A McAfee Foundstone Risk Assessment provides an independent audit of existing risk, introduces strategies to help manage risk, and describes the processes and systems that mitigate risk conditions. Regularly scheduled risk assessments are a fundamental part of complying with federal and state regulations, including GLBA, HIPAA, California Senate Bill (SB) 1386, and PCI DSS. Moreover, a risk assessment is a critical component of an effective security program.
Assessing risk is the foundation for developing risk management strategies within an organization. Foundstone’s methodology identifies assets that support business operations, uncovers vulnerabilities, and pinpoints potential threats to those assets.
A Foundstone Risk Assessment helps your organization:
A Foundstone Risk Assessment identifies assets that are central to business operations, and establishes the value of those assets to the organization. We identify threats that could impact these assets and examine vulnerabilities to determine the likelihood of impact. Foundstone takes a balanced approach to assessing an organization’s risk profile, using interviews, documentation review, and technical analysis to determine risk, rather than relying on self-assessments or questionnaires.
Asset, vulnerability, and threat identification
In this phase, Foundstone interviews business managers and technical staff, and reviews documentation relating to information security and assets, including network topology. A Foundstone Risk Assessment identifies critical operational assets, including data center systems, employee computers, network communications devices and channels, remote work areas such as employees’ home computers, customer data, employee data, and intellectual property. Special emphasis is placed on systems that process, store, manage, and transmit personal data. We examine how the information technology assets are utilized by all types of system users, including administrators, customers, and employees, and then rank each asset based on its value to operations if it were to fail.
Foundstone interviews technical staff to identify potential vulnerabilities, and also employs documentation review and technical analysis (if combined with a vulnerability assessment) to uncover potential weak areas. Vulnerabilities are classified based on severity, which identifies the exposure of an asset. For the purposes of the Risk Assessment, the vulnerability assessment is a high-level review. Vulnerabilities identified through this assessment are candidates for a more detailed, technical assessment conducted by Foundstone.
Using threat modeling, Foundstone builds scenarios that reflect possible events. Each asset is analyzed with its potential cost if impacted, including direct costs from physical destruction or loss, the loss of consumer confidence, failure to meet regulatory requirements, and catastrophic scenarios. The result is a ranking of threats based on prevalence, a measure that indicates if a threat has the capability and motivation to impact an asset.
After Foundstone catalogs assets, vulnerabilities, and threats, it begins the analysis. Risk is present when critical assets, credible threats, and existing vulnerabilities are present. Foundstone focuses on a qualitative risk assessment rather than attempting to assign monetary values to potential losses.
Security road-map planning
Foundstone focuses on strategies that result in the maximum reduction in risk for the minimum security investment. We create a security road map that details Foundstone’s four risk management strategies: mitigation, transfer, avoidance, and acceptance. Strategies are prioritized based on the amount of risk reduction and relative cost. Results are documented in a security road-map action plan that details systemic issues and solutions, based on your organization’s resource constraints and risk goals.
At the conclusion of the engagement, we deliver a comprehensive Risk Assessment technical report, an executive summary, next-step recommendations, and a half-day results workshop and presentation.