Cybersecurity Assessments

An important first step on the path to secure your enterprise

Cybersecurity-related assessments range from the overall and strategic to the very technical and tactical. They are designed to build upon one another, with each providing its own set of information so that the others can be more efficient and effective. These assessment tools and procedures also contribute to the overall security philosophy and framework by constantly measuring its efficacy.

Risk Assessments
A risk assessment is high-level, strategic, and considers far more than just security or any specific technology. It is a process that takes into account the different possible risks to the business, its people, assets and infrastructure, and their consequences. Risk assessments are conducted to determine which risks pose enough of a danger that they cannot be tolerated, even if they cannot feasibly be avoided. They also help prioritize prevention efforts in order to allocate resources where they will do the most good. A risk assessment will:
  • identify critical assets and their value,
  • identify potential risks to those critical assets,
  • define the likelihood of a threat to those assets,
  • identify the impact that threat could have on those assets, and
  • identify/recommend countermeasures to reduce or defeat possible threats.
Security Assessments

A Security Assessment is considered a more technical, “architectural review” that evaluates the people, processes, and technology as they specifically relate to cybersecurity.

  • Identify technical and IT assets
  • Identify potential threats and vulnerabilities
  • Develop metrics
  • Consider historical breach data
  • Calculate cost
  • Postulate countermeasures and remediation efforts
Compliance Assessments

Many industries must adhere to increasingly complex regulatory demands; HIPAA, PCI, NY-DFS, CCPA and GDPR are just a few. These regulations can be extremely complex and touch on more than just the technical aspects of a business. Demonstrating evidence and proof of compliance is the burden of the business. To do so, many businesses must rely on third parties to reduce the pain of managing compliance initiatives, while also minimizing the associated costs and risks of noncompliance.

Penetration Testing

Penetration Testing (Pen Test) is a highly specific and technical evaluation of weaknesses in systems, security, and countermeasures.
  • Often a manual process with some automated tools.
  • Requires highly specialized skills and expertise. Expect a higher price tag.
  • A cheap/lowest-cost Pen Test only results in a false sense of security.
  • Usually done as a snapshot/single event to validate Vulnerability Management (see below).
  • Should be performed on a reoccurring basis (not recurring) according to the overall framework and policies.
  • A good Pen Test should do two things:
      • identify new vulnerabilities, and/or
      • validate the assumptions about the current cybersecurity posture, thereby providing a feedback loop back into the security program.
  • The Pen Test allows an organization to truly understand how effective its security is from a “hacker's perspective”.

Vulnerability Management

Vulnerability Management, Vulnerability Assessment, and Vulnerability Scanning are similar and often used synonymously, but to purists there are subtle differences. They are used to specifically evaluate, rank, and patch technical weaknesses on a routine basis (e.g. daily, weekly, monthly, quarterly).
  • Usually delivered via automated tools and software by a professional provider.
  • Considered the starting point for a Pen Test. It is NOT a Penetration Test itself (don't let anyone tell you otherwise).
  • For any specific vulnerability, the best solutions provide greater context beyond the vulnerability itself, and therefore better threat scoring, reducing false positives and unnecessary panic.
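As an added illustration of that last point (this is example code, not Cloud 9 Advisers' own tooling or any scanner vendor's scoring model), the script below re-ranks a constructed set of scan findings using context the scanner alone does not have: whether the host is internet-facing, how critical the asset is, whether a public exploit exists, and whether the flagged component is actually installed. The field names, the weights, the banding thresholds and the sample findings are all assumptions made up for this example; a real program would draw them from the organization's asset inventory, threat intelligence and risk policy.

```python
"""Context-aware vulnerability prioritization (added illustration).

Not Cloud 9 Advisers' code or any scanner vendor's scoring model. The field
names, the weights and the sample findings are assumptions constructed for
this example; a real program would take them from its own asset inventory,
threat intelligence feed and risk policy.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str
    host: str
    cvss_base: float           # scanner-reported CVSS base score, 0.0 to 10.0
    internet_facing: bool      # from the asset inventory, not the scanner
    asset_criticality: int     # 1 (disposable) to 5 (business-critical)
    exploit_public: bool       # a public exploit is known to exist
    component_installed: bool  # scanner's version match confirmed on the host


@dataclass(frozen=True)
class RankedFinding:
    finding_id: str
    host: str
    score: float
    band: str


def contextual_score(f: Finding) -> float:
    """Adjust the raw CVSS score with asset and threat context (hypothetical weights)."""
    if not f.component_installed:
        # The flagged version is not actually present: treat as a false positive
        # rather than letting a high CVSS number trigger an emergency patch cycle.
        return 0.0
    score = f.cvss_base
    if f.internet_facing:
        score += 1.5          # reachable by anyone, not only insiders
    if f.exploit_public:
        score += 1.5          # attackers need no development effort
    score += 0.5 * (f.asset_criticality - 3)  # shift around an "average" asset
    return round(min(max(score, 0.0), 10.0), 1)


def priority_band(score: float) -> str:
    """Map a contextual score to a remediation band so teams act on a label, not a decimal."""
    if score == 0.0:
        return "suppressed"
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def rank_findings(findings):
    """Order findings for remediation: highest contextual score first,
    ties broken by finding id so the order is stable between runs."""
    ranked = []
    for f in findings:
        score = contextual_score(f)
        ranked.append(RankedFinding(f.finding_id, f.host, score, priority_band(score)))
    return sorted(ranked, key=lambda r: (-r.score, r.finding_id))


def rank_by_cvss_only(findings):
    """What a plain scanner report shows: raw CVSS order, no context."""
    return [f.finding_id
            for f in sorted(findings, key=lambda f: (-f.cvss_base, f.finding_id))]


# Constructed sample findings (not real hosts and not real scan output).
SAMPLE_FINDINGS = [
    Finding("F1", "web-01", 9.8, True, 5, True, True),
    Finding("F2", "db-07", 7.5, False, 2, False, True),
    Finding("F3", "vpn-gw", 5.3, True, 3, False, True),
    Finding("F4", "app-12", 9.1, False, 4, True, False),   # version mismatch
    Finding("F5", "hr-fileshare", 4.3, False, 4, True, True),
]

if __name__ == "__main__":
    print("scanner order:", rank_by_cvss_only(SAMPLE_FINDINGS))
    for r in rank_findings(SAMPLE_FINDINGS):
        print(f"{r.finding_id:3} {r.host:13} {r.score:5.1f} {r.band}")
```

Run as-is, the plain CVSS order puts the unconfirmed 9.1 finding (F4) second, while the contextual ranking suppresses it and lifts the exposed VPN gateway above the internal file share. The point is not the particular weights, which any risk policy would tune, but that the same scan data yields a very different work queue once asset and threat context are applied.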

What is the driver behind seeking any of these assessments?

Are you interested in how vulnerable you actually are, or are you just trying to “check the box”?

Have you chosen a cybersecurity framework?

If so, how do you measure its effectiveness, and how often?

For help finding the right cybersecurity companies, solutions, and professional services, reach out to us today. For a free initial consultation, and to start on the road to a new strategy and framework to protect your business, please contact Cloud 9 Advisers now.