Risk Analysis in RI

A Risk Analysis is often confused with Vulnerability Management and Penetration Testing. A risk analysis doesn’t require any scanning tools or applications – it’s a discipline that analyzes a specific vulnerability (such as a line item from a penetration test) and attempts to ascertain the risk – including financial, reputational, business continuity, regulatory and others – to the company if the vulnerability were to be exploited.

Many factors are considered when performing a risk analysis: asset, vulnerability, threat and impact to the company. An example of this would be an analyst trying to find the risk to the company of a server that is vulnerable to a specific bug.

The analyst would first look at the vulnerable server: where it sits in the network infrastructure and the type of data it stores. A server sitting on an internal network without outside connectivity, storing no data but vulnerable to Heartbleed has a much different risk posture than a customer-facing web server that stores credit card data. A vulnerability scan does not make these distinctions. Next, the analyst examines the threats that are likely to exploit the vulnerability, such as organized crime or insiders, and builds a profile of their capabilities, motivations and objectives. Last, the impact to the company is ascertained – specifically, what bad thing would happen to the firm if someone acquired cardholder data?

A risk analysis will have a final risk rating with mitigating controls that can further reduce the risk. Business managers can then take the risk statement and mitigating controls and decide whether to implement them.
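As an added illustration (not part of the original page and not the firm's own scoring method), a small Python model of the analysis described above: the same Heartbleed finding on the internal, data-less server and on the customer-facing card-data server, with constructed 1 to 5 ratings and two assumed mitigating controls, so that the score and rating move with asset, threat, impact and controls rather than with the scanner finding alone.

```python
from dataclasses import dataclass, replace

# Qualitative 1 (low) to 5 (high) scales; every value below is constructed.
@dataclass(frozen=True)
class Asset:
    name: str
    exposure: int        # 1 = isolated internal host, 5 = Internet-facing
@dataclass(frozen=True)
class Vulnerability:
    name: str
    exploitability: int  # 1 = no practical exploit, 5 = public tooling exists
@dataclass(frozen=True)
class Threat:
    name: str
    capability: int      # skill and resources of the likely actor
    motivation: int      # how much this actor wants what the asset holds
@dataclass(frozen=True)
class Impact:            # what the firm loses if the asset is compromised
    financial: int
    reputational: int
    continuity: int
    regulatory: int

def likelihood(asset, vuln, threat):
    # Exploitation needs reach, a usable flaw and a willing actor, so the
    # factors multiply; the product is scaled back onto the 1..5 range.
    actor = (threat.capability + threat.motivation) / 2
    return max(1.0, asset.exposure * vuln.exploitability * actor / 25)

def rating(score):
    return "Low" if score <= 4 else "Medium" if score <= 12 else "High"

def risk(asset, vuln, threat, impact, controls=()):
    """Return (score 1..25, rating) after applying mitigating controls, each a
    dict of factor -> value once the control is in place (assumed scheme)."""
    for changes in controls:  # a control rewrites only the factors it names
        asset, vuln, impact = (replace(o, **{k: v for k, v in changes.items()
                                             if hasattr(o, k)}) for o in (asset, vuln, impact))
    worst = max(impact.financial, impact.reputational, impact.continuity, impact.regulatory)
    score = likelihood(asset, vuln, threat) * worst  # worst-case impact dimension drives the rating
    return score, rating(score)

# The two Heartbleed-exposed servers contrasted in the text above (constructed values).
HEARTBLEED = Vulnerability("Heartbleed", exploitability=5)
LAB = (Asset("internal server, no data", 1), HEARTBLEED, Threat("insider", 2, 1),
       Impact(financial=1, reputational=1, continuity=2, regulatory=1))
CARD = (Asset("customer-facing web server, card data", 5), HEARTBLEED,
        Threat("organized crime", 4, 5), Impact(financial=5, reputational=5, continuity=3, regulatory=5))
CONTROLS = {"patch OpenSSL": {"exploitability": 1},
            "tokenize stored card data": {"financial": 2, "reputational": 3, "regulatory": 2}}
```

The scales, the multiplicative likelihood and the rating bands are assumptions chosen for illustration; a real analysis substitutes the firm's own scoring scheme. Calling `risk(*CARD, [CONTROLS["patch OpenSSL"]])` and `risk(*CARD, CONTROLS.values())` shows the rating stepping from High to Medium to Low as controls are added.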
