We meet with key decision-makers to define the scope of the assessment. Some elements that need to be defined are:

Organizational Overview:
Gain a comprehensive understanding of the organization’s structure (for example, number of employees, business units and departments, physical locations), operations (for example, core business processes, supply chain and third-party vendors), and key assets (for example, IT infrastructure, critical assets).

Regulatory Considerations:
We determine whether any applicable regulatory requirements, both industry-specific (for example, SEC, HIPAA, PCI-DSS) and geographical (for example, GDPR, CCPA), need to be considered and factored into the assessment.

Data Classification and Sensitivity:
Understanding how data is classified helps determine the full extent and scope. Our starting point is to identify the different types of data the organization handles (for example, PII, PHI, CHD, financial data), then proceed to identify how this data is collected, stored, and transmitted.

MSP/Internal IT Collaboration:
We work closely with your MSP or internal IT department to gather key information and ensure a thorough and accurate understanding of your organization's IT environment. Some areas of inquiry and request include an up-to-date asset inventory, detailed network and data flow diagrams, data classification, access control and user privileges, and backup and disaster recovery strategy, to name a few.

We conduct in-depth interviews with personnel across the organization, representing a wide range of access levels to systems and data, along with diverse responsibilities and leadership roles. These interviews allow us to analyze risk at a granular level where technology and human behavior intersect, which is crucial for identifying real-world risks that could impact your organization. Some of the elements assessed during the interviews include:
‍
Technical/Endpoint:
   • MFA
   • Disk Encryption
   • Patching and Updates
   • Session Management (e.g., Computer Time-Out/Screen Lock, Auto-Logoff)
   • Security Applications and Tools (e.g., AV, MDR, RMM, Password Manager)

User Behavior:
   • Poor security practices
   • Effectiveness of Training and Awareness
   • Awareness and Adherence to Security Policies
   • Susceptibility to social engineering attacks

Work From Home (WFH) and Travel Security:
   • Management of Confidential Information in Home Environment
   • Home Network Security Configs
   • VPN Usage
   • Public Wi-Fi Usage
   • Physical Security of Devices

Simultaneously, we analyze the deliverables provided by your MSP or IT department, thoroughly reviewing systems, configurations, procedures, and documentation. Once we conclude this in-depth portion of the assessment, we evaluate our findings to determine the magnitude and likelihood of occurrence.

During this step, we evaluate (quantify) the cyber risks that have been identified and analyzed to determine their potential impact on your organization. We then prioritize these risks based on metrics that assess their significance.

A quick and dirty way to calculate the total risk exposure of an event is by considering both the severity of potential consequences (impact) and the probability of their occurrence (likelihood).

Simply put: Risk = Impact × Likelihood

Let's look at how we determine and define the two factors at play:

Likelihood: "How likely is it that this attack will occur?"
The probability that a specific threat will exploit a vulnerability within a given timeframe. This evaluation is informed by historical data, threat intelligence, environmental factors, and the effectiveness of your existing controls.

Impact: "How bad will it be if this attack occurs?"
The severity of the consequences should a threat exploit a vulnerability. We consider potential financial loss, reputational damage, operational disruption, and legal implications.

Calculating the likelihood and impact of an attack is a multifaceted process that requires a blend of data analysis, expert judgment, and continuous monitoring. Since many factors can influence the likelihood or impact of a risk, we must gauge the complexity of how we calculate (quantify) on a case-to-case basis, and tailor our approach accordingly. We also take into account the organization’s risk tolerance or appetite (how much risk they're willing to accept).

Once the risks have been evaluated, we prioritize them based on their potential to cause the most significant harm to the organization. Using prioritization as a guide helps in planning that resources—such as time, money, and personnel—are allocated to address the most critical threats first.

We base prioritization on several factors, including:
   • Business impact
   • Likelihood and ease of exploitation
   • Availability of patches or mitigations
   • Regulatory and compliance requirements

By addressing the most pressing risks and focusing on the 'priority of continuity,' we maximize the effectiveness of your information security risk assessment.

