information such as your middle name or birthday can be risky, especially when it is found on your social media. Using full words or phrases in your passwords may also make them easy to guess. See the list of 1000 most used passwords and avoid using them.

3. DO NOT use the same password for all your accounts.

Using the same password for all your accounts can be dangerous. By doing so, an attacker may be able to access all of your accounts with just one password.

4. Never write down your passwords on paper.

Writing down your passwords can make you a target for shoulder surfing. Passwords managers, such as LastPass, should be used to remember your passwords and should also have a strong master password.

5. Use Multifactor Authentication (MFA).

Using MFA can help secure your account just incase your password is compromised. MFA can be a one time code sent to your phone or email. Google allows users to set up MFA manually.

6. Change your passwords consistently.

Passwords should be changed on a regular basis, just in case your current password gets compromised. Many applications require users to change passwords after 90 days or X increment, while others may just recommend changing your password after a certain period of time. Best practice is to change your password on a consistent basis, preferably 90 days or less.

How to Prevent Phishing Attacks Against Your Organization

How to Prevent Phishing Attacks Against Your Organization

What is a Phishing Attack?

In recent news, several large companies including Microsoft and Facebook have been affected by phishing attacks. Phishing is a type of cybercrime that happens when an attacker poses as a legitimate company or website in order to divulge sensitive information from the victim. This can be the victim’s social security number, credit card number, or login credentials. Phishing attacks can take place over the phone, instant messaging, or email. Phishing differs from other cybercrimes as it requires human interaction; attackers target end- users rather than the actual computer systems. These attacks can be damaging to a company; however, they can be prevented.

How Does a Phishing Attack Work?

A common example of phishing occurs when a company employee receives an email prompting them to change their company password. This email usually includes a link that brings the victim to a legitimate looking website. Here, the victim inputs their credentials. The attacker now has the victim’s login information and access to the company network. After gaining access to the company network, the attacker may be able retrieve confidential information to hold as Ransomware or find other security holes to exploit.

How Can I Prevent a Phishing Attack?

1. Use Web and Email Filters

Applying web and email filters can help filter out spam content from legitimate content. See examples of web filters.

2. Compose New Hire and Annual Security Training for Employees

Many times, attackers can bypass web or email filters, so it is vital to provide comprehensive security trainings to employees. Educate employees on the different methods attackers may use and the consequences phishing attacks may have on the company. Send a fake phishing email to employees to familiarize them with illegitimate emails and webpages. Train them on ways to identify a phishing email. Also, have a well- written Acceptable Use Policy and Security Awareness Policy.

3. Stay Updated

It is crucial to frequently update your anti- virus software, firewalls, and operating systems to prevent an attacker from exploiting any security holes. Run routine security scans on all machines and perform regular Security Risk Assessments. Additionally, check that your Disaster Recovery Plan is updated frequently and working.

4. Review Company Website and Information

Phishing attacks require the attacker to research the company such as employee names and contact information. Attackers may also look into the vendors the company uses such as types of machines and operating systems. Ensure that accessibility to employee and vendor information is limited.

5. Be In the Know

Be aware of new cybercrime cases and vulnerabilities in the news, blogs, and security bulletins. Often, security cannot keep up with attacks, so it is important to be alert of new types of attacks. Websites such as The Cyber Wire post daily security briefings.

Prevention is Key

Recovering from cybercrime can be rigorous and exhausting, so having preventive measures in place is the most practical solution. By combining technical controls with security awareness, you can mitigate the risk of a phishing attack against your company.

How to Prevent Ransomware Attacks Against Your City Network

So what is a Ransomware attack?

You may have read in the news lately about a new and growing threat to municipal computer networks, ransomware attacks. These attacks can be crippling, and can shut down entire cities for weeks or even months. They can have devastating consequences and can cost hundreds of thousands of dollars in ransom just to get a city’s network back online. The good news is, these types of municipal malware attacks are preventable.

Hows does a Ransomware Attack Work?

