Information Security Risk Assessment
A strategic technology security assessment focuses directly on your organization’s information security needs.
This kind of assessment is more important now than ever. Despite your best efforts, there is a real chance that some of the organization's information will be compromised. There are plenty of news stories about leaked emails, lost laptops and stolen smartphones, all of which caused previously private information to become public.
Is your organization prepared to deal with this possibility? Do you have plans to minimize the chances of such information exposure? Most organizations don't know the extent of sensitive information spread throughout the organization, haven't implemented comprehensive controls to secure it, and don't know what they would do if it were made public. Preparation now can mean peace of mind later.
What are the benefits?
The organization gets a comprehensive view of its complete information security posture, rather than being influenced by events or the clamor of different security vendors. It prioritizes remediation measures and justifies their cost.
The plan is also a demonstration of how the organization has adopted best practices for information security. This can have economic impacts for the organization, for instance if donor confidence is affected by such a demonstration. The plan can also be used to demonstrate aspects of regulatory compliance.
Finally, the planning process helps sustain a dialogue with executive management about how information is shared and stored, so that information security concerns can be raised, addressed and given the priority they deserve.
Strategic Security Planning helps an organization understand the potential impacts of compromised information security, whether it affects confidentiality, data integrity, or availability. It also prioritizes actions to address weaknesses in an organization’s information security.
How does it work?
CGNET first works with your organization to document what information, devices and applications exist that could be considered sensitive, where they exist, and how they are currently secured. Once this inventory of sensitive information assets has been developed, CGNET works with your organization to understand the severity of each class of security breach. For instance, disclosure of some kinds of information could have a financial impact, while others could have a reputational impact. Temporarily shutting down the organization’s operations, as with a denial-of-service attack, will affect some organizations more than others.
CGNET then estimates the likelihood of each kind of breach occurring and combines this with the severity ratings to develop an information security risk matrix. By plotting each information asset on the matrix, controls to mitigate each risk can be prioritized: the assets that combine high severity with high likelihood are addressed first.
CGNET then compares the security practices that are in place with industry standard controls, determining what improvements should be made, in terms of the priorities of the risk matrix. Finally, the improvements are put onto a roadmap, to provide a comprehensive plan.
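The following is an added illustration of the steps above in working code; it is not CGNET's own tooling or method, and the assets, 1-to-5 rating scales, matrix band thresholds and baseline control list are constructed assumptions for the example. It takes a small inventory of sensitive assets, rates the severity of each breach class (financial, reputational, availability) and the likelihood of a breach, places each asset on a severity-by-likelihood matrix, compares the controls in place against a baseline, and groups the results into a phased roadmap.

```python
"""Qualitative risk matrix for an information-asset inventory.

Added illustration for this page, not CGNET's method or client data:
the assets, rating scales, matrix thresholds and control baseline are
constructed assumptions showing how severity and likelihood combine
into a prioritized remediation roadmap.
"""
from dataclasses import dataclass, field

IMPACT_TYPES = ("financial", "reputational", "availability")
RATING_MIN, RATING_MAX = 1, 5  # assumed scale: 1 (lowest) .. 5 (highest)

# Assumed baseline of controls expected for any sensitive asset.
BASELINE_CONTROLS = frozenset(
    {"encryption_at_rest", "mfa", "access_review", "backup", "logging"}
)


@dataclass
class Asset:
    name: str
    location: str
    impact: dict        # severity per impact type, e.g. {"financial": 4, ...}
    likelihood: int     # estimated likelihood of a breach on the same 1..5 scale
    controls: set = field(default_factory=set)  # controls currently in place

    def __post_init__(self):
        if set(self.impact) - set(IMPACT_TYPES):
            raise ValueError(f"{self.name}: unknown impact type")
        ratings = list(self.impact.values()) + [self.likelihood]
        if not all(RATING_MIN <= r <= RATING_MAX for r in ratings):
            raise ValueError(f"{self.name}: ratings must be {RATING_MIN}..{RATING_MAX}")


def severity(asset):
    """Worst-case severity across impact types; one bad breach class dominates."""
    return max(asset.impact.values())


def risk_score(asset):
    """Matrix cell value: severity x likelihood, in the range 1..25."""
    return severity(asset) * asset.likelihood


def risk_band(score):
    """Map a matrix cell to a band; the thresholds are an assumption here."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def control_gaps(asset, baseline=BASELINE_CONTROLS):
    """Baseline controls the asset lacks, i.e. the remediation candidates."""
    return sorted(baseline - asset.controls)


def prioritize(assets):
    """Plot every asset on the matrix and order by descending risk."""
    rows = []
    for a in assets:
        score = risk_score(a)
        rows.append({
            "asset": a.name,
            "location": a.location,
            "dominant_impact": max(a.impact, key=a.impact.get),
            "score": score,
            "band": risk_band(score),
            "gaps": control_gaps(a),
        })
    rows.sort(key=lambda r: (-r["score"], r["asset"]))
    return rows


def roadmap(rows):
    """Group prioritized rows into phases: high first, then medium, then low."""
    phases = {"high": [], "medium": [], "low": []}
    for r in rows:
        phases[r["band"]].append(r["asset"])
    return phases


# Constructed sample inventory (not real client data).
SAMPLE_ASSETS = [
    Asset("Donor database", "CRM SaaS",
          {"financial": 4, "reputational": 5, "availability": 2}, 3,
          {"mfa", "backup"}),
    Asset("Staff laptops", "field offices",
          {"financial": 2, "reputational": 4, "availability": 3}, 4,
          {"backup"}),
    Asset("Public website", "hosting provider",
          {"financial": 1, "reputational": 3, "availability": 4}, 3,
          {"backup", "logging", "mfa"}),
    Asset("Archived board minutes", "file server",
          {"financial": 1, "reputational": 3, "availability": 1}, 2,
          {"backup", "access_review"}),
]

if __name__ == "__main__":
    ranked = prioritize(SAMPLE_ASSETS)
    for r in ranked:
        print(f"{r['score']:>2} {r['band']:<6} {r['asset']:<24} "
              f"{r['dominant_impact']:<12} gaps: {', '.join(r['gaps']) or 'none'}")
    print(roadmap(ranked))
```

Two design choices are worth noting. Using the worst-case impact type as the severity means a single catastrophic breach class (here, reputational damage from a donor-database leak) sets the asset's position on the matrix, which is how most qualitative matrices are read. The roadmap is driven by the band, not the raw score, so two assets in the same band are scheduled together and the score only orders them within the phase.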
What do I get?
CGNET produces a report that addresses the following questions:
- What information assets exist, where are they located, and how are they currently protected?
- What is the kind (financial, reputational) and amount of risk for each asset?
- How does the organization’s current security posture compare, risk by risk, with industry standards and best practices?
- What should be done to close the gap between current and best performance, given the organization's particular needs and resources, including technology, policies and procedures?
- How should new and improved security controls be implemented over time?
What Does It Cost?
The cost of developing a Strategic Information Security Risk Assessment depends on the scope of the effort and the resulting time required. Usually, the cost is in the $10,000 to $30,000 range.