IT Risk and Security Assessments can help implement smart security spending by identifying those areas where your resources can have the most impact. Risk and Security Assessments will validate the things that you already do well and provide guidance for continuous security improvements.
- Identify vulnerable systems and data
- Determine the likelihood that threats will exploit your systems
- Identify areas where training could improve your security posture
- Highlight possible regulatory or compliance issues
- Provide recommendations to remediate risks
- Develop a prioritized action plan to reduce overall risk levels
- Reduction of threats to systems and data resulting in lower overall risk levels
- Increased confidence in the confidentiality, integrity and availability of your data letting you sleep better at night
- Fewer business interruptions
- Identification of gaps in Best Practices
- Avoidance of compliance penalties and fines
- Validation and improvements to your Security Program or initial development of your Security Program
- Development of a Security Roadmap with resource requirements
- Development and implementation of security metrics
We begin the process by first identifying the system boundaries to determine the project focus. Next, with the help of industry standards and best practices, we work with you to identify the controls that are important for your organization as part of your security program.
Controls are then evaluated through on-site interviews, reviews of existing documentation, site inspections, personal observation, and examination. Upon completion, a gap analysis is performed to identify vulnerabilities; we then determine which threats could exploit those vulnerabilities and analyze each threat to determine its likelihood. The risks are those likely threats that are able to exploit a vulnerability in your organization and would have an adverse impact.
We prepare a Gap Analysis Report in which each risk is documented for evaluation by the client to determine whether the risk is acceptable. If so, the risk is recorded for periodic review. If not, the risk is highlighted and prioritized for remediation. The end product is a formal report that presents the results at a high level and provides a detailed roadmap for remediation.
Client Success Stories
A large western city with a population of 270,000. The City IT Department consists of 72 staff members and is well respected among peer departments within the City. As cyber security became a growing concern, the CIO identified it as a strategic initiative and determined the need for a baseline assessment of the current-state security environment.
Innovative IT (iiT) was asked to conduct an on-site programmatic assessment of the City’s information technology environment and cyber security controls and make appropriate recommendations.
The assessment was completed using the following approach:
- Developed a listing of appropriate and relevant cyber security controls based on industry best practices
- Evaluated controls and their effectiveness based on provided documentation, interviews, observations, onsite inspections, and some limited testing
- Reported on the state of compliance for PCI, HIPAA, and CJIS
- Determined risk based on:
  - The implementation level of the controls, prioritized according to the likelihood of attackers using those methods to gain access to a system;
  - Current trends in the threat landscape that dictate the need for increased attention in certain areas due to attacks being conducted with new technologies and/or methods;
  - An industry assessment to determine whether the City’s public profile was likely to draw the attention of attackers.
iiT identified potential risks to the business operations of the City that could result from vulnerabilities present in the information technology environment. Based on this evaluation, a Security Program Roadmap was developed, and a funding plan was prepared and approved by the City to support the program.
As follow-ups to this project, iiT was asked to perform an IT staff skills assessment and, two years later, a cyber security assessment refresh to evaluate progress on the Security Program Roadmap.