A ransomware attack, such as Cryptolocker or Triple Threat (which combines Emotet, TrickBot and Ryuk) work by gaining a foothold somewhere your network, usually through a phishing campaign to city employees, or by gaining access to the network through out of date software. Once they are in the network, they spread from machine to machine and server to server to infect as many machines as possible. Once they have infected a large enough number of machines, they activate and begin encrypting all the data stored on every computer. One the data is encrypted, users will be given the ransom demands on their computer screens. Ransom demands can range from $75,000 in bitcoins, as in the Baltimore attacks, or range into the hundreds of thousands, as in the $600,000 Riveria Beach attack ransom.

How do I prevent a Ransomware Attack?

Preventing a ransomware attack is always your best option, potentially saving your city hundreds of thousands of dollars is losses. Luckily preventing a ransomware attack is doable. Here are 4 basic steps you should take to prevent ransomware attacks on your municipal network:

1) Update, update, update

Most malware attacks take advantage of out of date software and operating systems with security holes. Make sure your entire network, all servers and end user desktops and laptops are updated with the most current version of Windows or MacOS and that automatic updates are enabled. Monthly updated are critical to your security.

2) Use Anti-virus / Anti-malware software on everything

A strong antivirus software is one of the best defenses against ransomware attacks. Ensure that every server, desktop and laptop in your network has an up-to-date copy of some antivirus software running on it. Make sure that automatic definition updates are enabled and that the machine is being being protected with realtime protection or with daily scans.

3) Ensure your Disaster Recovery Plan is in place, and working

Recovering from an attack after the fact, without paying the ransom, is near impossible, unless you have a well planned, tested and functioning Disaster Recovery Plan. That means ensuring that all your servers and data are backed up on a daily basis and stored offsite. A good rule of thumb is the 3-2-1 backup rule. Always have 3 copies of your data, 2 of them should be on different types of storage and 1 of them should be offsite. With a solid Disaster Recovery Plan, recovery from a ransomware attack can be a simple as cleaning your servers and restoring your data.

4) Know your network and software

Do you know what is currently on your network? Do you know if your machines are updated? How well is your anti-virus software working? Knowing exactly how well protected your network is can be the difference between ransomware taking over your network and staying safe. Perform regular Security Risk Assessments to ensure you are properly protecting your network and data from attacks.

An Ounce of Prevention is Worth A Pound of Cure

Preventing ransomware in your cities network is defiantly one place where this old adage holds true. Taking four the basic steps outline above to protect your municipal network will go a long way to preventing ransomware attacks. Recovering from a ransomware attack can be a nightmare, so plan ahead, practice good IT hygiene, and you can significantly lessen the risk of a municipal ransomware attack.

So what exactly is a Security Risk Assessment?

So what exactly is a Security Risk Assessment?

A Security Risk Assessment (or SRA) is an assessment that involves identifying the risks in your company, your technology and your processes to verify that controls are in place to safeguard against security threats. Security risk assessments are typically required by compliance standards, such as PCI-DSS standards for payment card security. They are required by the AICPA as part of a SOC II audit for service organizations and are also requirements for ISO 27001, HITRUST CSF and HIPAA compliance, just to name a few. Because of this, security risk assessments can go by many names, sometimes called a risk assessment, an IT infrastructure risk assessment, a security risk audit, or security audit.

Security Risk Assessments are performed by a security assessor who will evaluate all aspects of your companies systems to identify areas of risk. These may be as simple as a system that allows weak passwords, or could be more complex issues, such as insecure business processes. The assessor will typically review everything from HR policies to firewall configurations while working to identify potential risks.

For example, during the discovery process an assessor will identify all databases containing any sensitive information, an asset. That database is connected to the internet, a vulnerability. In order to protect that asset, you need to have a control in place, in this case it would be a firewall. You have now taken the first step in mitigating risk.

A Security Risk Assessment identifies all your critical assets, vulnerabilities and controls in your company to ensure that all your risks have been properly mitigated.

Why do I need a
Security Risk Assessment?

A Security Risk Assessment is vital in protecting your company from security risks.  Imagine being tasked with remodeling a house, without being told what’s wrong with it first. A security risk assessment provides you with the blueprint of risks that exist in your environment and gives you vital information about how critical each issue is. Knowing where to begin when improving your security allows you to maximize your IT resources and budget, saving you time and money.

