Risk assessment is the process of determining risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation and use of information systems, and ultimately deciding whether these risks are acceptable. Following the collection of system characterization information, the process of assessing risk begins by determining system-specific threats based on the system operations, configuration, information, and geographical location.
Web applications are a critical resource for organizations. These systems have access to and store highly sensitive personally identifiable information. Payment and other financial data can also be impacted through compromises of some of these systems. As a result of their importance, it is absolutely essential that strong security controls are implemented in order to reduce the likelihood and impact of attacks. It is also important to continue raising the level of difficulty for attackers to penetrate these systems. Our testing methodology is designed to identify security flaws as well as areas where there may be a more effective and scalable way to implement a security control.
RADcube has extensive experience conducting risk assessments and writing risk assessment reports for Federal government agencies.
Risk assessment methodology includes five principal steps:
- Characterize the system, including its boundaries and components.
- Identify threats to the system.
- Identify system vulnerabilities and existing safeguards.
- Assess the risk to the system (risk = likelihood × impact).
- Determine risk mitigation strategies.
After security testing, our risk assessment team documents the results in the Risk Assessment Report, where risks are identified, prioritized, and estimated based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems. This report describes the threats and vulnerabilities, measures the risks, and determines the impact of any exploited vulnerabilities. It is useful to senior management and system owners in understanding a system’s security posture and overall risk level, as well as any residual risks, so that they can allocate the necessary resources to correct or reduce potential damages.
IT security audit
A company’s networks are its means of communication and information sharing. However, by virtue of “sharing,” information security comes under attack every day. Information security is compromised not only by individuals outside the company, but by those inside as well. As information is shared via email, attachments, and network drives, the dangers posed by allowing access are heightened. To minimize these dangers, companies need to be aware of unauthorized access and take steps to correct or protect their resources.
The purpose of an internal audit is to provide operations management with an independent review of the adequacy and effectiveness of the operations’ internal controls.
RADcube IT security audit services include reviews of:
- Authentication and access controls
- Network security
- Host security
- User equipment security (e.g., workstation, laptop, handheld)
- Personnel security
- Physical security
- Application security
- Software development and acquisition
- Business continuity – security
- Service provider oversight – security
- Data security
- Security monitoring
IT security audit results are provided in an extensive report containing:
- Executive summary
- Remediation action plan
- Detailed audit results
- Control descriptions and verification procedures
- Supporting documentation