Once the assessment is complete, we create a thorough report on the engagement, ensuring that the results of the risk assessment are thoroughly captured. It is structured to allow different audiences, including executives, IT teams, and regulatory bodies, to easily glean pertinent information, enabling informed decision-making and action. For example, our executive report provides a high-level summary of the assessment, offering non-technical stakeholders, such as board members and executives, a clear overview of the findings.

When requested, we can brief relevant parties to clarify findings, enabling responsible teams to secure necessary resources and proceed with implementing mitigation strategies. Clear communication allows responsible parties within the organization to understand their roles concerning the identified risks.

Here are a few examples of the briefings we hold, the teams involved, and the topics discussed:

Executive Management and Board Members
   • THE WHAT: Executive Summary, Key Findings and Priorities, Strategic Recommendations
   • THE WHY: Strategic Decision-Making, Risk Appetite Alignment

IT and Security Teams
   • THE WHAT: Detailed Risk Analysis, Controls Review, Vulnerability Assessment Scan Review
   • THE WHY: Action and Implementation, Technical Guidance, Task Prioritization

Risk Management and Compliance Teams
   • THE WHAT: Risk Register and Business Impact Analysis (BIA), Compliance Gaps and Recommendations
   • THE WHY: Compliance Assurance, Regulatory Audit Preparation and Readiness

It is important to remember that an information security risk assessment captures only a snapshot in time. Since the vulnerability and threat landscape changes constantly, organizations should conduct assessments regularly and frequently, ideally alongside companion engagements such as vulnerability assessments. This approach helps organizations confirm that they have addressed vulnerabilities identified in previous assessments and enables them to detect new ones as they emerge.

You may notice a shift in verbiage with this step. That is because we must maintain impartiality as an external, unbiased assessor. We can only provide guidance, not perform remediation, to maintain objectivity, avoid conflicts of interest, and uphold regulatory standards.

For that reason, this section is listed as a "half-step" because, although it is an integral component of the risk assessment process, some groups absorb this responsibility themselves and forego the assessor’s counsel and direction.

That said, in the event an organization seeks XIVX to manage this piece of the assessment, these are a few of our offerings:
‍
Risk Treatment Guidance: Before mitigation and monitoring occurs, we can assist in deciding which risks require the appropriate response, or risk treatment.

To do this, we align the risk with an approach:

Accept:
When a risk aligns with the organization’s risk tolerance or the cost of mitigation outweighs the potential impact, the organization may choose to accept it.
NOTE: If a client chooses this option, we will assist in creating a Risk Acceptance Form signed by senior management that specifies the reason for acceptance, the potential impact, and the risk tolerance level.

Mitigate:
Taking action to reduce the likelihood or impact of a risk to a more manageable level so it aligns better with the organization’s risk tolerance.

Transfer:
In some cases, an organization may decide to shift the responsibility of the risk to a third party that would absorb specific functions, or the cost of potential losses via cyber insurance. Transferring doesn’t eliminate the risk but shifts the burden.
NOTE: If a client chooses to transfer risk, we can assist in completing the cyber liability insurance forms and conducting vendor due diligence on potential solution providers.

Avoid:
Eliminating the risk by choosing not to engage in certain activities, processes, or partnerships. Avoidance is often considered when the risk is too high or doesn't align with the organization’s risk appetite.

Mitigation Implementation Guidance: We formulate (or assist in formulating) a strategic plan the remediation team (internal IT/MSP) will take to mitigate the identified risks. This could involve explaining potential solutions, suggesting relevant tools, or helping the client understand industry standards.

Monitoring Implementation Progress: We track the remediation team's progress in executing the mitigation plan and conduct follow-up assessments of the implemented controls to ensure they effectively mitigate the risks. This involves regular check-ins to review implementation efforts and determine the potential need for recalibration of plan or solution guidance. Through this process documentation, or evidence, is generated verifying that remediation actions have been performed and successfully implemented.

Service Provider Coordination: We can coordinate with third-party teams responsible for executing remediation activities by communicating requirements, ensuring the recommendations are clear, and supporting the remediation teams with additional context or clarification.