Assessment Methodology
All organizations are subject and vulnerable to threats. Risks to critical information assets may be intentional or negligent, they may come from seasoned criminals or careless employees, they may cause minor inconveniences or extended service disruption, and they may result in severe financial penalties, loss of public trust and damage to the firm’s reputation.
Identifying security risks is the single most important step an organization can take to ensure the confidentiality, integrity and availability of critical assets. It is also an important component of achieving regulatory, commercial and organizational compliance.
The TEKRiSQ risk assessment process identifies, prioritizes, and suggests immediate actionable items across the enterprise. Our process is specifically designed for the SMB marketplace, recognizing that our customers are not experts in cybersecurity and are primarily concerned with running their day-to-day business. The TEKRiSQ process is designed to provide immediate actionable items, very quickly, and without giving our customers a “homework assignment”.
The TEKRiSQ founders have spent many years in the cybersecurity business, from designing simple risk management assessments to commercial sales of costly NIST-type audits that cost as much as $500,000 and take months to complete. This process is fine for large companies, such as telecom carriers, but fails miserably in the SMB marketplace.
The TEKRiSQ Cyber Risk Assessment uses key security controls adapted from the NIST SP 800-53 framework. Our goals and objectives are as follows:
- Identify security risks and vulnerabilities, both outside-in and inside-out.
- Identify weaknesses in Client’s information security program and deviations from established standards
- Develop a prioritized, actionable plan for risk remediation based on the results of qualitative risk assessment and Client risk tolerance
- Establish and initiate the Risk Management process
- Elevate awareness and understanding of Risk Management functions and benefits
All of the above goals and objectives must be met quickly, affordably, and in a manner suitable for the SMB marketplace.
The TEKRiSQ Security Risk Assessment process leverages the NIST 800-53 framework in the following key areas:
- Access Control [NIST SP 800-53 Section 1] – Controls related to network, application, system, and wireless access, account creation and termination, account auditing, and segregation of duties.
- Awareness and Training [NIST SP 800-53 Section 2] – Controls related to information security awareness and training ownership, content, attendance, monitoring and compliance.
- Audit and Accountability [NIST SP 800-53 Section 3] – Controls related to user activity monitoring and auditing.
- Configuration Management [NIST SP 800-53 Section 5] – Controls related to change and configuration management, baseline configurations, change request life cycle, and authorized or approved software management.
- Contingency Planning [NIST SP 800-53 Section 6] – Controls related to business continuity planning, testing, and training.
- Identification and Authentication [NIST SP 800-53 Section 7] – Controls related to the identification and authentication of internal and external users.
- Incident Response [NIST SP 800-53 Section 8] – Controls related to incident response plan development, testing, and training.
- Maintenance [NIST SP 800-53 Section 9] – Controls related to system maintenance, personnel, and contracting.
- Media Protection [NIST SP 800-53 Section 10] – Controls related to physical media.
- System and Information Integrity [NIST SP 800-53 Section 17] – Controls related to security monitoring and alerting, as well as antivirus and antispam security.
From these areas, the TEKRiSQ platform generates a list of key recommendations and actions related to people, process, and technology.