1: Risk Identification
During this phase, we evaluate and validate controls to identify vulnerabilities in your organization's information systems, networks, and data. We document the implemented controls that mitigate the risks associated with each identified vulnerability, provide a preliminary scoring of compliance levels, and deliver an external vulnerability scan report.
2: Risk Analysis
In this phase, we evaluate vulnerabilities in terms of the risks they pose to information and systems in scope for the engagement. We develop acceptable risk criteria, assess the likelihoods and impacts of potential threats, and create a formal risk register. At the close of this phase, we provide an executive summary presentation and a detailed risk register that includes a templated Plan of Action and Milestones (POAM).
3: Risk Treatment
In this phase, we populate the initial POAM for your organization and provide recommendations for remediating risk to an acceptable level. The output of this phase gives your organization a roadmap for establishing an effective information security program or fulfilling contractual obligations.
4: Risk Management
In this phase, we assist your organization in managing its program and identifying new risks. We establish scheduled counseling sessions to provide oversight of risk management activities, and we define ongoing risk register procedures and POAM oversight functions that help your organization maintain compliance and improve security over time. We provide guidance for the ongoing operation of a formal risk management program, which includes reviewing POAM status, identifying and documenting new risks to the organization, performing ongoing information security program assurance checkpoints, updating the risk register, providing industry compliance and security insights, and developing reports for upper management and the ISMG.