SecureState uses its iRisk Equation to provide clients with a quantified representation of their true security risk. Security risk is calculated by identifying the vulnerabilities in some system, application, or other organization asset; the threats which could exploit these vulnerabilities; and controls that are in place and verified to reduce the risk of vulnerabilities being exploited by threats.
Vulnerabilities will be determined based on data from previous assessments, including PCI ASV scans, internal vulnerability scans, internal & external penetration tests, physical security assessments and web application security assessments. SecureState will review the available data to identify vulnerabilities and fully score them using the CVSSv2 rating system. SecureState can perform additional assessments to gather this data as part of an additional statement of work.
Threats are identified during threat whiteboard sessions with representatives across the client’s organization. These threats can include virus or worm outbreaks, external compromises (hacker), internal compromises (malicious employee), lost or stolen equipment, power outages, and natural disasters, such as flooding or earthquakes.
Finally, the client’s existing controls will be identified and evaluated to provide a true picture of their residual risk, including gaps where new controls may need to be implemented or existing controls may need to be strengthened. SecureState’s INFOSEC Control assessment rates an organization on control maturity using Carnegie Mellon’s CMMI model across fifteen security domains. Based on the analysis of vulnerabilities, threats, and controls, SecureState will produce a list of residual risks categorized by severity. Our compliance and defensive experts can then work with the client to build a remediation roadmap that includes not only tactical fixes, but also strategic direction to improve the overall security program.