Kimmons Investigative Services, in working with Mitch Price, can deliver global experience and expertise in security risk assessment. This includes extensive consulting and work in security risk assessment with government and private sector entities.
The process begins with a comprehensive overview of foreseeable and reasonable risk, including physical and cyber security. Mitigation strategies follow, with proposed solutions that take into account the organization’s risk tolerance. A cost-benefit analysis is prepared and presented. Our services can include collaboration with corporate insurance underwriters in security risk assessment associated with terrorism, maritime piracy, kidnap and ransom, and cyber security.
Each entity and situation presents unique challenges and opportunities, but the basic steps in security risk assessment apply in most while being modified for the client’s needs.
Systems Utilized in Security Risk Assessment
As needed in each client’s unique situation and risk profile, these systems can be used to complete the assessment process.
Facility Analysis – The physical security of the organization’s facilities, buildings, parking areas, and other infrastructure to assess physical risks. This includes physical locks, cameras, alarm systems, and power supply and backups.
Network Evaluation – There are many components involved in the network supporting the operations of an organization. Each mission critical item is examined for performance and security including wireless networks, firewalls, and other network equipment.
Server Analysis – The organization’s server(s) are mission critical and are carefully examined for server redundancy, authorization, authentication, and malware protection.
Company Policy and Data Security – The organization’s security policies and how data is secured are critical and carefully analyzed. All policies and organization manuals are examined to assess risk associated with the handling of data and proprietary information. How data is encrypted and access is granted are carefully analyzed.
Steps Involved in Security Risk Assessment
Some or all of these steps can be a part of the security risk assessment process, and they are incorporated and/or modified to fit the specific needs of the client.
Determine the Scope of the Security Risk Assessment – The larger the organization, the more important it is to first determine the scope of the security risk assessment. In some cases the security risk assessment does not encompass the whole organization. It could involve branches or locations, new enterprises or undertakings, or the addition of services not previously offered. When the scope of the assessment is determined, all organization personnel and third parties involved should be on board for the process.
Identification of Vulnerabilities and Threats – Threats can be either internal or external as well as accidental or intentional. These would be threats that can damage the facilities, operations, or proprietary property of the organization. Vulnerabilities are situations or flaws in the operations, facilities, or data storage that would open the organization up to internal or external threats.
Risks and Their Potential Impact Analysis – Once risks are identified, the ways in which they can impact the organization are determined as well as the potential damage to the organization or its processes. In this step, previous data about similar risks and their impact on other government or private sector entities and the prevalence of the risks/threats helps in determining necessary actions.
Risk Prioritization – In this stage of the security risk assessment, each potential risk or threat is prioritized through a determination of the possible damage to the organization. Once risks are prioritized, action can be taken, usually in one of three ways:
- Avoiding the risk – for low risk threats, avoiding any mitigation actions is acceptable if desired.
- Transferring the risk – for higher risk threats, but those that would be difficult or impossible to mitigate, taking out specialized insurance or hiring security or third party control are viable options.
- Mitigation of the risk – significant risks should be mitigated through internal control actions or hiring of specialized help. By placing the proper controls and/or taking other measures, the threat from a risk can be mitigated. However, it is important to note that there can be situations when some risk is missed or is not fully addressable.
Risk Documentation – Throughout the process, detailed records and notes should document risks, evaluations, and actions taken. This record should document all risks, dates analyzed or evaluated, and the actions taken or recommended. Reports should document the timeline, actions, and results. When internal actions are required, records should indicate the parties responsible for action.
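The prioritization and documentation steps above, as an added illustration in Python (not a tool from Kimmons Investigative Services). It assumes a likelihood-times-impact score as the proxy for possible damage, a threshold of 6 for "low risk", and a constructed sample register; it ranks risks, assigns one of the three treatment options listed above, and logs the decision, date and responsible party for each risk.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Risk:
    name: str
    likelihood: int          # assessor's estimate, 1 (rare) to 5 (almost certain)
    impact: int              # potential damage, 1 (negligible) to 5 (severe)
    mitigable: bool          # can internal controls or specialized help address it?
    evaluated_on: date       # date analyzed or evaluated (documentation step)
    owner: str = "unassigned"  # party responsible for action
    treatment: str = ""
    actions: list = field(default_factory=list)  # record of actions taken or recommended

    @property
    def score(self) -> int:
        # Assumed scoring: likelihood x impact as a proxy for possible damage.
        return self.likelihood * self.impact

def choose_treatment(risk: Risk, low_threshold: int = 6) -> str:
    """Map a risk to one of the three treatment options listed above."""
    if risk.score < low_threshold:
        return "avoid"      # low risk: no mitigation action is required
    if not risk.mitigable:
        return "transfer"   # higher risk, hard to mitigate: insurance or third-party control
    return "mitigate"       # significant and addressable: internal controls or specialized help

def prioritize(register):
    """Rank risks by score, assign a treatment and log the decision on each risk."""
    ranked = sorted(register, key=lambda r: r.score, reverse=True)
    for r in ranked:
        r.treatment = choose_treatment(r)
        r.actions.append(f"{r.evaluated_on.isoformat()}: treatment={r.treatment}, owner={r.owner}")
    return ranked

def report(register) -> str:
    """Tabular summary in priority order, suitable for the assessment record."""
    rows = [f"{'Risk':<30}{'Score':>5}  {'Treatment':<10}Owner"]
    for r in prioritize(register):
        rows.append(f"{r.name:<30}{r.score:>5}  {r.treatment:<10}{r.owner}")
    return "\n".join(rows)

# Constructed sample register (not real client data).
SAMPLE_REGISTER = [
    Risk("Unpatched perimeter firewall", 4, 5, True, date(2024, 1, 15), "Network lead"),
    Risk("Kidnap of travelling staff", 2, 5, False, date(2024, 1, 15), "Security director"),
    Risk("Lobby camera outage", 2, 2, True, date(2024, 1, 15), "Facilities"),
    Risk("Single server, no redundancy", 3, 4, True, date(2024, 1, 15), "Server admin"),
]
```

Calling `report(SAMPLE_REGISTER)` returns the register in priority order with the chosen treatment and owner per row.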
Conclusion
Security Risk Assessment grows in importance as technological advancements make threats and intrusion more likely and more difficult to detect or avoid. Feel free to contact us using the form below for more information or with your questions. Either Mitch or Rob will contact you shortly.