Information Security Risk Assessment

The knowledge gained through Pratum’s Information Security Risk Assessment service helps guide organizations in making rational decisions to improve security posture and align risk with acceptable tolerance levels.


Why Pratum's Information Security Risk Assessment Service?

We Bring a Business Mindset

We get to know your specific business model and risk appetite before we deliver a single assessment or make any recommendations.

We Ask The Right Questions

As an objective third party, we'll dive deep to cut through internal politics and produce insights for improving your information security policies.

We Provide Clear Next Steps

We identify what you should tackle first as you build a foundation for a best-in-class security program.


Pratum is our expert helping us with what we don’t know we don’t know. It’s not what is required now, but what is going to be required in the future that Pratum helps us understand.

Evan Doss Chief Operating Officer - Summit Imaging

Security Risk Management For Your Specific Business Environment

Risk management is the ongoing process of identifying, assessing and responding to risk. A risk assessment provides the first step in the security cycle of risk management. You'll gain insight into the effectiveness of your security program and get a baseline for subsequent policy and control decisions. With a clear picture of your specific risks, you'll eliminate guesswork and needless spending. At every step, we use a process built to help IT departments identify and evaluate risk while aligning with business objectives. A Pratum risk assessment will:

  • Identify asset vulnerabilities
  • Gather threat and vulnerability information
  • Identify internal and external threats
  • Identify potential business impacts and likelihoods
  • Determine risk
  • Identify and prioritize risk responses

Beyond baselining an organization’s security posture, an information security risk assessment is also the first requirement set out in federal regulations such as the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA). The Payment Card Industry Data Security Standard (PCI DSS) likewise requires merchants of all sizes to perform due diligence in assessing the risk in their technology operations.

The Risk Assessment Process

Step 1: Prepare for the Information Security Risk Assessment

We start by understanding what information you want the assessment to produce and what decisions you plan to guide with the results.

Step 2: Conduct the Information Security Risk Assessment

While conducting the assessment, we produce a list of information security risks prioritized by risk level so you can make informed response decisions. We'll analyze threats, vulnerabilities, impacts and likelihood. Pratum's assessment process includes the following key steps outlined by NIST:

Identify Threat Sources

Identify and characterize threat sources of concern, including capability, intent and targeting characteristics for adversarial threats and range of effects for non-adversarial threats.

Identify Threat Events

Identify potential threat events, relevance of events and threat sources that could initiate the events.

Identify Vulnerabilities and Predisposing Conditions

Identify vulnerabilities and predisposing conditions that affect the likelihood that the threat events of concern result in adverse impacts.

Determine Likelihood

Determine the likelihood that threat events of concern result in adverse impacts, considering: (i) the characteristics of the threat sources that could initiate the events; (ii) the vulnerabilities/predisposing conditions identified; and (iii) the organizational susceptibility reflecting the safeguards/countermeasures planned or implemented to impede such events.

Determine Impact

Determine the adverse impacts from threat events of concern considering: (i) the characteristics of the threat sources that could initiate the events; (ii) the vulnerabilities/predisposing conditions identified; and (iii) the susceptibility reflecting the safeguards/countermeasures planned or implemented to impede such events.

Determine Risk

Determine the risk to the organization from threat events of concern considering: (i) the impact that would result from the events; and (ii) the likelihood of the events occurring.

Step 3: Communicate and Share Security Risk Assessment Information

We communicate the assessment results via a risk register that identifies, describes and ranks the risk level of each risk. With this detailed summary, we ensure that leaders across the organization have the appropriate information to guide decisions.
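As an added illustration (not Pratum's tooling and not NIST's published tables), the following Python sketch models Step 2 and Step 3 together: each threat event carries the source, the vulnerability or predisposing condition, the two likelihood judgments and the impact, and the register ranks the resulting risk levels. The five-level scale, the combination rules and the sample events are constructed assumptions for this example.

```python
from dataclasses import dataclass

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]  # qualitative scale, low to high (assumed)

def _ordinal(level: str) -> int:
    # Map a scale label to 1..5; anything outside the agreed scale is rejected.
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}; expected one of {LEVELS}")
    return LEVELS.index(level) + 1

@dataclass
class ThreatEvent:
    source: str          # threat source (adversarial or non-adversarial)
    event: str           # threat event of concern
    condition: str       # vulnerability or predisposing condition
    initiation: str      # likelihood the source initiates the event
    adverse_impact: str  # likelihood the event causes harm given current safeguards
    impact: str          # severity of the adverse impact

def overall_likelihood(initiation: str, adverse_impact: str) -> str:
    """Constructed rule: average both ordinals, rounding down, so a strong safeguard pulls the level down."""
    return LEVELS[(_ordinal(initiation) + _ordinal(adverse_impact)) // 2 - 1]

def risk_level(likelihood: str, impact: str) -> str:
    """Constructed risk matrix: product of ordinals (1..25) bucketed into LEVELS."""
    score = _ordinal(likelihood) * _ordinal(impact)
    for threshold, level in ((20, "Very High"), (12, "High"), (6, "Moderate"), (3, "Low")):
        if score >= threshold:
            return level
    return "Very Low"

def build_risk_register(events: list) -> list:
    """Likelihood -> impact -> risk per event, ranked highest risk first (ties: impact, then likelihood)."""
    register = []
    for e in events:
        likelihood = overall_likelihood(e.initiation, e.adverse_impact)
        register.append({"event": e.event, "condition": e.condition, "likelihood": likelihood,
                         "impact": e.impact, "risk": risk_level(likelihood, e.impact)})
    register.sort(key=lambda r: [LEVELS.index(r[k]) for k in ("risk", "impact", "likelihood")], reverse=True)
    return register

# Constructed sample input, not real assessment data.
SAMPLE_EVENTS = [
    ThreatEvent("External adversary", "Credential phishing against finance staff",
                "No MFA on webmail", "High", "High", "High"),
    ThreatEvent("Hardware failure (non-adversarial)", "Primary storage array fails",
                "Backups not restore-tested in 12 months", "Low", "High", "Very High"),
    ThreatEvent("Insider (curious employee)", "Browsing of HR records",
                "Shared-drive permissions too broad", "Moderate", "Moderate", "Low"),
]
```

Calling build_risk_register(SAMPLE_EVENTS) ranks the untested-backup scenario above the phishing scenario even though both land at High, because its Very High impact breaks the tie.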

Step 4: Maintain the Assessment

Finally, we help you leverage what you've learned by developing specific next steps to remediate high risks and other concerns identified in the assessment.

Risk Assessment Additional Resources

Risk Assessment Likelihood & Impact
Every organization is unique, so the risks they each face are not the same. In order to make a plan of action to protect your business, you need to first understand where the threats against you are.

IT Management Case Study
A company managing clients’ IT infrastructure can’t afford a breach. That’s why this IT solution provider took recommendations from their colleagues and hired Pratum to conduct a risk assessment.

Make the Most of Endpoint Protection Tools
No matter what size of organization you are, an Information Security Risk Assessment is a great way to get a thorough look at your security posture.

Interested in risk assessment services?

Request a complimentary quote today.
