IT Risk Assessment

A comprehensive and thorough IT risk assessment is the key starting point and driver of the information security program and process.  Through this process the company is able to validate the effectiveness of current practices and identify areas that need attention.  It allows management to decide which risks are acceptable and which need further mitigation.  It also provides a framework for ongoing monitoring of risk controls and ensures that, as new processes, technologies, and solutions are implemented, IT risk management becomes part of the integration process.

IT risk management should be an ongoing business process and the risk assessment process is the foundation of a strong IT security and risk management program.  There are two strategic approaches that Network Vigilance utilizes to provide assessments.

  • Comprehensive Assessments - A comprehensive (Top-Down) security assessment approach provides a complete picture of IT risk for the organization with a high level of confidence due to the assessment's breadth and scope. It typically covers most or all areas within the organization that contribute to risk posture. Additionally, "Top-Down" assessments focus on the extent to which policies and procedures promote a secure computing environment by examining the procedural framework that corporate security rests upon, and also the depth to which these policies and procedures are understood and implemented within the organization.
  • Risk Based Assessments - A Risk Based (Bottom-Up) security assessment focuses only on select areas that are known or suspected to be weak. The primary difference in this approach is that it tends to be narrower in scope, less expensive, and can be accomplished faster. The primary drawback is that it represents a more limited view of the organization and may not reflect what the entire security posture actually is.  "Bottom-Up" assessments focus on the effectiveness of specific implementations of systems, technologies, processes, and/or security countermeasures.

Primary Objectives

There are several primary objectives of an IT risk assessment that Network Vigilance addresses as part of the consulting engagement.  They are outlined as follows:

  • Review of current security measures to protect the integrity, confidentiality, and availability of customer and other high value information.
  • Assess whether adequate protections or countermeasures exist to guard against anticipated threats or hazards to the security or integrity of company information.
  • Assess the level of risk to the organization with regard to any unauthorized access or use of such information that could result in substantial harm or inconvenience to any customer.
  • Recommend solutions, controls, or countermeasures which the organization can use to protect its assets from IT system related threats.


There are typically 6 phases to a project, which include the following:

  1. Scope Definition and Development
  2. Data Collection (Site Survey, Test Plan Development, Toolkit Determination)
  3. Interviews, Investigation, & Testing
  4. Information Review, Analysis, & Risk Formulation
  5. Draft Report (submitted to client for feedback before final presentation)
  6. Final Report & Presentation to Client


Our deliverable format includes the following components:

  • Risk Value or Rating (High, Medium, Low or numeric risk value)
  • Observations made or conclusions drawn from data
  • Recommendations with references to Best Practices where applicable
  • Mention of Safeguards or Mitigating Controls and their effectiveness as observed
  • Graphs & Charts as needed, & within the executive summary
  • Copies of the interviews with staff members
  • Final Presentation to Executive/Senior Management with Q&A Session


© 2013 Security On-Demand, Inc. All rights reserved