Enterprise risk assessment is the first step in understanding your risk profile. At the beginning of each engagement, we take the time to understand your mission and the key drivers for your organization. Whether you deliver products or services, we home in on how your information is used, where it is transmitted and where it is stored. Using our information-centric approach, we then perform the following steps to determine your enterprise risk profile:
- Identify your assets, determine how they relate to your mission processes, and rate the importance of each asset.
- Perform a threat assessment to identify the threats your organization faces on a daily basis. Specifically, we look at the motivation, expertise and resources of potential attackers, whether they are internal or external.
- Conduct a vulnerability assessment using the latest technologies to uncover all possible entry points into your systems and network.
- Examine existing countermeasures to determine whether your organization has deployed sufficient defense-in-depth measures to counter attacks.
- Perform a risk analysis to determine the consequence or impact that exploited vulnerabilities could have on your assets. The likelihood or probability of exploitation is also estimated in the context of existing security countermeasures.
- Assign risk ratings in order to prioritize risks according to their impact on the organization.
- Develop a risk mitigation plan based on the risk ratings to ensure risks are mitigated in a timely manner. Risks that cannot be fully remediated are subject to continuous monitoring until the risk becomes acceptable to the organization.
Our team is well versed in many of the risk management methodologies used throughout government and commercial industries. These methodologies include:
- International Organization for Standardization (ISO) 31000:2009 Risk Management
- Australian/New Zealand Standard (AS/NZS) 4360:2004 Risk Management
- National Institute of Standards and Technology (NIST) Special Publication (SP) 800-39 Managing Information Security Risk
- NIST SP 800-30 Risk Management Guide for Information Technology Systems