It is important that you know what you are asking for, so that the choice itself does not become a risk.
You have asked for an Assessment. Stakeholders are concerned about security. Is the goal to identify your Security Risks, Threats, Consequences or Vulnerabilities, or all of them? Collectively, there is a formula for that.
Risk = Threats + Consequences + Vulnerability
Do not be taken in by someone who says all assessments are the same. A Risk Assessment, Threat Assessment, Vulnerability Assessment, Security Audit and Business Impact Analysis are not interchangeable.
Square peg, round hole.
A Threat Assessment looks to understand which entities may have an interest in creating a security concern or problem for your organization.
A Security Audit validates or verifies that the security measures currently in place actually exist and do what they were intended to do. The audit focuses specifically on the effectiveness of security and determines whether a known vulnerability is being addressed. It does not measure risk.
A Vulnerability Assessment looks to understand both consequences and vulnerabilities; threats, however, are assumed to be at a high level. At the end of a Vulnerability Assessment, organizations quite often implement increased security measures to address the vulnerabilities and lower the consequences. This happens because the level of threat and the probability of an occurrence are not actually analyzed.
The consequence-focused Business Impact Analysis identifies an organization's most critical assets and sets out to build resiliency around them, most commonly as a business continuity plan. A Business Impact Analysis does not address threats or vulnerability.
The Risk Assessment is the most effective means of determining security adequacy, as it considers all three elements of risk: threat, vulnerability, and consequence. A Risk Assessment should be the methodology of choice if you are seeking to determine your security adequacy and avoid the pitfalls of acting without all of the information.
But all is not lost. It is okay if your organization needs to conduct only one or several of the assessments mentioned above. There may be cause to do one assessment over another, resulting in a more intimate understanding of that particular assessment's output.
We can assist your organization in determining which of these assessments is best for you given your organization’s current security risk landscape.
We can Help.
Plan the Work. Work the Plan.