Risk Assessment

Rapid, Actionable Risk Data

Where are the holes in your security operation? Which carry the greatest risks to your organization? If you are not certain of these answers, you need to be. Our rapid risk assessments bring clarity to the confusing landscape of enterprise security. 

Fast

Our innovative asset classification technique accelerates the risk assessment process. Enterprise-wide assessments take us just weeks.

Technical

Our rapid risk assessments include control strength assessments such as penetration testing, vulnerability scanning, and configuration analysis.

Collaborative

Anitian emphasizes face-to-face interviews with stakeholders for data collection. We avoid the use of surveys as they often produce unreliable data.

Clear

Simple, plain English reports clarify risk reduction activities, while concise recommendations fuel rapid decision-making among leadership.

Risk Assessment Services

Rapid Risk Assessment: Overview
A great security program is built upon a foundation of risk management. But what happens if your risk data is inaccurate or outdated? Modern information technology moves fast, so fast that traditional risk assessment practices cannot keep up.

Introducing RiskNow® Rapid Risk Assessment from Anitian. RiskNow® takes the best concepts from traditional risk assessment frameworks, like NIST, and accelerates them for today’s volatile cloud and hybrid environments. With RiskNow®, you can cut through the complexity and pinpoint the real threats you face, right now. Furthermore, RiskNow® puts risk management into language leaders can quickly understand and use.

RiskNow® Rapid Risk Assessments, like all of Anitian’s services, are available as part of an Anitian Beyond subscription. RiskNow® risk assessment techniques are also integrated into all our services, including Penetration Testing, Application Security, and Sherlock Managed Detection and Response.
RAPID RISK ASSESSMENT
Whether it is a single app or an entire enterprise, Anitian’s RiskNow® Rapid Risk Assessment approach delivers the intelligence you need in a fraction of the time. Your RiskNow® Rapid Risk Assessment includes:
  • Formal project management with Anitian’s exclusive Vision Client Engagement Portal
  • Establishment of scope and context for risk
  • Interactive and collaborative discussions with technical custodians and business process owners
  • Integrated technical testing, such as penetration testing, configuration assessment, and code review
  • Production of a holistic framework that fuses empirical data and qualitative analysis
  • Development of a Business Risk Intelligence Report (BRIR) that communicates complex concepts in simple business language
  • Inclusion in the BRIR of an action plan that defines practical remediation steps in alignment with the technical, operational, and financial realities of your business
  • Executive briefings and implementation assistance
THIRD PARTY RISK ASSESSMENT

Third party vendors represent one of the most significant risks businesses face. Anitian’s RiskNow® Rapid Risk Assessment can provide independent validation of the cybersecurity of your vendors. We use a unique trust model, which focuses on how much trust you should extend to your vendors. 

FFIEC RISK ASSESSMENT

Each year, financial institutions are required to complete a risk assessment to comply with FFIEC guidelines. Anitian’s FFIEC Rapid Risk Assessment is designed to meet these requirements. Additionally, Anitian can ensure the Inherent Risk Profile and Cybersecurity Maturity reports are completed in a holistic, practical manner.

PCI RISK ASSESSMENT

The RiskNow® PCI Risk Assessment not only addresses PCI DSS Requirement 12.2 (the annual risk assessment requirement), but also arms you with vital threat intelligence, so you can build a secure and compliant environment.

SECURITY CONTROLS STRENGTH ASSESSMENT

Are your controls working? How do you know? An Anitian Security Control Strength Assessment puts your security to the test. This service helps you optimize your security controls to maximize your defenses. And since Anitian has hands-on technology expertise, we can help you configure your NGFW, SIEM, or any controls as well.


We perform intense technical testing of the effectiveness and strength of your security controls and their related policies. The end result is empirical evidence you can trust to make informed, data-driven decisions about the security of your environment. This test can include controls you manage directly, or controls under the administration of a managed security provider.

Your control strength assessment includes:

  • Formal project management with Anitian’s exclusive Vision Client Engagement Portal
  • Development of a testing schedule in collaboration with your team
  • Asset identification
  • Facilitated discussions with data and system custodians and business process owners, capturing key concerns and issues to assist with threat definition
  • Analysis of the design, use, configuration, and implementation of relevant in-scope security controls
  • Performance of a series of network, system, and application layer security tests on in-scope assets to help frame the threat and risk analysis; this testing follows Anitian’s exclusive Ring.Zero testing methodology
  • Assessment of risks using Anitian’s RiskNow® approach
  • Documentation of findings and recommendations in a peer-reviewed report
  • Presentation of results and discussion of recommendations with you and your team
  • Collaboration with your staff on remediation efforts


Third Party Risk Assessment: Overview

Great business is built upon trust. When people and organizations trust each other, they work better, faster, and more securely. Trust is built upon a foundation of shared values, goals, and transparency. Anitian believes the best way to manage third party risk is to manage trust.

Anitian’s exclusive RiskNow® Trust Model is designed to build strong, lasting business relationships that effectively manage risk in a positive, proactive manner. The key to this model is our unique trust framework. When used in conjunction with our other RiskNow® risk assessment techniques, Anitian can provide realistic, accurate, and fair risk intelligence about your critical third party vendors.

THIRD-PARTY RAPID RISK ASSESSMENTS

An independent, fair, and deeply technical risk assessment of your critical third party vendors. Anitian’s unique RiskNow® Trust Model ensures a collaborative, proactive engagement that emphasizes shared goals. These risk assessments can be performed on a one-time basis, or as part of an annual engagement. Your Third Party Rapid Risk Assessment includes:


  • Project Planning: Validate the scope of each third-party engagement. Define the assessment context or “lens” for how assets and each third-party will be analyzed. Establish schedules and rules of engagement. Document these issues in a project plan. Determine appropriate business and IT stakeholders.
  • Request for Information (RFI) Process: develop, disseminate, and review an appropriate set of RFIs for each third-party entity. Responses to these RFI documents will guide the risk assessment process.
  • Asset Validation: Catalog and validate the relevance of the in-scope third-party assets and sampling strategies.
  • Stakeholder Interviews: Conduct a series of facilitated discussions with relevant third-party stakeholders. Capture key concerns and issues to assist with threat definition.
  • Ring.Zero Security Testing: If appropriate, Anitian will conduct a series of network, system, and application layer security tests on in-scope assets. Anitian uses the technical results from these tests to corroborate the threats and vulnerabilities. Anitian will determine the relevant sample of systems to test. Testing services may include:
    • Vulnerability Scanning
    • Network and System Penetration Testing
    • Web Application Security Testing
    • Critical Infrastructure and Systems Configuration Analysis
  • Documentation Review: Anitian will conduct a high-level review of Client’s and third-party’s documented policies, procedures, practices, guidelines, data flows, network diagrams, architectural designs or any other relevant documentation. Specific issues Anitian will consider as part of this Risk Assessment include:
    • Clarity and relevance of content
    • Impact of documentation on identified threats and vulnerabilities
    • Alignment with operational and technical realities in the organization
  • Physical Security Review: If appropriate, Anitian will conduct a review of physical security controls of Client’s and / or third party’s data center and offices.
  • Threat Identification: Using data from interviews and security testing, Anitian will define the potential threats that are applicable to the Client’s relationship with each third-party.
  • Control Maturity Assessment: Anitian will determine what security controls (people, processes, and technologies) are in place and how effective they are at mitigating the identified threats.
  • Risk Assessment: Anitian will establish risk rankings for each threat, based on the vulnerabilities present, the probability of exploitation, the impact on the organization, and the maturity of existing controls, and will determine what residual risk, if any, would remain if control maturity were improved.
  • Recommendations: Anitian will define enhancements or improvements to Client’s and / or third-party’s controls that can mitigate or eliminate risk.
  • Action Plan: Analyze risk exposure and recommendations to develop a step-by-step Action Plan for reducing risk.
  • Reporting: Complete the Business Risk Intelligence Report and supporting Threat Matrix.
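The Risk Assessment step above ranks each threat by probability, impact, and the maturity of the controls that mitigate it, then asks what residual risk would remain if those controls improved. The following is an added illustration of how such a semi-quantitative risk register can be computed; it is example code written for this page, not Anitian’s RiskNow® scoring. The 1..5 probability and impact scales, the maturity-to-reduction table, the default target maturity of 4, and the four sample threats are all assumptions constructed for the demonstration.

```python
"""Illustrative semi-quantitative risk register for ranking threats.

Added example, not Anitian's RiskNow(R) scoring: the 1..5 scales, the
maturity-to-reduction table, and the sample threats are assumptions
constructed for demonstration.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed: fraction of inherent risk removed by controls at each maturity level (0..5).
MATURITY_REDUCTION = {0: 0.0, 1: 0.10, 2: 0.25, 3: 0.45, 4: 0.65, 5: 0.80}


@dataclass(frozen=True)
class Threat:
    name: str
    probability: int       # 1..5: likelihood of exploitation within the assessment time frame
    impact: int            # 1..5: impact on the organization if the threat is realized
    control_maturity: int  # 0..5: maturity of the controls currently mitigating it


def _validate(t: Threat) -> None:
    """Reject out-of-scale scores instead of silently producing a wrong ranking."""
    for field in ("probability", "impact"):
        value = getattr(t, field)
        if not 1 <= value <= 5:
            raise ValueError(f"{t.name}: {field} must be 1..5, got {value}")
    if t.control_maturity not in MATURITY_REDUCTION:
        raise ValueError(f"{t.name}: control_maturity must be 0..5, got {t.control_maturity}")


def inherent_risk(t: Threat) -> int:
    """Risk before any control is credited: probability x impact (1..25)."""
    _validate(t)
    return t.probability * t.impact


def residual_risk(t: Threat, maturity: Optional[int] = None) -> float:
    """Risk remaining once controls at `maturity` (default: the current level) are credited."""
    _validate(t)
    level = t.control_maturity if maturity is None else maturity
    if level not in MATURITY_REDUCTION:
        raise ValueError(f"maturity must be 0..5, got {level}")
    return round(inherent_risk(t) * (1 - MATURITY_REDUCTION[level]), 2)


def rank_threats(register, target_maturity: int = 4):
    """Order threats by current residual risk, highest first, and project the residual
    that would remain if controls were raised to `target_maturity`.

    Ties on residual risk are broken by inherent risk, then by name, so the ranking
    is deterministic and comparable between assessments."""
    rows = [
        {
            "threat": t.name,
            "inherent": inherent_risk(t),
            "residual": residual_risk(t),
            "projected": residual_risk(t, target_maturity),
        }
        for t in register
    ]
    return sorted(rows, key=lambda r: (-r["residual"], -r["inherent"], r["threat"]))


# Constructed sample register: hypothetical threats and scores, not real findings.
SAMPLE_REGISTER = [
    Threat("Ransomware delivered by phishing", probability=4, impact=5, control_maturity=2),
    Threat("Vendor VPN credential theft", probability=3, impact=4, control_maturity=1),
    Threat("Web application SQL injection", probability=3, impact=5, control_maturity=4),
    Threat("Insider bulk export of customer data", probability=2, impact=4, control_maturity=3),
]

if __name__ == "__main__":
    for row in rank_threats(SAMPLE_REGISTER):
        print(f'{row["threat"]:<40} inherent={row["inherent"]:>2} '
              f'residual={row["residual"]:>5} projected@4={row["projected"]:>5}')
```

Run as a script, the sample register shows why inherent and residual rankings differ: SQL injection has a higher inherent score (15) than the insider threat (8), but its mature controls push its current residual (5.25) below the phishing and vendor threats, whose weak controls leave most of their inherent risk in place. The "projected" column is the residual-if-improved figure the step above asks for, which is what turns the ranking into an action plan.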
THIRD PARTY RISK ASSESSMENT SERVICE
Ongoing, multi-vendor risk assessment service. Whether you have one or a thousand vendors, Anitian’s unique RiskNow® approach can provide accurate, fair, and technical risk intelligence. Your Third Party Risk Assessment service includes:
  • Detailed scoping and project management using Anitian’s Vision Client Engagement portal
  • Customized requests for information to third party contacts
  • Independent validation of in-scope assets
  • Collaborative interviews with third party contacts
  • Discussions with your team on the value of each business relationship
  • Detailed investigation into the level of access each third party requires
  • Assessment of the levels of trust applicable for each third party
  • Determination of the proper trust level for each third party
  • On-demand technical testing from Anitian’s Ring.Zero Security Testing Labs. Testing includes:
    • Penetration testing
    • Web application testing
    • Code Review
    • Configuration assessment
    • Log review
  • Independent identification of threats
  • Determination of the probability and impact of threats
  • Assessment of any relevant documents, contracts, guidelines, etc.
  • Review of physical security controls (if appropriate)
  • Assessment of risks using Anitian’s RiskNow® approach
  • Documentation of findings and recommendations in a peer-reviewed report
  • As an alternative to (or in addition to) standard reporting, we can submit our data into your existing risk management tools
  • Collaboration with your staff and third party vendor (if appropriate) on remediation efforts
BREACH INTELLIGENCE ASSESSMENT

Our Breach Intelligence Assessment service is a comprehensive, multidimensional, scientific analysis of your environment for the evidence of compromise or advanced persistent threats (APTs). Our team hunts through your environment for evidence of a breach. When we find one (or more), we provide actionable remediation steps.

We perform a comprehensive assessment of your environment to determine if a breach has happened or is currently in progress.

Your Sherlock Breach Intelligence Assessment includes:

  • Deployment of a commercial behavioral analytics listener in your environment that gathers data for a defined period of time (typically 20-30 days)
  • Performance of a regimen of scientifically controlled tests on your environment, such as:
    • Network and system penetration tests
    • Web application penetration tests
    • Code review of critical applications
    • Configuration analysis of critical infrastructure components
    • Malware, ransomware, and indicators of compromise (IoC) hunts
  • A review of up to 90 days of log data from SIEM, NGFW, endpoint security, and web gateways
  • Facilitated interviews with technical points of contact to understand how your environment is managed
  • Normalization, analysis, and contextualization of your data with the latest threat intelligence
  • A hunt through all of the collected data to find indicators of compromise, evidence of malware, or areas of extreme risk
  • Production of a comprehensive report that pinpoints breaches already in progress and the conditions that make a breach likely
  • Collaboration with your team to fix any issues and correct vulnerabilities
HIPAA RISK ASSESSMENT

Healthcare is under attack. Every day a new threat emerges targeting health providers or data. Keep pace with this volatile landscape with Anitian’s exclusive HIPAA Rapid Risk Assessment. This service provides actionable threat intelligence in a fraction of the time of traditional risk assessment methodologies.

Anitian’s HIPAA Rapid Risk Assessment can fulfill the security risk analysis required by the HIPAA Security Rule and for Meaningful Use attestation, and is aligned with NIST SP 800-66, the NIST guide to implementing the HIPAA Security Rule.

This assessment covers your security controls, disaster recovery, business continuity, and application environments.

  • Formal project management with Anitian’s exclusive Vision Client Engagement Portal
  • Establishment of scope and context for risk 
  • Establishment of exact locations and usage of PHI
  • Interactive and collaborative discussions with technical custodians and business process owners
  • Technical testing of in-scope assets using Anitian’s Ring.Zero security testing labs
  • Unification of interview and technical data into a common framework
  • Establishment of a probability and impact scale and time frame
  • Assessment of risks using Anitian’s RiskNow® approach
  • Documentation of findings and recommendations in a peer-reviewed report
  • Presentation of results and discussion of recommendations with you and your team
  • Collaboration with your staff on remediation efforts
DEVOPS RISK ASSESSMENT

A risk assessment focused on your software development practices and operations. This assessment is ideal for organizations acquiring a new DevOps team or practice. We conduct this assessment using our proprietary RiskNow® approach, with an emphasis on assessing your DevOps practices and controls in the context of your environment as a whole.

  • Formal project management with Anitian’s exclusive Vision Client Engagement Portal
  • Establishment of scope and context for risk
  • Interactive and collaborative discussions with developers and business process owners
  • Technical testing of applications, which can include code review
  • Assessment of DevOps practices and controls
  • Unification of interview and technical data into a common framework
  • Documentation of threats and their risk rankings
  • Assessment of risks using Anitian’s RiskNow® approach
  • Documentation of findings and recommendations in a peer-reviewed report
  • Presentation of results and discussion of recommendations with you and your team
  • Collaboration with your staff on remediation efforts

APPLICATION RISK ASSESSMENT

A risk assessment focused on a specific application or function. This service is ideal for organizations deploying a new application or considering acquiring an application from an external source.

  • Formal project management with Anitian’s exclusive Vision Client Engagement Portal
  • Establishment of scope and context for risk
  • Interactive and collaborative discussions with developers and business process owners
  • Technical testing of applications, which can include code review
  • Unification of interview and technical data into a common framework
  • Documentation of threats and their risk rankings
  • Assessment of risks using Anitian’s RiskNow® approach
  • Documentation of findings and recommendations in a peer-reviewed report
  • Presentation of results and discussion of recommendations with you and your team
  • Collaboration with your staff on remediation efforts
Overview: FFIEC RISK ASSESSMENT

Risk assessments are an integral part of any financial institution. The FFIEC requires several annual assessments. Anitian’s RiskNow® Rapid Risk Assessment can provide you with not only the data you need for FFIEC compliance, but also actionable threat intelligence to refine and optimize your security program.

FFIEC RAPID RISK ASSESSMENT

This assessment covers your security controls, disaster recovery, business continuity, and application environments. The data from this assessment can be used to complete the FFIEC Inherent Risk Profile. The FFIEC Rapid Risk Assessment includes:

  • Formal project management with Anitian’s exclusive Vision Client Engagement Portal
  • Establishment of scope and context for risk
  • Interactive and collaborative discussions with technical custodians and business process owners
  • Technical testing of in-scope assets
  • Unification of interview and technical data into a common framework
  • Establishment of probability and impact scale and time frame
  • Assessment of risk using Anitian’s RiskNow® approach
  • Documentation of findings and recommendations in a peer-reviewed report
  • Presentation of results and discussion of recommendations with you and your team
  • Collaboration with your staff on remediation efforts
FFIEC INHERENT RISK ASSESSMENT

An objective, practical analysis of your cybersecurity risks to complete the FFIEC Inherent Risk Profile. The FFIEC Inherent Risk Assessment includes:

  • Formal project management with Anitian’s exclusive Vision Client Engagement Portal
  • Establishment of scope and context for risk assessment
  • Interactive and collaborative discussions with technical custodians and business process owners
  • Review of configuration of security controls
  • Unification of interview and technical data into a common framework
  • Determination of relevant threats, probability, and impact scores
  • Assessment of risk using Anitian’s RiskNow® approach
  • Documentation of findings and recommendations in a peer-reviewed report
  • Completion of the FFIEC Inherent Risk Profile using the FFIEC Cybersecurity Assessment Tool (CAT)
  • Presentation of results and discussion of recommendations with you and your team

Learning Resources

  • Presentation: Security as Code
  • Paper: Communicating Risk to Leadership
  • eBook: The Case for Security in the Cloud