Determining IT security risk can be difficult with a constantly changing IT environment, lack of resources, and complex risk analysis methodologies. Even worse, regulatory agencies and compliance requirements state that companies must maintain a risk program and regularly perform risk assessments. For example:
- PCI 12.1.2: Includes an annual process that identifies threats, and vulnerabilities, and results in a formal risk assessment
- NCUA: IT 748 Compliance: Requires a documented Risk Assessment Process IT Policy Checklist and Information Security Program with Risk Assessments
- COBIT PO 9.4: Assesses on a recurrent basis the likelihood and impact of all identified risks, using qualitative and quantitative methods.
- SOX: Requires companies to have a Risk Assessment Framework and Methodology
- ISO 27001 A.14.1.2 - Business continuity and risk assessment: Events that can cause interruptions to business processes shall be identified, along with the probability and impact of such interruptions and their consequences for information security.
Allgress solves these challenges by leveraging existing security data from technical vulnerability scanners, IT audits, and security assessments to generate a NIST-based risk assessment.

Allgress shows trends in your risk. You can adjust the bubble to correspond with metrics that are important to your organization: revenue, number of patients, products sold: the choice is yours.
The Allgress solution provides:
- Efficiency: Most companies already have vulnerability data, IT audits, and security assessments, and Allgress can leverage the work that has been done to generate risk assessments quickly and without additional significant labor resources.
- Reporting & Analysis: Risk assessment reports can be generated and customized based on organizational business units, OS platform, or any other grouping that makes sense to your business. Additionally, compensating controls and other risk mitigating factors can be manually modified when needed.
- Trending: Show the reduction of risk over a period of time, or explain why risk has increased as a result of a reduction in IT security resources.
- What-if Scenarios: Align IT security strategy with business objectives by creating what-if scenarios. Is there a new initiative to enter new markets? Is security prepared to protect those investments and new customers? Are new mergers and acquisitions increasing risk? What resources does security need to manage risk—and where should those resources be deployed?