Risk Management
Our security assessment methodology has been designed to produce an accurate and useful security risk assessment while remaining practical and easy to apply. By combining the strongest elements of established security risk assessment practice, it avoids the limitations and high cost of traditional assessments. The result is a view of security that is consistent from the executive level down to the individual control.
The assessment process should facilitate and enable business objectives, not hinder or prevent innovation. Designing security into a project can enable business strategies that would otherwise be too risky or technically infeasible. Security should strive to be a partner with the project team in identifying security solutions to make the project successful. Finally, integrate the assessment process into your security policies and into existing corporate project planning and project management processes. In this way, security will always be at the forefront of project planning, management and implementation.
The Philosophy
Security has always required a mixture of technical and executive thought leadership. Traditional assessment solutions that focus on simple vulnerability probing fail to provide the information required to make good security decisions. At the same time, purely top-down, high-level assessment approaches have proven to be of little use in guiding the actions of hands-on staff.
Our methodology and technology have been designed to harmonize executive goals and compliance requirements with the security details that matter. Our policy-driven engine takes input at the highest level of an organization and translates it into a detailed guide for securing individual objects and controls. In the other direction, the technical details of risks and controls for individual objects are rolled back up to the executive level to show where the organization is meeting its security needs and where it is falling short. The whole process generates a top-to-bottom view of security and compliance within the organization that is meaningful at every level: an accurate and consistent assessment that yields useful information and reports for executives, managers and hands-on staff alike.
The baseline, or reference point, for any security assessment should be corporate security policy. For assessments to be consistent and credible, they must be measured against security policy that is approved and published. Security policy must also be deployed so that it is known and accepted by employees, project managers and management throughout the corporation. Information Security Policy World states that “the fundamental question is how to deploy the policies - how to deliver them. This is critical, as undelivered or badly delivered policies might as well not exist”.
A security assessment policy should be part of the policy suite. An established policy requiring a security assessment for certain types of projects is essential; without it, a security assessment will rarely be included in corporate or business unit project planning. Corporate security policy should also represent the general risk posture of the institution. Every business is in the business of taking risk: businesses make money by taking risk. The only way to eliminate security risk entirely is to close up shop, which is not a practical way to implement a mission statement.
Hence, security policies define the level of risk that an organization considers normal business activity. No two organizations have the same policies because no two take the same risks. Every enterprise must determine which risks are standard business activity and which should be avoided, or reviewed as policy exceptions that may be approved under special circumstances.
Key Benefits
As the security consultants for your organization, we commit to:
Purpose
In our view, the goal of a security assessment (also known as a security audit or security review) is to ensure that the necessary security controls are integrated into the design and implementation of client projects. A properly completed security assessment should deliver documentation that identifies every security gap between the project design and the approved corporate security policies.