Information Security Assessments


Do you ever wonder how secure your environment really is?

An information security assessment tells you the current state of your information security controls, where you have gaps, and how to get to an acceptable level of control.

Information security assessments are often mistakenly referred to as IT or network security assessments. A true information security assessment covers not only technical (IT, network, and application) security but also physical security and policy and procedure analysis.






Overview of the FRSecure assessment process


Choose a standard

If you haven't chosen a standard on which to build your security program, we'll work with you to choose one that fits your business.

Most FRSecure information security assessments are based on ISO standard 27002 (17799). Occasionally they may be based on another standard, such as NIST.

Compare your existing information security controls against the chosen information security framework

Security areas we focus on in an FRSecure assessment:

[Figure: Security Ring]


* Don't need a full assessment? Each area can be assessed independently.

Where there are gaps, assign metrics

Metrics are assigned to each control and aggregated to create a "Risk Rating". The metrics used are:
  • Level of Effectiveness ("LOE"): a measure of control quality and maturity
  • Likelihood of an adverse event or threat
  • Potential Impact suffered by the organization if the event occurs
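The following is an added illustration, not FRSecure's scoring model, of how the three metrics above can be attached to individual control findings and rolled up into a risk rating. The 1-to-5 scales, the aggregation formula (likelihood times impact, scaled by how much of the control is missing), the grade bands, and the sample findings are all assumptions made for the example.

```python
"""Added example: turn per-control LOE / likelihood / impact scores into a
risk rating and a prioritized list.  Scales and formula are assumptions."""
from dataclasses import dataclass
from statistics import mean

SCALE_MAX = 5  # assumption: every metric is scored on a 1..5 scale


@dataclass(frozen=True)
class ControlFinding:
    control: str      # control name, e.g. one taken from ISO 27002
    area: str         # assessed area: "technical", "physical" or "policy"
    loe: int          # Level of Effectiveness: 1 = absent / ad hoc, 5 = mature
    likelihood: int   # likelihood of an adverse event exploiting the gap
    impact: int       # impact on the organization if that event occurs


def _check_scale(value: int, name: str) -> None:
    if not 1 <= value <= SCALE_MAX:
        raise ValueError(f"{name} must be between 1 and {SCALE_MAX}, got {value}")


def risk_rating(f: ControlFinding) -> float:
    """Assumed formula: exposure (likelihood x impact, max 25) scaled by the
    fraction of the control that is missing.  LOE 5 -> gap 0 (no residual
    risk from this control); LOE 1 -> gap 1 (the full exposure applies)."""
    for name in ("loe", "likelihood", "impact"):
        _check_scale(getattr(f, name), name)
    gap = (SCALE_MAX - f.loe) / (SCALE_MAX - 1)
    return f.likelihood * f.impact * gap


def grade(rating: float) -> str:
    """Assumed grade bands on the 0..25 rating range."""
    if rating >= 15:
        return "High"
    if rating >= 8:
        return "Medium"
    return "Low"


def prioritize(findings: list[ControlFinding]) -> list[tuple[str, float, str]]:
    """Highest residual risk first: (control, rating, grade)."""
    scored = [(f.control, risk_rating(f), grade(risk_rating(f))) for f in findings]
    return sorted(scored, key=lambda row: row[1], reverse=True)


def area_ratings(findings: list[ControlFinding]) -> dict[str, float]:
    """Mean rating per assessed area, so gaps can be compared across areas."""
    by_area: dict[str, list[float]] = {}
    for f in findings:
        by_area.setdefault(f.area, []).append(risk_rating(f))
    return {area: mean(ratings) for area, ratings in by_area.items()}


def overall_rating(findings: list[ControlFinding]) -> float:
    """Single aggregate figure across every control assessed."""
    return mean(risk_rating(f) for f in findings)


# Constructed sample findings (hypothetical, not from any real assessment).
SAMPLE_FINDINGS = [
    ControlFinding("Access control policy", "policy", loe=2, likelihood=4, impact=4),
    ControlFinding("Patch management", "technical", loe=1, likelihood=5, impact=4),
    ControlFinding("Visitor badging", "physical", loe=4, likelihood=2, impact=3),
    ControlFinding("Backup restore testing", "technical", loe=5, likelihood=3, impact=5),
]

if __name__ == "__main__":
    for control, rating, band in prioritize(SAMPLE_FINDINGS):
        print(f"{band:6} {rating:5.2f}  {control}")
    print("per area:", area_ratings(SAMPLE_FINDINGS))
    print("overall :", overall_rating(SAMPLE_FINDINGS))
```

Because the LOE term zeroes out the rating for a mature control, a high-impact control that is already well implemented (the backup example) correctly drops to the bottom of the priority list, while an absent control facing a likely threat rises to the top.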


Example controls for each area:

[Figure: Control Examples]



Process and Deliverables
At a high level, the assessment process consists of five steps:
  • Planning and coordination – planning timelines, resource constraints, and activities.
  • Information gathering – a combination of remote and onsite information gathering used to justify risk findings and ratings.
  • Organization and comparison – paring thousands of pages of information into manageable "chunks" and comparing them against well-known industry standards and practices*.
  • Analysis and quantification – analysis of control gaps (coverage, quality, functionality, etc.) and quantification of the associated risks.
  • Translation and communication – translating risks into grades, prioritizing risks, generating recommendations, and producing reports.

*Information gathered during the assessment is compared against well-known industry standards such as those found in ISO 27002 (17799:2005), NIST, and others.

The primary purpose of the assessment deliverables is to communicate the findings and recommendations to relevant parties.


Deliverables include:
  • Information Security Assessment Executive Summary Report – a high-level overview of the assessment process, findings, and recommendations.
  • Information Security Assessment Full Report – an in-depth report that details the assessment process, all findings, all recommendations, and action plan.


Our analysis and reporting are second to none. Sample deliverables are available upon request so that you can see the difference for yourself.



Contact us for our full methodology or to request a quote.
