Overview

Risk Assessment program is designed to enable agencies to systematically identify, analyse and evaluate the risks by reviewing the control measures. Information Security risks include the possibility of business damage due to loss of confidentiality, integrity and availability of corporate data. AMBC’s risk assessment service provides the basis to build or refine the most appropriate information security program for your organization.

AMBC Inc. IT Security Team will provide the following key activities:

  • Discovery & Enumeration
  • Identification & Classification of Assets
  • Software Asset Management
  • Threat Assessment
  • Risk Formulation
  • Vulnerability Analysis
  • Control Risk Assessment
  • Impact and Likelihood determination
Risk Assessment
Our Process
System Characterization
In assessing risks for an IT system, the first step is to define the scope of the effort. In this step, the boundaries of the IT system are identified, along with the resources and the information that constitute the system. Characterizing an IT system establishes the scope of the risk assessment effort, delineates the operational authorization (or accreditation) boundaries, and provides information (e.g., hardware, software, system connectivity and responsible division or support personnel) essential to defining the risk. The methodology described can be applied to assessments of single or multiple, interrelated systems.
Threat Identification
The potential of the threat source to exercise the specific vulnerability. A vulnerability is the weakness in the system that can be accidentally triggered or intentionally exploited. A threat source does not present a risk when there is no vulnerability that can exercised.
Control Analysis
Analyze the controls that has been implemented or planned for implementation, by the organization to minimize or eliminate the likelihood of threats utilizing the system vulnerability.
Likelihood Determination
To derive an overall likelihood rating that indicates the probability that a potential vulnerability maybe exercised within the construct of the associated threat environment, the following governing factors must be considered:

  • Threat source motivation and capability
  • Nature of the vulnerability
  • Existence and effectiveness of the current controls

Impact Analysis
The next major step in measuring level of risk is by determining the adverse impact resulting from a successful threat exercise on a vulnerability. Before beginning the impact analysis, it is necessary to obtain the following necessary information:

  • System mission (e.g., the processes performed by the IT system)
  • System and data criticality (e.g., the system’s value or importance to an organization)
  • System and data sensitivity

Risk Determination
The purpose of this step is to assess the level of risk to the IT system. The determination of risk for a threat / vulnerability pair can be expressed as a function of:

  • The likelihood of a given threat-source’s attempting to execute a given vulnerability
  • The magnitude of the impact when a threat-source successfully exploits the vulnerability
  • The adequacy of planned or existing security controls for reducing or eliminating risk

To measure risk, a risk scale and a risk-level matrix must be developed.

Control Recommendations
During this step, controls that could mitigate or eliminate the identified risks, as appropriate to organizations operations, are provided. The goal is to reduce the level of risk to the IT system and its data to an acceptable level. The following factors should be considered in recommending controls and alternative solutions to minimize or eliminate identified risks:

  • Effectiveness of recommended options
  • Legislation and regulation
  • Organizational policy
  • Operational impact
  • Safety and reliability

The control recommendations are the results of the risk assessment process and provide input to risk mitigation process, during which the recommended procedural and technical security controls are evaluated, prioritized and implemented.

Results Documentation
Once the risk assessment has been completed (threat-sources and vulnerabilities identified, risks assessed, and recommended controls provided), the results should be documented in an official report or briefing.

A risk assessment report is a management report that will help senior management, the mission owners, make decisions on policy, procedures, budget, and system operational and management changes. We address the threat/vulnerability observations in the risk assessment report.

Benefits
  • Reduce incidents in your workplace
  • Recognize and control hazards
  • Identify IT Security awareness training needs
  • Set risk management standards, based on acceptable safe practice and legal requirements
  • Save costs by proactive measures
  • Optimal productivity
  • Positive image
Deliverables
  • Documentation report on system inventory, listing all system components
  • Security risk matrix
  • Documentations of the system policies and procedures, and details of its operation
  • List of remediation’s for controlling the identified threats and vulnerabilities
  • The level of residual risk that would remain after the recommended changes are implemented
  • System security plan, new system architecture, audit report, or system accreditation
  • Detailed dataflows
  • In-depth analysis of the specific security incidents or violations
  • Risk assessment and mitigation plan report
  • Network vulnerability outline
Are you ready to strengthen your network? Let's Talk Connect with us for your security needs

Contact Us