Security Risk Assessments

Achieve Compliance with a Security Risk Assessment
Cyber security risk assessments are required by a growing number of laws, regulations and standards — including the HIPAA Security Rule, PCI DSS, Massachusetts 201 CMR 17.00, SOX Audit Standard 5 and FISMA. Why is that?
What is a Risk Assessment?
Security risk assessments create a unified set of protection and compliance priorities. By evaluating risk to your critical assets based on the potential impact to the business, risk assessments ensure that executive management and functional departments (IT operations, legal and audit) are in agreement about security and compliance priorities.
HALOCK’s cyber security risk assessment method is based upon Duty of Care Risk Analysis Standard (DoCRA). This method helps organizations determine whether they apply safeguards that appropriately protect others from harm while presenting a reasonable burden to themselves. This method helps establish if an organization has practiced “due care” in implementing their risk strategy.
Learn about our calculated acceptable risk definition and start making security and compliance decisions even before starting your risk assessment.
HALOCK guides clients through a complete risk assessment for cyber security so they can identify what parts of their organizations they must prioritize to address compliance, social responsibility, and security. Based on Duty of Care Risk Analysis (DoCRA), HALOCK’s risk assessment method also conforms to ISO 27005 and NIST 800-30 to ensure that all requirements for risk assessments are fully met.
“The project scoping team did a great job, and exceeded all expectations. We were very satisfied with the project. Thank you!”
– Global Logistics Provider
HALOCK’s security risk assessment services help organizations achieve the following benefits:
- Information security investments are measurably “reasonable and appropriate” as required by regulations and statutes.
- Information, systems, processes, people and facilities that can create risk are identified and assessed.
- Risks are prioritized, in part, by the impact that a threat has on the organization and its responsibilities.
- Information risks are considered in terms of the business mission and objectives, as well as the organization’s responsibilities to its customers — providing a unified view of risk in line with HALOCK’s Purpose Driven Security® approach.
Implement the Appropriate Controls with Risk Treatment
How do you know if your security controls are reasonable? Security risk assessments bring to management’s attention what could go wrong. But those risks remain a liability unless “reasonable and appropriate” security controls are established to protect that information, and those controls remain active. That’s where an effective IT risk treatment plan comes in.
Risk treatment is the process of implementing the appropriate information security controls. Using formalized risk management and cyber threat assessment processes, HALOCK helps you determine the appropriate level of risk treatment that is consistent with common laws, regulations and standards. In addition, HALOCK’s security engineers work closely with your staff to assist in implementing the appropriate technical solutions to help you achieve your compliance goals.
Remain Compliant with Our Risk Management Process
Compliance is not a point-in-time achievement. It is a duty of care process that operates and evolves over time. To achieve ongoing due diligence, the process of risk management must be applied; this involves monitoring security controls and correcting them when they are ineffective at reducing risk.
HALOCK helps you establish the processes for monitoring and addressing risks to your organization. Our security risk management process ensures that risk owners are accomplishing their assigned tasks, while also providing easily maintained metrics to demonstrate that security and compliance investments are “reasonable and appropriate.” Based on ISO 27001 and NIST 800-30, HALOCK’s cyber security risk assessment and management methods are practical and scalable — and are easily applied in most organizations regardless of size or complexity.
Benefits of HALOCK’s enterprise risk management approach include:
- Facilitates “buy in” across IT, legal, financial and audit functions on what the risks are and where financial investments should be made
- Quantifies risk in terms that senior management collectively defines
- Supports collaboration among senior management to focus on risks that matter to the organization, and alerts management when risks increase to unacceptable levels
- Supports collaboration among audit, operations and compliance functions to ensure that internal oversight is based on commonly defined “reasonable and appropriate” compliance and security goals
- Ensures that risk assessments are addressed and updated on an ongoing basis, rather than by conducting challenging annual assessments
- Drives managers who own risks toward security and compliance behaviors using measurable topics
- Links security and compliance performance to “reasonable and appropriate” metrics
- Demonstrates due care through a “Process Book” that organizes and records regular oversight by management
- Develops metrics for current-state and future-state risk treatment to chart progress over time
Define your reasonable security controls and acceptable responses with a complete cyber security risk assessment from HALOCK. Learn about our comprehensive approach to risk with our Risk Management Program.
Reasonable Security Resources
In Archive360’s Podcast Episode 29: What is “Reasonable Data Security”?, Bill Tolson and Chris Cronin, Partner, Governance and Engineering Practice at HALOCK Security Labs, try to define “reasonable data security” – a term that continually appears in every state’s privacy law or proposed legislation.
The Sedona Conference – an influential think tank that advises attorneys, regulators, and judges on challenging technical matters – just released its Commentary on a Reasonable Security Test. The Commentary is the first document of its kind that provides the legal community with a clear definition of a “reasonable” security control. HALOCK’s Chris Cronin was a co-author of Commentary on a Reasonable Security Test. To learn how to apply the test, contact us.
PODCAST: Cybersecurity Where You Are, co-hosts Tony Sager and Sean Atkinson are joined by Chris Cronin, ISO 27001 Auditor and Partner at HALOCK, a leading information security consultancy. Their discussion focuses on “reasonableness” as it relates to cybersecurity risk management.
RIMS: RiskWorld Recording: Reasonable Security & The Questions a Judge Will Ask You After a Data Breach
In post-data breach litigation, you must demonstrate due care and reasonable control. Learn what basic questions the court will ask and how the duty of care risk assessment (DoCRA)—based on judicial balancing tests and regulatory definitions of reasonable risk—helps you answer them.
RSA CONFERENCE 2022: A Proven Methodology to Secure the Budget You Need in a Transforming World | Recording of Presentation
2023 Cybersecurity Regulatory and Resources Calendar
A quick overview of the regulatory landscape for 2023. This reference provides links to the law or rules.