
The FFIEC's recent supplemental guidance calls for a much more comprehensive approach to risk management and establishes a new "best practice" standard for mitigating risks to online systems by the January 2012 deadline.
To provide some much-needed clarification, and to help institutions better understand what is needed to meet the new requirements by the compliance deadline of January 2012, TraceSecurity is offering several free resources available for download.
Organizations like financial institutions, healthcare providers, government agencies, insurance companies and other companies that must adhere to strict compliance standards have a responsibility to implement a formal risk assessment process to identify and evaluate the risks that threaten their institution.
The risk assessment should encompass provisions that address both internal and external threats and should answer the following questions:

IT Security Compliance regulations and guidelines (GLBA, FFIEC, FDIC, OCC, OTS) require an organization to conduct regular Risk Assessments in order to identify reasonably foreseeable risks that - if left unchecked - could lead to service interruption or unauthorized disclosure, misuse, alteration, or destruction of confidential information.
In June 2011, the FFIEC updated its guidelines concerning risk assessments for financial institutions that offer online transactions. The revised guidance redefined the overall scope of risk assessments, mandating that they be expanded to include considerations for emerging threats, updated when new information becomes available, and reviewed or performed at least every 12 months.

TraceSecurity's methodology provides the most thorough, objective, and easy to read information security risk assessment available.
Our risk assessments follow standard methodologies designed to meet all regulatory requirements and best practice guidelines, including the new standards for information security assessments set forth in the recently revised FFIEC Guidance.
During the IT risk assessment process, our experts closely scrutinize the organization's controls, vulnerabilities, threat vectors, asset information, and loss expectancies. Each individual risk is then analyzed and compared against the other identified risks, enabling the organization to prioritize remediation efforts and preempt the losses to which it has the most exposure.
TraceSecurity's risk assessment methodology also offers other advantages for our customers in highly regulated industries like banks, credit unions, healthcare, government, education, energy and even retail environments.
These advantages include:
The entire process is captured and managed through TraceSecurity's RiskManager which automates the process and provides a foundation for future Risk Assessments.
RiskManager is an extension of the TraceSecurity ComplianceManager platform, the first cloud-based platform to integrate all the vital information and tasks necessary to maintain security compliance into a centralized interface, allowing organizations to streamline security compliance procedures and simplify the processes involved in IT risk management.
Some of the services in TraceSecurity's Information Security Risk Assessment are:
The Risk Assessment results are provided in an extensive report containing:

TraceSecurity's RiskManager is used to analyze an organization’s vulnerabilities, threats, asset information, controls and loss expectancies. It assists in the analysis process and enables the user to assess critical focus areas to determine the overall level of risk. Plus, the entire risk assessment process is captured and managed through the software which automates the process and provides a foundation for future risk assessments.
RiskManager allows the institution to manage its processes locally, with TraceSecurity providing technical support and enhancing those efforts with additional services. This approach helps the organization run a continuous risk management program without straining internal resources or incurring high vendor costs each time a risk assessment is needed.
RiskManager saves time and money by automating the steps of the risk management process:
Asset group analysis. Identifies core assets and assigns a level of criticality to each asset in the areas of confidentiality, integrity and availability (CIA).
Threat analysis. Identifies all relevant threats, evaluates each threat to determine which assets are affected, then assigns a level of criticality to each asset in the areas of CIA.
Control analysis. Identifies safeguards that can be used to protect each asset, assigns values to each control in terms of how it protects against specified threats.
Risk assessment reporting. Automatically associates and calculates data to produce a detailed risk assessment report.
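The four steps above (asset criticality per CIA property, threat applicability and likelihood, control effectiveness, and a prioritized report) can be carried through with a small quantitative model. The following is an added illustration, not TraceSecurity's RiskManager code or its scoring formula: the assets, threats, controls, 1-to-5 rating scales and the "inherent risk times residual fraction" calculation are all constructed assumptions for the example. It shows one thing the prose does not: an unmitigated threat against a low-value asset can rank above a well-controlled threat against a critical one.

```python
"""Toy risk-assessment model: asset -> threat -> control -> ranked report.
Constructed example; not the RiskManager algorithm."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    # Criticality per CIA property on an assumed 1 (low) .. 5 (critical) scale
    confidentiality: int
    integrity: int
    availability: int


@dataclass
class Threat:
    name: str
    likelihood: int          # assumed 1 (rare) .. 5 (expected) scale
    impacts: tuple           # CIA properties this threat harms
    affected_assets: tuple   # names of assets the threat applies to


@dataclass
class Control:
    name: str
    mitigates: str           # threat name
    protects: tuple          # asset names the control is deployed on
    effectiveness: float     # 0.0 .. 1.0 share of the threat's risk it removes


# Constructed sample inventory (hypothetical asset and control names).
ASSETS = {a.name: a for a in [
    Asset("online-banking-web", 5, 5, 4),
    Asset("core-ledger-db", 5, 5, 5),
    Asset("marketing-site", 1, 2, 2),
]}

THREATS = [
    Threat("credential-stuffing", 5, ("confidentiality", "integrity"),
           ("online-banking-web",)),
    Threat("sql-injection", 3, ("confidentiality", "integrity"),
           ("online-banking-web", "core-ledger-db")),
    Threat("ddos", 4, ("availability",),
           ("online-banking-web", "marketing-site")),
]

CONTROLS = [
    Control("mfa-for-transactions", "credential-stuffing", ("online-banking-web",), 0.8),
    Control("parameterised-queries", "sql-injection",
            ("online-banking-web", "core-ledger-db"), 0.9),
    Control("cdn-scrubbing", "ddos", ("online-banking-web",), 0.6),
]


def inherent_risk(asset: Asset, threat: Threat) -> int:
    """Step 1+2: worst affected CIA criticality times threat likelihood."""
    impact = max(getattr(asset, prop) for prop in threat.impacts)
    return impact * threat.likelihood


def combined_effectiveness(asset_name: str, threat_name: str, controls) -> float:
    """Step 3: controls on the same asset/threat pair compound; the risk
    left after each one is (1 - effectiveness) of what reached it."""
    residual_fraction = 1.0
    for c in controls:
        if c.mitigates == threat_name and asset_name in c.protects:
            residual_fraction *= (1.0 - c.effectiveness)
    return 1.0 - residual_fraction


def assess(assets, threats, controls):
    """Step 4: one row per applicable asset/threat pair, highest residual first."""
    rows = []
    for t in threats:
        for name in t.affected_assets:
            inh = inherent_risk(assets[name], t)
            eff = combined_effectiveness(name, t.name, controls)
            rows.append({"asset": name, "threat": t.name, "inherent": inh,
                         "control_effectiveness": round(eff, 2),
                         "residual": round(inh * (1.0 - eff), 2)})
    rows.sort(key=lambda r: r["residual"], reverse=True)
    return rows


if __name__ == "__main__":
    for r in assess(ASSETS, THREATS, CONTROLS):
        print(f"{r['residual']:5.1f}  {r['asset']:<20} {r['threat']:<20} "
              f"inherent={r['inherent']} controls={r['control_effectiveness']}")
```

Run as a script it prints the ranked report; the top line is the marketing site's DDoS exposure (inherent 8, no control), ahead of the online-banking DDoS and credential-stuffing rows whose larger inherent scores are cut down by their controls. That ordering is the point of the prioritization step: remediation budget goes first to where exposure actually remains, and adding a control is re-scored simply by appending to CONTROLS and re-running.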