Risk Assessment Services mapped to Industry Standards
ITG Consulting Services uses an established and comprehensive approach to supporting its customers’ information security initiatives by conducting risk assessments. Furthermore, our risk assessment procedures & methodology are directly mapped to industry standards and best practices for risk management, including ISO 31000, the NIST Risk Management Framework, PMBOK and FMEA.
The ITG Consulting Services group consists of skilled risk assessment professionals with experience in implementing, as well as in the day-to-day management of, information security and management system environments. The team’s expertise allows ITG to strategically train for and lead NIST Risk Assessment, ISO 27001 Risk Assessment, and subsequent ISO Risk Assessment requirements for our clients. Our clientele includes Fortune 500 corporations, as well as both small and large government contractors.
Risk Assessment Procedures & Methodology
Our methodology and approach are to identify the scope and assessment boundaries and to categorize potential hazards, risks, opportunities, and vulnerabilities. We determine what could impact the confidentiality, integrity, or availability of information related to the following key security concerns:
- Strategic mission,
- Business operations,
- Technical architecture and capabilities,
- Supplier interface, and
- Physical and environmental infrastructure.
Risk Assessment Procedures
Firstly, ITG works with each of our customers to conduct an initial assessment – whether it is defined as a NIST Risk Assessment or an ISO 27001 Risk Assessment initiative – of the business impact and likelihood of security failures in order to define risk level(s). Our team’s assessment approach focuses on:
- The probability of exploitation and compromise,
- Impact to the organization and its assets, and
- Ability to detect potential threats and/or risks.
These key areas determine an organization’s ability to respond to a security event, which plays a significant role in reducing the impact.
Secondly, based on our NIST Risk Assessment and/or ISO 27001 Risk Assessment approach and analysis practice, the Consulting Services group works directly with each customer to assign risk priority, identify and evaluate treatment options, and apply appropriate controls to eliminate or mitigate the risk. We work with our customers to:
- Assign risk ownership and priority,
- Develop treatment and mitigation actions (steps to prevent the risk or circumstance from occurring), and/or
- Develop contingency plans for risks that meet certain thresholds (actions to minimize the effect of the risk or circumstance if it does occur).
Thirdly, after completion of the risk assessment and prioritization initiative, the Consulting Services team continues to support stakeholders and their ongoing involvement. Our approach focuses on:
- Response implementation
Finally, the Consulting Services group continues to work with our customers in the management of identified risks through monitoring, communication, and documentation. Mitigation plans and treatment plans are implemented, as appropriate, to control and manage risks effectively. ITG customizes the recommended response plans based on risk priority, industry type, information classification, and the level of risk tolerance of each customer. Additionally, we assess compliance requirements and the degree to which risk treatment reduces the risk, taking into consideration the financial and resource commitments necessary to minimize the risk level.