Service Overview
This Network Security Risk Assessment will provide a comprehensive evaluation of Client's network-related cybersecurity risks and result in a prioritized list of top risk items. This Assessment will be conducted by a team of certified security assessors with technical and business knowledge of secure network design practices, information technology, and business practices.
Objectives
The objectives of this initiative are as follows:
- Identify the weaknesses in Client's network security architecture and deviations from best practices
- Develop a prioritized corrective action plan
- Establish and initiate the Risk Management process
- Elevate awareness and understanding of network security functions and benefits
Methodology
This Risk Assessment is based on the following regulations and standards:
- NIST SP 800-30 Risk Management Guide
- NIST SP 800-53 Security and Privacy Controls for Information Systems
- NIST Cybersecurity Framework
- Center for Internet Security (CIS) Critical Security Controls
- Industry best practices
This Risk Assessment consists of the following phases:
- PLANNING - Preparation necessary to conduct an effective assessment, including:
  - Supporting Documentation - The identification of network assets and diagrams to aid in the assessment process;
  - Scope Definition - Identifying the assets and locations that will be the focus of the assessment;
  - Schedule Development - Scheduling, project plan creation and resource identification.
- ASSESSMENT - Evaluation of cybersecurity controls applied to the assets defined in the Planning phase, including:
  - Interviews - Interviews with Subject Matter Experts, business leaders and other parties with knowledge of Client's cybersecurity controls;
  - Artifact Analysis - Evaluation of configurations, procedures, plans, reports, logs and other artifacts;
  - Risk Analysis - Prioritization of identified risks:
    i. Identify threats and vulnerabilities
    ii. Assess current security measures
    iii. Determine the likelihood of threat occurrence
    iv. Determine the potential impact of threat occurrence
    v. Determine the level of risk
- DOCUMENTATION - Documentation of all deliverables, including summary and detailed assessment findings.
- PRESENTATION - Presentation of findings to Client.
Deliverables
DeepSeas will produce the following deliverables:
- FINDINGS SUMMARY - DeepSeas will deliver an executive-level findings summary documenting the prioritized top risks (as identified during the risk workshop) and recommendations for remediation.
- FINDINGS DETAILS - DeepSeas will deliver a detailed findings document that identifies pertinent details and scoring for control gaps.
- RISK REGISTER - DeepSeas will deliver a risk register component that documents and organizes top gaps by priority, as identified in the assessment. The risk register is provided to the client as a basis for risk management and mitigation, which is not part of this project.
Additionally, DeepSeas will leverage and/or provide the following materials:
- INTERVIEW SCHEDULE TEMPLATE - DeepSeas will provide the Client with a template with an overview of control families and suggested roles to attend the workshop.
Service Assumptions
PROJECT-SPECIFIC ASSUMPTIONS
- Gap Assessment requires participation from all technical business units (e.g., system and network administration). Risk Workshop requires participation from key stakeholders.
- The client will include the DeepSeas delivery team on scheduled invites using the client's video conferencing platform.
- DeepSeas requires at least 4 business hours after the interview sessions to prepare for the Risk Workshop.
- All findings reports will reflect a point-in-time assessment, be delivered in draft form, and be finalized after one findings review meeting with the client.
- The presentation must take place within 30 days after the risk workshop, and only after DeepSeas has delivered the findings summary and presentation.
Client Responsibilities
The client is responsible for the completion of the following tasks, in accordance with agreed-upon timelines established as part of the project plan.
- The client will assign a point of contact (POC) responsible for client coordination and logistics.
- The client is responsible for scheduling and coordination of internal client resources for all project work.
- The client will return the completed interview schedule within two (2) weeks of the initialization meeting.