processes and examines how the information security systems provide a sufficiently high-quality response in protecting them.
The survey begins with an investigation, during which we meet several officials in the organization and learn about its various systems and critical threat scenarios.
Next, we conduct a rigorous technological review, during which we test all information security systems, Active Directory, cloud servers, the network topology and the information security architecture.
Finally, we submit a comprehensive report, which includes details of the identified threats and a list of security gaps ranked according to their severity level.
Who would be likely candidates for risk assessment surveys?
- Companies that wish to get a professional analysis of relevant cyber threats.
- CISOs seeking external surveyors to thoroughly review their information security systems and provide specific recommendations.
What are the benefits of a risk assessment survey?
- A professional and objective risk assessment provides a quality examination of the systems and detailed professional instructions.
- Compliance with the requirements of customers, regulations (privacy protection, GDPR) and cyber insurance companies.
- The current computing environment is far more complex than ever before. In addition to the systems in the on-premises environment, companies also use VPCs (Virtual Private Clouds). A risk assessment survey requires an accurate analysis of the information security topology and provides practical, professional insights.
What are the highlights of the test?
The tests are conducted in accordance with the NIST and SANS methodologies, which constitute the international standard in the field, and include an examination of the following subjects, among others:
- Separation of different networks and environments.
- The policies for managing users and permissions in the organization.
- The organization’s authentication processes and its password policy.
- The logging mechanism for sensitive operations in the organizational infrastructure.
- Policy and implementation of a monitoring and alert mechanism for sensitive operations in the organizational infrastructure.
- Checking how information security systems (EDR, NAC, firewall, mail) are configured and checking their effectiveness.
- Backup and recovery policy of servers and infrastructures.
- The company’s DR program.
- The servers’ level of hardening.
- Remote connection methods to the internal network.
A risk assessment must be performed by a cyber consulting company. Do not settle for questionnaires! Demand a specialist who can review all the configurations and provide insights and comments. Whoever conducts risk assessments in the cyber world must have a deep understanding, so verify that this is the main occupation of the company you choose.