Actionable insight into your overall security posture.
The importance of secure IT infrastructure becomes clearer and more urgent with every news item about a major hack of some public and private sector organization. However, for most organizations it is hard to get an understanding of the current level of security (or ‘security posture’).
UL’s Security & Risk Assessments form part of a layered approach to the overall examination of the security posture of an organization. This layered approach is based on the SANS model for security assessments, and also includes our testing and validation services.
In collaboration with you, we determine the exact needs, objectives and the parameters for the assessment. We can be flexible in our scope, performing a security & risk assessment on an entire organization, an office site, or a part of your IT infrastructure, such as certain back-end systems, network servers, business applications etc.
Based on an initially defined scope, UL will improve an understanding of the current security situation, needs and objectives, through interviews and documentation review. UL will identify and enumerate in detail the business assets related to technology, people, and processes.
UL will examine existing security requirements and controls. This will provide further information on the organization’s current security posture. UL will examine this including through a focus on security core domains such as asset management, access control, configuration and change management, etc.
Threat risk modeling allows an organization to identify and mitigate potential security issues early on, when they are relatively easy and cost-effective to resolve. Threat risk modeling used by UL depends on the scope and the organization being assessed. Examples of frameworks used are DREAD, STRIDE, CVSS, OCTAVE and Trike.
UL takes the security needs, objectives and business assets from the previous steps, and linked to those through a model identify relevant threats, and then determine risk levels and relating them to the business assets, systems and processes involved. The result is an overview of threat risks (probability and impact) with levels high, medium, low and none: some of these threat risks may be transferred, avoided or accepted.
In the last step, all output from previous steps is combined to identify the existing security gaps. These may be due to assets or risks being overlooked, a lack of security capabilities to provide for meaningful security controls, operational limitations, or mismanagement such as misconfiguration. We present our risk findings and gap analysis in a technical assessment report.