Cyber Security Risk Assessment
Information Gathering Phase
Active and passive monitoring and analysis are performed at multiple levels. This includes network scanning and monitoring, as well as user and resource analysis across multiple operating systems and applications. Both technical and non-technical information is used to determine the organisation's current security posture along with its compliance requirements.
Technical information consists of the data points collected through active and passive scans of the network environment: applications, Database Management Systems (DBMS), access control systems, Identity and Access Management, and other resources.
Company policies, standards, procedures, guidelines and baselines form the bulk of the non-technical information. External compliance and governance requirements are also considered, for example PCI-DSS when card transactions are involved.
Data Flow Analysis
Using the network configuration on switches or physical network TAPs, bulk data is captured at selected locations or at the core. This is used as part of a deep-dive analysis to determine what types of traffic are present, as well as the risk that the traffic would pose if unauthorised access or disclosure occurred.
Using all these attributes, a holistic view of the enterprise is created and the Persistent Attack Vectors can be measured. Once this is done, effective and efficient compensating controls can be implemented to create a ‘secure environment’ in which management defines the acceptable level of risk.
→ Real-time discovery
→ Real-time analysis
→ Knowledge Transfer
→ Cost-Effective Recommendations
Continuous discovery is combined with vulnerability assessment, using data classification and Business Impact Analysis (BIA) to focus on the issues that have a real impact.
Depending on the size of the environment, the Cyber Security Risk Analysis can be broken down into multiple phases for reporting and milestone checkpoints. Although the phases are distinct, a preceding phase is not closed when the next begins, as the assessment is a continuous process. The following phase is initiated once adequate data points have been gathered.
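As an added illustration of the Data Flow Analysis and risk-prioritisation steps described above (this is example code written for this page, not the provider's own tooling), the following Python script takes simplified flow records as they might be exported from a TAP or mirror-port capture, infers the protocol from the destination port, and weights each flow by the destination asset's data classification and BIA rating. The flow records, the asset inventory, the port table, the 1–4 rating scales and the "double the score for cleartext protocols" rule are all assumptions constructed for the example.

```python
"""Added example: prioritise captured flows by data classification and BIA.

Not part of the original page. Everything below (port table, asset
inventory, rating scales, sample flows) is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Destination port -> (protocol name, transmits in cleartext?).  Assumed
# mapping; a real engagement would derive this from the capture itself.
PORT_TABLE = {
    21: ("FTP", True), 23: ("Telnet", True), 80: ("HTTP", True),
    389: ("LDAP", True), 1433: ("MSSQL", True), 3306: ("MySQL", True),
    22: ("SSH", False), 443: ("HTTPS", False), 636: ("LDAPS", False),
}

# Asset inventory from the discovery phase.  Both ratings use a 1 (low)
# to 4 (critical) scale; values are constructed sample data.
ASSETS = {
    "10.0.1.10": {"name": "card-db", "classification": 4, "bia": 4},
    "10.0.1.20": {"name": "intranet-web", "classification": 2, "bia": 2},
    "10.0.1.30": {"name": "directory", "classification": 3, "bia": 4},
}

# Constructed flow export, one "src,dst,dport" record per line.
SAMPLE_CAPTURE = """\
10.0.5.7,10.0.1.10,1433
10.0.5.8,10.0.1.20,443
10.0.5.9,10.0.1.30,389
10.0.5.9,10.0.1.30,636
"""


@dataclass
class Finding:
    src: str
    dst: str
    asset: str
    protocol: str
    cleartext: Optional[bool]  # None when the port is not in PORT_TABLE
    risk: int                  # classification * bia, doubled if cleartext


def parse_capture(text: str) -> List[Tuple[str, str, int]]:
    """Parse 'src,dst,dport' lines; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport = line.split(",")
        flows.append((src.strip(), dst.strip(), int(dport)))
    return flows


def classify_flow(src: str, dst: str, dport: int) -> Finding:
    """Score one flow: exposure of the destination asset's data if the
    traffic were intercepted or disclosed."""
    protocol, cleartext = PORT_TABLE.get(dport, (f"tcp/{dport}", None))
    asset = ASSETS.get(dst, {"name": "unknown", "classification": 1, "bia": 1})
    risk = asset["classification"] * asset["bia"]
    if cleartext:
        risk *= 2  # assumed rule: disclosure is trivial on cleartext links
    return Finding(src, dst, asset["name"], protocol, cleartext, risk)


def prioritise(flows: List[Tuple[str, str, int]]) -> List[Finding]:
    """Return findings ordered from highest to lowest risk."""
    findings = [classify_flow(*flow) for flow in flows]
    return sorted(findings, key=lambda f: f.risk, reverse=True)


def cleartext_to_sensitive(findings: List[Finding], threshold: int = 3) -> List[Finding]:
    """Findings where cleartext traffic reaches an asset rated at or above
    the classification threshold: the first candidates for a compensating
    control (e.g. enforcing the encrypted variant of the protocol)."""
    return [f for f in findings
            if f.cleartext and ASSETS[f.dst]["classification"] >= threshold]


if __name__ == "__main__":
    ranked = prioritise(parse_capture(SAMPLE_CAPTURE))
    for f in ranked:
        print(f"risk={f.risk:>3} {f.protocol:<6} {f.src} -> {f.asset} ({f.dst})")
    print("cleartext to sensitive assets:",
          [f.protocol for f in cleartext_to_sensitive(ranked)])
```

Running the script ranks the cleartext MSSQL flow into the card database first and the cleartext LDAP flow second, while the LDAPS flow to the same directory host scores half as much; those two cleartext findings are the ones the compensating-control phase would address first.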
→ Technical and Non-Technical Discovery
→ Risk Analysis and Vulnerability Assessment
→ Implementation of Compensating Control
→ Management Acceptance
Feedback is given to management with technical staff involved, to ensure that there is adequate knowledge transfer. It is critical that cyber security risks are communicated and that a company resource, such as a person or a department, is assigned to manage each risk.
For more detail, submit an information request under Contacts or email firstname.lastname@example.org requesting additional information.