Information Security Risk Assessment
Cyberattacks have become increasingly common, with a clear upward trend from year to year, and regulatory requirements have intensified accordingly.
Every organization must therefore prepare itself and report to management how well it is prepared against these attacks and what it still lacks to complete its defenses.
An information security risk survey covers every layer of security within the organization's existing processes and systems: from physical security to the security of the infrastructure, including operating systems, networks, databases, user management and authorization, backup processes and more.
In other words, the survey examines the organization's information security end-to-end, both in terms of business and management processes and in terms of whether information security policies and procedures exist and follow accepted standards in the field. As part of the process, we map the organization's critical information assets, meaning those whose leakage to an unauthorized party would cause serious damage to the organization.
In addition, a significant part of the process is a technological review of the organization's existing systems: the overall network architecture, the central operating systems, the configuration of security equipment such as firewalls and antivirus systems, the hardening of servers and representative endpoints, conformity with standards and regulations, general configuration checks of communication equipment including Wi-Fi, and more.
The survey is by nature both broad and deep, practical and applied, and highlights the existing information security gaps in company structure, the organization's security culture, employee awareness, physical security, security governance and more.
The goal of the project is to map the organization's information security and cyber risk centers and exposures in order to produce an initial map of the company's cyber risks, including the impact of those risk centers on risk management and decision-making in the field of information security.
As part of the project, the main information security risk centers within the company's activity will be mapped, with reference to their direct impact on financial, operational, regulatory and reputational risk.
Work methodology and the project team
Avalon Security operates according to a work methodology in which all consultants are trained, covering the mapping and protection of information assets in organizations. The company provides experts and consultants in information security and risk management with in-depth familiarity with the ISO 27001 and ISO 27799 information security standards.
Projects are carried out on the basis of this methodology and of good practices accepted in the information security field, such as those published by NIST.
We believe that using a methodology that has been tested and successfully implemented across a variety of projects and types of companies is an important factor in the success of a project and in its efficient and effective implementation. The methodology is built and updated regularly on the basis of the projects carried out by the company's information security experts and consultants, drawing on their experience with the challenges that the field presents and how to cope with them. The professional team assembled to execute the project will carry it out with minimal disruption to the organization's ongoing work. The project includes the following activities:
- Interviews with the key responsible parties.
- Review of internal organizational documents, such as information security policy documents, procedures governing the organization's conduct, and more.
- Mapping of the organization's critical systems: questioning and interviewing system managers and other relevant parties.
- On-site inspection: the inspection covers all areas of the company where potential risks may arise and which are therefore important for the risk assessment:
  - Production, processing, storage, management, etc.
  - Supply facilities, control rooms, media centers, etc.
  - Other areas essential to the company's activity, areas prone to risk, concentrations of assets, etc.
As part of the survey, the following topics will be addressed in detail:
- Examination of all devices connected to the networks, such as servers, endpoints, mobile devices, etc.
- Analysis of the communication infrastructure: WAN links, LAN and wireless networks in the organization.
- Interviews with key people: interviews with various parties in the organization to obtain different perspectives on information security, prioritization of resources, etc.
- Examination of the organization's information security procedures, both as written and as implemented in practice.
- Examination of the databases against regulatory requirements, including database registration with the Ministry of Justice and other applicable regulations as needed.
- Characterization of the information held in the organization, definition of priorities, definition of critical systems, etc.
- An in-depth examination of the organization's existing security measures: their architecture, their configuration, and the security gaps they leave, all with reference to the characterization of the information and its sensitivity according to the organization's needs.
- Examination of how users are managed in the systems: login permissions, access to resources, and more.
- Examination of employees' awareness of information security issues, the organization's training policy, password handling, etc.
- Analysis of how work with outsourced companies is conducted: connection methods, employment agreements, etc.
At the end of the project, the company will receive a report containing all the findings collected during the tests, initial recommendations for correcting the deficiencies found, and supporting references. The report will be written in detail and will include, in addition to the findings, the technological background and methodological details of the tests.
In addition, the first part of the report will be an executive summary, setting out the main points of the report for personnel who are not familiar with technological concepts. The main findings will be classified by risk level, derived from the likelihood that the threat is realized and the severity of the harm if it is realized.
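The classification described above, rating each finding by likelihood and by severity of harm and deriving a risk level from the two, is the part of the report that practitioners most often want to see in concrete form. The following is an added example, not Avalon Security's own tool, and the scale it uses is an assumption the page does not state: likelihood and impact are each rated 1 to 5, the score is their product, and the score is bucketed into Low, Medium, High and Critical. The findings are constructed sample data.

```python
"""Risk scoring for survey findings.

Added example, not Avalon Security's tool. Scale is an assumption: likelihood
and impact are each 1..5, risk score = likelihood * impact (1..25), bucketed as
Critical (20-25), High (12-19), Medium (6-11), Low (1-5). The products of two
values in 1..5 are 1,2,3,4,5,6,8,9,10,12,15,16,20,25, so each possible score
falls into exactly one band.
"""
from dataclasses import dataclass

# (minimum score, band name), checked from highest to lowest.
RISK_BANDS = (
    (20, "Critical"),
    (12, "High"),
    (6, "Medium"),
    (1, "Low"),
)


@dataclass(frozen=True)
class Finding:
    id: str
    title: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    domain: str      # survey area the finding belongs to


def risk_score(likelihood: int, impact: int) -> int:
    """Product of likelihood and impact; rejects ratings outside 1..5."""
    for value, name in ((likelihood, "likelihood"), (impact, "impact")):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be in 1..5, got {value}")
    return likelihood * impact


def risk_band(score: int) -> str:
    """Map a score 1..25 onto its band name."""
    for threshold, name in RISK_BANDS:
        if score >= threshold:
            return name
    raise ValueError(f"score must be >= 1, got {score}")


def rank_findings(findings):
    """Highest risk first; ties broken by finding id for a stable report order."""
    return sorted(
        findings,
        key=lambda f: (-risk_score(f.likelihood, f.impact), f.id),
    )


def executive_summary(findings):
    """Number of findings per band, ordered Critical -> Low, for the summary page."""
    counts = {name: 0 for _, name in RISK_BANDS}
    for f in findings:
        counts[risk_band(risk_score(f.likelihood, f.impact))] += 1
    return counts


def report_lines(findings):
    """One line per finding, e.g. 'F-01 [Critical 20] ... (access control)'."""
    lines = []
    for f in rank_findings(findings):
        score = risk_score(f.likelihood, f.impact)
        lines.append(f"{f.id} [{risk_band(score)} {score}] {f.title} ({f.domain})")
    return lines


# Constructed sample findings for illustration only.
SAMPLE_FINDINGS = [
    Finding("F-01", "Shared local administrator password on all servers", 4, 5, "access control"),
    Finding("F-02", "Guest Wi-Fi bridged to internal LAN", 3, 4, "network"),
    Finding("F-03", "Backup media stored unlocked in server room", 2, 4, "physical"),
    Finding("F-04", "No documented information security policy", 3, 2, "governance"),
    Finding("F-05", "Visitor badges not collected at exit", 2, 1, "physical"),
]

if __name__ == "__main__":
    for line in report_lines(SAMPLE_FINDINGS):
        print(line)
    print(executive_summary(SAMPLE_FINDINGS))
```

The product scale is deliberately coarse: the point of the executive summary is to let non-technical readers see how many findings sit in each band and which ones come first, and the ranking order should not change when two assessors disagree by one point on a rating.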