Technical Security Assessments
Argo’s Technical Security Assessment methodology encompasses the following elements:
- Most Pressing Risk Areas. We will first conduct interviews and collect and examine documents and other data to identify the client’s “Most Pressing Risk Areas”:
  - Understand your risk environment and security context: Processes and Technology.
  - Identify the client’s strengths and challenges in cyber security risk management, given the threat environment surrounding its IP-related environment.
  - Inventory the client’s network security controls and assess the depth and scale of their implementation against ISO 27001 and ISO 27002. The ISO 27002 control objective topics are listed in the inset box.
  - Synthesize the collected data to identify the client’s “Most Pressing Risk Areas,” defined as the most significant combinations of threats, vulnerabilities, and potential impacts. This step provides the analytical framework that is central to our approach.
- Threat Value Chain. The second element of our process is to map the “Most Pressing Risk Areas” to the threat value chain and identify the essential security controls to address the associated risks. In this way we will identify the needed security controls from an independent “bottom up, first principles” perspective that is focused on the client’s particular business environment.
- Risk Reduction Potential. The third element of our methodology is to map all the ISO 27002 controls to the “Most Pressing Risk Areas” and engage multiple Argo experts independently using a Modified Delphi Method to identify those controls that have the most risk reduction potential across the aggregated risk areas. This ties the controls framework directly to the client’s risk management needs.
- Integration. Elements 2 and 3 each produce a set of recommended controls through independent analyses. In the fourth element we identify the intersection of these two sets, which yields the ISO 27001 and ISO 27002 controls that should be given the highest priority because both independent perspectives recommend them.
- NIST Cybersecurity Framework Profiles. We will develop the client’s “Current Profile,” as defined by the NIST Cybersecurity Framework (CSF), based on the results of the ISO 27002 controls assessment. The Current Profile portrays the assessment results within the five CSF Functions: Identify, Protect, Detect, Respond, and Recover. The table below shows how these two frameworks align.
The Argo approach has two benefits: (1) the assessment is standards-based; and (2) results are expressed in a NIST-defined framework that is increasingly accepted across industries, which makes them easier to understand and compare across sectors.
Using the methodology described above, Argo develops its client’s “Current Profile,” a measure of how well the client is meeting the Framework’s Category and Subcategory outcomes. Comparing the Current Profile against the ISO 27001 and ISO 27002 control categories provides the basis for Argo’s gap analysis, which in turn serves as the reference point for defining the client’s Target Profile as a strategic program goal. This approach advances the adoption of standards-based assessments, which not only raises the bar for the security of individual enterprises but can also lead to better risk management and improved insurability.
© Copyright Argo P@cific