The methodology that Integrity IT uses to perform the security risk assessment (SRA) is based on risk assessment concepts and processes described in NIST[1] SP 800-30 Revision 1.

Overview of the Risk Assessment process:

• Identify and document all Personally Identifiable Information (PII) repositories
• Identify and document potential threats and vulnerabilities to each repository
• Assess current security measures
• Determine the likeliness of threat occurrence
• Determine the potential impact of threat occurrence
• Determine the level of risk
• Determine additional security measures needed to lower the level of risk
• Document the findings of the Risk Analysis

Interview and Data Gathering

Working with the Business Owner and key leadership (ex. Operation and IT Management), the Integrity IT Security Team identifies and documents existing IT configurations and security operations, along with a high-level review of Policy and Procedure.  Physical security and processes are observed during a site visit.  This initial interview and walk-through requires about 90 minutes of your time to identify Technical[2], Administrative[3] and Physical[4] aspects of Security.

Vulnerability Scan

Based on parameters defined by your business, Integrity IT performs a one-time Vulnerability Scan of your external (public-facing IP addresses) and your internal IP addresses.

Analysis of Findings

The Integrity IT Security Team will perform an analysis of the information gathered.

Deliverables

Present / Review findings with your team.

Reports

The output will include a series of actionable reports that identify gaps in your current IT Security Controls along with a prioritized list of specific recommendations based on the value of the IT asset and the level of risk identified.

Security Posture Improvement Roadmap

Based on the Analysis, we will create a detailed work plan to easily track your remediation / mitigation progress.  We work with your team to determine priorities based on the analysis, your risk tolerance, business priorities, and resources to create a roadmap that is the best investment for your business.

Policy and Procedures based on NIST Guidelines

Integrity IT provides security policy templates based on NIST guidelines which your business can customize and adopt into practice if desired. Examples include: Employee Termination Procedures, Data Backup Procedures and Disaster Recovery Procedures

PII-Protect Training Portal Roll-out to your staff (1yr subscription)

This web-based Security Training portal includes self-paced, up-to-date videos and slides.  There is also a testing component to help ensure participation and ongoing tips delivered by email.

Options Available

Mitigation Assistance 

Integrity IT has the solutions and expertise to address IT Security Risk.  Your IT team can leverage Integrity IT as a partner in a project or with a solution that may be a fit ongoing.

Beyond a one-time Security Risk Analysis

Integrity IT’s security division offers Managed Security Services that provide ongoing protection, monitoring, alerting and incident response.  These services can help you to continue your path to a more secure IT environment.

Let us know if you want to learn more about Business Security Assessments.

Talk with an Expert about a Best Practice SRA

First Name *

Last Name *

Company *

Email *

Phone

Keep this field blank

Request Your Free SRA Consult Now

[1] The National Institute of Standards and Technology is a measurement standards laboratory, and a non-regulatory agency of the United States Department of Commerce.  With a world-class measurement and testing laboratory encompassing a wide range of areas of computer science, mathematics, statistics, and systems engineering, NIST’s cybersecurity program supports its overall mission to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and related technology through research and development in ways that enhance economic security and improve our quality of life.  https://www.nist.gov/topics/cybersecurity

[2] Technical Safeguards

• Access controls to restrict access to sensitive or protected data to authorized personnel only
• Audit controls to monitor activity on systems containing sensitive or protected data, such as an electronic health record systems and databases
• Integrity controls to prevent improper data alteration or destruction
• Transmission security measures to protect data when transmitted over an electronic network

[3] Administrative Safeguards

• Security management processes to identify and analyze risks to sensitive or protected data and implementing security measures to reduce risks
• Staff training to ensure knowledge of and compliance with your policies and procedures
• Information access management to limit access to sensitive or protected electronic data
• Contingency plan to respond to emergencies or restore lost data

[4] Physical Safeguards

• Facility access controls, such as locks and alarms, to ensure only authorized personnel have access into facilities that house systems and data
• Workstation security measures, such as cable locks and computer monitor privacy filters, to guard against theft and restrict access to authorized users
• Workstation use policies to ensure proper access to and use of workstations