Information Risk Assessment
Despite your best efforts, there’s a real chance that some of the organization’s information is going to be compromised. Is your organization prepared to deal with this possibility? An Information Risk Assessment helps an organization understand the potential impacts of compromised information security, whether it affects confidentiality, data integrity, or availability. It also prioritizes actions to address weaknesses in an organization’s information security. Preparation now can mean peace of mind later!
- Information Asset Inventory: CGNET first works with your organization to document what information, devices and applications exist that could be considered sensitive, where they exist, and how they are currently secured.
- Risk Classification: Once this inventory of sensitive information assets has been developed, CGNET works with your organization to understand the severity of each class of security breach. For instance, disclosure of some kinds of information could have a financial impact, while others could have a reputational impact.
- Information Security Risk Matrix: CGNET then calculates the likelihood of each kind of breach occurring and combines this with the severity ratings to develop an information security risk matrix. By plotting each information asset on the matrix, controls to mitigate each risk can be prioritized.
- Security Comparison: CGNET then compares the security practices in place with industry-standard controls, determining which improvements have to be made and ordering them by the priorities of the risk matrix. The improvements are placed on a time-based roadmap to provide a comprehensive plan.
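The four steps above, carried through as an added worked example (this is illustrative code, not CGNET's own method or tooling): a small constructed inventory is scored as likelihood × severity on assumed 1 to 5 scales, sorted into matrix bands, compared with an assumed baseline of controls, and the missing controls are ordered into roadmap phases by the risk they address. The scales, band thresholds, baseline control names, phase lengths and the three sample assets are all assumptions.

```python
"""Worked illustration of the four assessment steps: inventory, risk
classification, likelihood x severity matrix, and comparison of current
controls with a baseline.  Added example, not CGNET's own method or tooling;
the 1-5 scales, band thresholds, baseline controls, phase lengths and the
three sample assets are constructed assumptions."""
from dataclasses import dataclass

# Assumed ordinal scales (1-5) for likelihood and severity of a breach.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed industry-baseline controls expected for each breach class.
BASELINE = {
    "confidentiality": {"mfa", "encryption at rest", "access review"},
    "integrity": {"change logging", "tested backups"},
    "availability": {"tested backups", "monitoring"},
}

# Assumed mapping of risk band to a roadmap phase.
PHASE = {"high": "0-3 months", "medium": "3-9 months", "low": "9-18 months"}


@dataclass
class Asset:
    """One line of the information asset inventory."""
    name: str
    location: str
    controls: set          # controls currently in place
    impact: dict           # breach class -> (impact type, severity word)
    likelihood: dict       # breach class -> likelihood word


def risk_score(likelihood: str, severity: str) -> int:
    """Likelihood x severity on the assumed 1-5 scales (range 1..25)."""
    return LIKELIHOOD[likelihood] * SEVERITY[severity]


def risk_band(score: int) -> str:
    """Assumed thresholds dividing the matrix into three bands."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def risk_matrix(assets):
    """One row per asset and breach class, highest risk first."""
    rows = []
    for asset in assets:
        for breach, (impact_type, severity) in asset.impact.items():
            score = risk_score(asset.likelihood[breach], severity)
            rows.append({"asset": asset.name, "breach": breach,
                         "impact": impact_type, "score": score,
                         "band": risk_band(score)})
    rows.sort(key=lambda r: r["score"], reverse=True)  # stable: ties keep inventory order
    return rows


def roadmap(assets, baseline=BASELINE):
    """Missing baseline controls, ordered by the risk they address and
    assigned to a phase by risk band.  A control that closes several gaps
    for the same asset is listed once, at the phase of the highest risk."""
    by_name = {a.name: a for a in assets}
    plan, seen = [], set()
    for row in risk_matrix(assets):
        asset = by_name[row["asset"]]
        for control in sorted(baseline[row["breach"]] - asset.controls):
            if (asset.name, control) in seen:
                continue
            seen.add((asset.name, control))
            plan.append({"asset": asset.name, "control": control,
                         "band": row["band"], "phase": PHASE[row["band"]]})
    return plan


# Constructed sample inventory for a small non-profit.
INVENTORY = [
    Asset("Donor database", "cloud CRM", {"mfa", "encryption at rest"},
          {"confidentiality": ("financial", "severe"),
           "integrity": ("reputational", "major"),
           "availability": ("operational", "moderate")},
          {"confidentiality": "possible", "integrity": "unlikely",
           "availability": "possible"}),
    Asset("Public website", "hosting provider", {"backups"},
          {"confidentiality": ("reputational", "negligible"),
           "integrity": ("reputational", "major"),
           "availability": ("reputational", "minor")},
          {"confidentiality": "rare", "integrity": "possible",
           "availability": "likely"}),
    Asset("Staff laptops", "field offices", set(),
          {"confidentiality": ("reputational", "major"),
           "integrity": ("operational", "minor"),
           "availability": ("operational", "moderate")},
          {"confidentiality": "likely", "integrity": "unlikely",
           "availability": "likely"}),
]

if __name__ == "__main__":
    for row in risk_matrix(INVENTORY):
        print(f"{row['band']:6} {row['score']:2}  {row['asset']} / {row['breach']} ({row['impact']})")
    for step in roadmap(INVENTORY):
        print(f"{step['phase']:12} {step['asset']}: add {step['control']}")
```

Note that the impact type (financial, reputational, operational) is carried through to the report but does not enter the score; if one impact type matters more to the organization than another, that weighting belongs in the severity rating, not in a second multiplier.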
What do I get?
CGNET produces a detailed report that includes the results of the completed assessment described above, as well as a written:
- Strategy to close the gap between current and best performance, including technology, policies and procedures; and
- Plan for the future: how new and improved security controls should be implemented over time.
What are the benefits?
The organization gets a comprehensive view of its complete information security posture, rather than being influenced by events or the clamor of different security vendors. It prioritizes remediation measures and justifies their cost.
It also shows that the organization has adopted best practices for information security, which can improve donor confidence and demonstrate regulatory compliance.
Finally, the planning process helps sustain a dialogue with executive management about how information is shared and stored, so that information security concerns can be raised, addressed and given the priority they deserve.