Our practice provides IT compliance readiness services that align business systems and operations with information security standards such as ISO 27001, SOC 2, PCI DSS, SOX and others. Standards compliance readiness helps businesses develop and implement effective IT policies, procedures and business process controls for quality business conduct and a secure information processing environment.
Our compliance readiness service begins with a business-wide asset enumeration, in which each asset is evaluated in terms of confidentiality, integrity and availability, followed by a threat and impact analysis. Risk is then assessed from the vulnerabilities and business impact associated with each company asset and presented quantitatively, so that management can acknowledge and control it.
The risk assessment of any business consists of the following steps:
Asset Evaluation - Each physical and digital asset of the company is assigned a value for its confidentiality, integrity and availability. Each of these three security properties is rated on a scale of 1-3, where 1 is Low, 2 is Medium and 3 is High. Summing the three ratings gives each asset a value of 3-9 reflecting its importance to the business.
Vulnerability Assessment - A vulnerability rating is defined for each asset using various network and vulnerability scanners, which allow us to identify vulnerabilities in the network protocols, systems and applications in use. The assessment is carried out from both external and internal perspectives to cover the various attack scenarios.
Impact & Probability - After simulating scenarios for the various threats against each asset, an impact rating is assigned that reflects the severity of the effects on the business. The probability rating can be based on the statistical business history as well as future market trends and predictions.
Risk - Using a quantitative, risk-based approach we can now calculate the risk value for each business asset. This is done by defining risk as:
Once the risks have been calculated, the company has to define an acceptable risk value and identify where controls or mitigation procedures are needed to reduce the risk to acceptable levels across the board. This risk assessment is a long, in-depth analysis that takes around 2 months for an average-sized organization. The deliverables include a complete asset register, a vulnerability assessment report and a business-wide risk assessment matrix.
After completing the risk assessment, it is important to implement quality policies and procedures for a controlled business environment. The policies and procedures constitute the design of the security controls in an organization and are far more important than they seem at first glance. The simplest way to create quality policies and procedures is to take an ISO 27001 information security policy template and perform a gap analysis to determine which controls are currently operational in the business and which still have to be designed and implemented.
The policy has to cover the 11 areas defined in the ISO 27001 standard and address the supporting business controls and procedures for secure business processing:
Security Policy
Organization of Information Security
Asset Management
Human Resources Security
Physical and Environmental Security
Communications and Operations Management
Access Control
Information Systems Acquisition, Development and Maintenance
Information Security Incident Management
Business Continuity Management
Compliance
Following the gap analysis, formal information security policies and procedures should be documented and accepted by the organization. Security awareness training is usually carried out to inform all employees of the new rules and organizational changes.
Compliance with the policies has to be monitored at all times, and the controls should be regularly amended to cover any newly identified risks.
It is important to realize that security is a process, not a product, so the Plan - Do - Check - Act (PDCA) model must always be incorporated into the business environment through regular security auditing, vulnerability assessments, updating and patching of IT systems, and updating of the supporting policies and procedures.
Many successful projects across Europe, North America, the UK, Africa and Australia provide a proven professional track record and guarantee the high quality of our services. Some of our past projects are described below as client cases from our portfolio.
NetSafety was founded in 2009 in Sofia, Bulgaria, and has since developed into an international consulting practice with a global client portfolio. Our firm's reputation is built on integrity, professional business conduct and a high quality of service in everything we do.
Simply call us to schedule a meeting and discuss your business needs.
NetSafety Ltd.
Risk Management Consulting
E-mail:
team@netsafety.eu
Contact:
(+359) 88 9387598
Office location:
Sofia, Bulgaria
© NetSafety Ltd. All Rights Reserved.