Whats the difference between Risk Management and a
Security Risk Assessment?

This is one of the most common questions when people begin to read through security or compliance requirements. The short answer is: a Security Risk Assessment is a point-in-time review of your companies technology, people and processes to identify problems. Risk Management is an ongoing process where you round up all the identified risks in your company and work towards eliminating them.

Security Risk Assessments are deep dive evaluations of your company, or maybe even a specific IT project or even a company department. During the assessment, the goal is to find problems and security holes before the bad guys do. The assessment process should review and test systems and people, looking for weaknesses. As they are found, they are ranked based on how big of a risk they are to the company. The resulting report will identify systems that are working well and properly secured, and those that have issues. A Security Risk Assessment will typically have very specific technical results, such as network scanning results or firewall configuration results.

Risk Management is an ongoing effort to collect all the known problems, and work to find solutions to them. Think of a Risk Management process as a monthly or weekly management meeting. Each week, risks and problems are identified, ranked and then discussed to ensure that nothing is slipping through the cracks. The goal of a Risk Management process is to continually improve the security of a company and work to eliminate all risks as they occur.

What types of systems are involved in a
Security Risk Assessment?

A Security Risk Assessment is a far reaching review of anything that could pose a risk to the security or compliance of the company. Each assessment is tailored to fit the exact purpose and scope requested by the client. Assessments can involve any of the following elements:

Infrastructure

  • Facility Power & Redundancy
  • Backup Power, UPS & Generator Capacity
  • Facility Cooling Capacity & Redundancy
  • Facility Fire Suppression Systems
  • Server Wiring and Cabling
  • Server Rack Infrastructure
  • Facility Physical Security & Tracking Systems
  • Facility Camera & Alarm Systems

Servers & Systems

  • Server Inventory including detected OS’s
  • Server Vulnerability Reports
    Server Resource Utilization
  • Server Backup Processes
  • Redundancy / High Availability Configuration
  • Anti-Virus/Anti-Malware Systems
  • IT Asset Inventory Processes
  • Server Update Processes
  • Identity & Authentication Systems

Network

  • Complete Network Discovery Mapping
  • Discovered Network Inventory List
  • Internal Network Device Vulnerability Scan
  • External Network Device Vulnerability Scan
  • Firewall Vulnerability Scan
  • IDS/IPS Review
  • SPAM Filtering Review
  • Web Filter Device Review
  • Data Loss Prevention Systems Review

Application Scanning

  • Discovery of all internal web applications
  • Discovery of all external web applications
  • Application Vulnerability Assessment
  • Application Server Vulnerability Scanning

Information Security

  • Sensitive Data Inventory
  • Data Classification
  • Data Risk Analysis
  • Data Encryption Review
  • Access Authorization Procedures Access Controls

Policies

  • Comprehensive IT Policy Review
  • Disaster Recovery Plan Review
  • Business Continuity Plan Review
  • Device and Media Control Policy Review
  • Software Development Procedure Review
  • Security Incident Procedure Review
  • Log Monitoring Process Review
  • Workforce Security Policy Review
  • Workforce “Hire and Fire” Policy Review
  • Risk Management Process Review

So How do you perform a
Security Risk Assessment?

A Security Risk Assessment typically covers all aspects of a company from IT to Operations to HR and Accounting. An assessment is a labor intensive process, although each assessment is unique to match the company and scope, they typically take 30-60+ days and contain the phases outlined below:

Initial Discussion

Adsero schedules a conference call to discuss your company, your procedures and what your goals are during the Risk Assessment process. 

Onsite Discovery

Next our team of experts will spend time at your facility to perform an onsite review of your technology and processes. 

Analysis

Adsero Security’s analysts then take the information gathered during the onsite visit and begin identifying risks and controls you may have in place already.

The Report

Once all the analysis is complete, you will receive a complete Risk Assessment report that outlines all your assets, vulnerabilities and risks. The report includes recommendations on how to improve your overall security and compliance.