Risk Assessment

Risk Assessments provide an organization with a global view of its information security risks and a framework which can easily be aligned with most Enterprise Risk Programs.

SecureState's Risk Assessments conform to the methodology found within the NIST standard and are designed to provide a qualitative assessment of information security risks across an organization. The results can be used to begin aligning security efforts with those within Enterprise Risk Management (ERM).


Risk management has been generating a lot of buzz across the industry as organizations recognize the cost benefits of a risk-based approach to security. A Risk Assessment is a formal process used by organizations to identify vulnerabilities and threats that could negatively impact the security of confidential or otherwise valuable information. SecureState's experts can identify, analyze, and document the security risks that may affect our clients. The goal of a Risk Assessment is to create a simple, clear document that can be used as a vehicle for continuous improvement, optimized allocation of resources, and meeting increasing compliance requirements. Many regulations and standards require an annual enterprise risk assessment based on an industry-standard methodology, and SecureState's iRisk assessment helps our clients fulfill that obligation.


SecureState consultants have experience with a wide variety of Risk Assessment methodologies, including FAIR, OCTAVE, ISO, and NIST. Our team of experts performs custom vulnerability research and aligns ratings with the CVSS vulnerability rating system. Our consultants have years of experience performing HIPAA, PCI, and many other control assessments. SecureState has assisted numerous clients in performing threat assessments and in pulling together threat, vulnerability, and control data to identify a client's residual risk.

Approach and Methodology

SecureState uses its iRisk Equation to provide clients with a quantified representation of their true security risk. Security risk is calculated by identifying the vulnerabilities in a system, application, or other organizational asset; the threats that could exploit those vulnerabilities; and the controls that are in place and verified to reduce the risk of those vulnerabilities being exploited by those threats.

Vulnerabilities will be determined based on data from previous assessments, including PCI ASV scans, internal vulnerability scans, internal and external penetration tests, physical security assessments, and web application security assessments. SecureState will review the available data to identify vulnerabilities and fully score them using the CVSSv2 rating system. If this data does not yet exist, SecureState can perform the additional assessments needed to gather it under a separate statement of work.

Threats are identified during threat whiteboard sessions with representatives from across the client's organization. These threats can include virus or worm outbreaks, external compromises (hacker), internal compromises (malicious employee), lost or stolen equipment, power outages, and natural disasters such as flooding or earthquakes.

Finally, the client's existing controls will be identified and evaluated to provide a true picture of residual risk, including gaps where new controls may need to be implemented or existing controls strengthened. SecureState's INFOSEC Control assessment rates an organization on control maturity using Carnegie Mellon's CMMI model across fifteen security domains. Based on the analysis of vulnerabilities, threats, and controls, SecureState will produce a list of residual risks categorized by severity. Our compliance and defensive experts can then work with the client to build a remediation roadmap that includes not only tactical fixes but also strategic direction to improve the overall security program.
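To illustrate how the three factors above (a CVSSv2-scored vulnerability, a threat identified in a whiteboard session, and the CMMI maturity of the control that mitigates it) can be combined into a severity-ranked residual-risk register, here is an added example. The weighting model, the maturity-to-mitigation table, and the sample findings are all constructed assumptions for this illustration; they are not SecureState's iRisk Equation, and the severity bands simply reuse NVD's CVSSv2 Low/Medium/High cut-offs.

```python
from dataclasses import dataclass

# Assumed fraction of exposure removed at each CMMI maturity level (1 = initial, 5 = optimizing).
# Constructed for this example; a real program would calibrate these per control domain.
CMMI_MITIGATION = {1: 0.0, 2: 0.2, 3: 0.4, 4: 0.6, 5: 0.8}


@dataclass(frozen=True)
class Finding:
    asset: str
    cvss_base: float          # CVSSv2 base score, 0.0-10.0, from the vulnerability data
    threat: str               # threat named in the whiteboard session
    threat_likelihood: float  # 0.0-1.0, agreed during the whiteboard session
    control_maturity: int     # CMMI level 1-5 of the control covering this finding


def residual_risk(f: Finding) -> float:
    """Hypothetical model: inherent risk = CVSS x likelihood; controls remove a maturity-based share."""
    if not 0.0 <= f.cvss_base <= 10.0:
        raise ValueError(f"CVSSv2 base score out of range: {f.cvss_base}")
    if not 0.0 <= f.threat_likelihood <= 1.0:
        raise ValueError(f"threat likelihood out of range: {f.threat_likelihood}")
    if f.control_maturity not in CMMI_MITIGATION:
        raise ValueError(f"CMMI maturity must be 1-5: {f.control_maturity}")
    inherent = f.cvss_base * f.threat_likelihood
    return round(inherent * (1.0 - CMMI_MITIGATION[f.control_maturity]), 2)


def severity(score: float) -> str:
    """Map a 0-10 residual score onto NVD's CVSSv2 qualitative bands."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def risk_register(findings):
    """Return (asset, threat, residual score, severity) rows, highest residual risk first."""
    scored = sorted(((f, residual_risk(f)) for f in findings), key=lambda r: r[1], reverse=True)
    return [(f.asset, f.threat, s, severity(s)) for f, s in scored]


# Constructed sample findings (not from any real assessment).
SAMPLE_FINDINGS = [
    Finding("payment-db", 9.3, "external compromise (hacker)", 0.9, 1),
    Finding("hr-laptop", 7.2, "lost or stolen equipment", 0.5, 1),
    Finding("dmz-web", 10.0, "worm outbreak", 0.7, 2),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_FINDINGS):
        print(row)
```

Note that the mature-control case (dmz-web) drops from a High inherent score to Medium residual, which is exactly the gap analysis the control evaluation step is meant to surface.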
