Risk Assessment and Risk-Focused Services

MSI believes that information security programs should be based on risk. If you don’t understand the true nature and level of risk that menaces your information systems, then how can you possibly allocate resources to manage that risk intelligently and economically? With this in mind, MSI offers a variety of flexible risk management services designed to aid our customers in determining and managing the risks they face.

Risk Assessment

Risk assessment entails analyzing the information system in question, determining vulnerabilities and threats to the system, assessing how likely it is that threat actors will exploit those vulnerabilities and determining what the level of impact would be if they did. All these factors together equal “risk”. The scope of a risk assessment is variable and can be limited to a single system or process, or can encompass the entire organization. At MSI we have extensive experience in performing information security risk assessments of all levels for a variety of organizations and businesses. These include financial institutions, government organizations, manufacturers/retail organizations and infrastructure providers. Our risk assessment process is based on NIST and ISO guidance, and includes our proprietary Risk Determination Table that allows the client to view the entire risk picture posed by each threat in an easy to digest, line-across fashion. MSI can also employ alternative risk assessment methodologies, such as OCTAVE, upon request. We can even train your own personnel how to conduct small-scale internal risk assessments; a tool invaluable to management when making risk treatment and provisioning decisions.

MSI risk assessment engagements include our auditor friendly, clear, concise and actionable standard reports. These reports include an executive summary, a technical manager’s report and a technical detail report. All reports include color graphics, mitigation advice and full explanation of the work performed and the findings produced. Customized reporting is also available at an additional charge, along with readouts, briefings and other awareness activities for the report data.

Compliance Assessment

Most of us are already responsible for ensuring that our information system security programs meet regulatory standards such as those found in HIPAA/HITECH, SOX, GLBA, PCI, NERC CIPs, etc. For many years, MSI has kept abreast of, and even helped to influence, the information security regulations and guidelines set forth by government organizations and private industry. We conduct compliance assessments that address each point of such regulatory guidance, and that are tailored specifically to your organizational requirements and level of complexity. These assessments are fully scalable and can cover the entire information security program or can be limited to specific areas of the program such as access controls and provisioning or management controls and oversight. And for organizations that are not currently regulated but that wish to assess their compliance with cutting edge information security guidance, we have our 20 Critical Controls for Effective Cyber Defense compliance assessment. This assessment is constantly updated to keep pace with updates to the guidance, and can be tailored to fit organizations of any size or complexity.

Each MSI compliance assessment engagement includes Compliance Assessment and Executive Summary reports. The compliance assessment report contains a full description of the assessment process, a table containing all of the security points assessed during the engagement, a gap analysis that includes recommendations for remediating organizational variance with guidance and a roadmap designed to help management remediate gaps in a hierarchical manner based on risk, ease of implementation and urgency. The Executive Summary contains a synopsis of the assessment processes, results and remediation recommendations in non-technical language.

Business Impact Analysis

Business Impact Analysis (BIA) helps organizations recognize and prioritize which information, hardware and personnel assets are crucial to the business so that proper planning for contingency situations can be undertaken. In addition, however, this process is also very useful in helping organizations understand what information assets they have and how they move; knowledge that is crucial in designing and implementing an effective and economical information security program. The BIA process can be used by the organization to help construct inventories of software and hardware assets, map data flows and trust relationships, identify single points of failure, construct proper network segmentation and much more. MSI can help your organization conduct a proper BIA by overseeing the process, constructing departmental questionnaires and analyzing results. We can also help ensure that your organization gets the most from their assessment dollars.

Business Continuity and Incident Response Risk Management

Business continuity and incident response (BC and IR) programs are a necessary part of any complete information security program. Many organizations lack these programs or, even if they do have them in place, do not practice or update the programs effectively. What good is a business continuity or incident response plan if it doesn’t work when you need it?

MSI has more than a decade of experience in reviewing and authoring BC and IR policies and processes for various financial institutions, government agencies and private concerns. We can analyze your program for completeness and compliance with regulatory requirements. Or, for organizations that currently lack BC and IR programs, MSI can help author policies and plans that fit your size, complexity and requirements. In addition, MSI can assist your organization in designing and implementing table top BC or IR practice sessions that are as close to real-world incidents as possible. This important process is essential in ensuring that your BC/IR process works as designed and is updated effectively.

For more specific information about our risk management services, please contact your MSI account executive. They will be happy to work with your team to design a customized scope of work to address your specific needs.