The assessment service is customized to your organization. The goal is to document cybersecurity issues with a business risk lens. That enables business leaders to make informed decisions based upon the organization's risk tolerance.
Scenarios for Conducting an Assessment
● It has been years since an assessment has been conducted
● The CISO has resigned. What is the current state of security?
● The new CISO wants a benchmark assessment
Assessment Options (Select a Level)
Development of an information security program should begin with a reputable baseline such as the NIST Cybersecurity Framework. A framework communicates the minimum controls required to protect an organization. It is also necessary to include control requirements from applicable laws, regulations and contractual obligations. Compliance with external requirements alone is likewise a minimal approach to designing a program.
Maturity Level 2: Common Controls
Control frameworks provide mid-level guidance and are not intended to be prescriptive. That is by design. This level of maturity addresses common security safeguards that are not specified in the control framework. It is necessary to identify and implement them.
Gap analysis: deploy safeguards based on proven methodologies such as the 20 CIS Controls. Examples of such safeguards include:
● Penetration testing
● Web application firewall
Controls in this category are viewed by many as necessary and common sense in a cybersecurity context. Some may view this level as filling gaps in the control framework: basic due diligence.
Maturity Level 3: Risk Management
It is necessary to tailor controls to the organization and to adapt to changes in the threat landscape. Threat Landscape and Controls Analysis is conducted within this level of assessment, starting with the inherent risk of the organization. Potential adversaries are described, with techniques for compromising data and coverage of the cybercrime ecosystem. Potential for impact is detailed while citing reputable sources. The organization’s risk tolerance is referenced for context. The organization's assets are listed, with a pivot into cybersecurity protection boundaries, control framework and risk assessments. Fair and balanced analysis is conducted by documenting risk mitigation and recent accomplishments in that domain. Residual risk is detailed with recommendations for new processes and controls. A summary statement addresses the organization’s risk culture, with recognition for conducting risk analysis.
The assessment evaluates risk governance and whether a risk register process is in place. Cybersecurity entries should be reserved for issues that pose significant risk to the organization (to be mitigated or accepted). Register entries should be discussed in meetings with IT and senior executives. Risk governance routines should include periodic meetings.
Maturity Level 4: Strong Risk Management
At this level the organization begins to demonstrate ownership of the cybersecurity program from an operational risk perspective. When management communicates low risk tolerance, that is synonymous with a commitment to strong risk management.
Examples of strong risk management include:
● The cybersecurity program maintains controls specific to line of business products, services and assets
● An operational risk management function maintains a risk scenarios inventory and conducts quantitative risk analysis
● Incident response and business continuity exercises are conducted annually to include senior executives, lines of business leaders, information technology, legal, public relations and critical suppliers
This level of assessment also includes evaluation of Insider Threat and Fraud Prevention controls.
Fees and Payment
The engagement begins once the Statement of Work and Contract are signed and upon receipt of the first of three equal payments. Payments are due at the following milestones:
● SOW and Contract Execution
● First Assessment Interview
● Delivery of Draft Report
The assessment service does not include vulnerability scanning, penetration testing or other methods of deep technical inspection.
Stage 1: Scoping Call
The Assessor hosts a scoping call as the first step in the process. We gather details to help ensure smooth and comprehensive execution of the assessment. The Assessor needs to be aware of assets, data categories, core products and services. The Assessor will ask for details required for the assessment such as key personnel, site locations and reliance on third parties.
Stage 2: Assessment Preparation
Customization of the assessment is the next phase. The Assessor creates work papers to prepare for assessment activity. Assessment techniques include staff interviews, observation of controls and documentation review. Work papers are also used to document in-place controls and assessment findings.
The Assessor prepares a list of job titles/roles for meetings. A list of requested documentation is also included.
The Assessor works with a Single Point of Contact (SPOC) identified by the client. The SPOC schedules availability of client personnel and service providers for the on-site phase of the assessment.
Stage 3: Assessment Activity
The Assessor arrives on location on the agreed-upon start date. The SPOC provides a site tour, including the external perimeter, office space, computer room and other areas in scope for the assessment. The SPOC also facilitates meetings with key personnel. While on-site, the Assessor conducts interviews, collects documentation and observes in-place controls. The on-site assessment typically lasts 4-8 business days.
NOTE: Given the COVID-19 pandemic, the client may opt to cancel the on-site portion of the assessment. In that event, assessment interviews will be conducted remotely. It would be appropriate to evaluate physical security controls via a tour conducted over cell phone video.
Stage 4: Report Preparation
The Assessor begins to prepare the assessment report remotely. The SPOC supports requests for follow-up questions and documentation requests. A draft assessment report is provided to the SPOC. The final report includes an executive summary with a high-level overview of assessment findings. Findings are identified by risk severity, with recommendations to remediate issues where appropriate.
The assessment process typically takes 4-8 weeks, given the phases detailed above and the reliance on client personnel.
● Line of Business
● Mergers and Acquisitions
● Third Party Risk Management
● Fraud Prevention
● Process Design
● Security Operations Center
● Application Security
● Infrastructure Security
● Insider Threat
This service offering description provides an overview for informational purposes only. The Statement of Work and the Master Services Agreement are the official documents for each assessment engagement.