We are seeing increasingly sophisticated attacks that target not only IT systems but also the operational (/ ). Additionally, attackers are using differing mechanisms to carry out attacks, and these can often exploit weaknesses in physical security, employees and sub-contractors.
Our Security Risk Assessment () approach is the ideal mechanism to address this problem: it takes a high-level look across the business to identify and prioritise the key risks to your information. We have conducted numerous studies across the Defence and CNI markets.
We deliver this service through a set of well-defined steps:
- Information gathering. Understand the current policies, procedures, IT and assets and key stakeholders. Produce and agree a detailed plan for the following stages.
- System modelling. This includes not only examining the policy and procedures but also conducting interviews with key staff to help identify vulnerabilities and provide areas to focus on. This will result in an information model that clearly articulates the information flows and dependencies across the organisation.
- Risk assessment and recommendations. Using the information from the previous task, we will produce a prioritised risk register, which will be further reviewed to ensure that the risks are real and could be exploited. The finalised risks will then have clearly identified mitigation recommendations assigned to them. A final report and presentation will be provided, summarising all the activities with clear recommendations for next steps.
The benefit of undertaking a Security Risk Assessment is that by looking across the business we ensure that no obvious weaknesses are ignored, whether they be physical, people, process or technology. It gives a view of the cyber risk across the enterprise that enables senior management to effectively prioritise downstream investment.