156N171RAU Base

NIST 800-171 Risk Assessment Update


    Service Overview

    This Risk Assessment Update is a comprehensive evaluation of your information security program. The output provides insight into program strengths and weaknesses and gives a clear view of the top cybersecurity risks to the institution. The deliverables also define a clear prioritization of risk and recommendations for mitigating the top 10 risks.

    A DeepSeas Risk Assessment is a principal step in establishing or revitalizing the risk management function and is a foundational element in many compliance programs. The Risk Assessment sets the direction for the Information Security Program and identifies high-priority, high-risk items that should be addressed.

    Objectives

    The objectives of this initiative are as follows: 

    1. Identify and prioritize cybersecurity risks in the environment. 
    2. Support protection of critical assets. 
    3. Support compliance with legal, contractual, and regulatory requirements. 
    4. Quantify top risks so that they are universally understood and easily communicated. 
    5. Develop a prioritized list of top risks and actionable plan for risk mitigation. 

    Methodology

    This Risk Assessment Update project consists of the following phases: 

    1. INTERVIEW SCHEDULE 
      1. Client will identify the departments and stakeholders required to attend interview sessions and risk workshop by completing the interview schedule provided by DeepSeas. 
    2. GAP ASSESSMENT 
      1. DeepSeas to conduct interview sessions over the course of one day (Day 1), per the interview schedule, to identify program strengths and weaknesses by assessing the Client's environment against the selected security standard, as defined in the Scope. 
    3. RISK WORKSHOP  
      1. DeepSeas to conduct a risk workshop on Day 2 with stakeholders & risk owners (department heads, VPs, Directors, C-Suite), as defined in the interview schedule, to evaluate vulnerabilities and quantify risks. 
      2. Each vulnerability/weakness will be assessed on: 
        1. Likelihood of a measurable event occurring from exploitation of the vulnerability; and 
        2. Potential impact of exploitation of the vulnerability. 
      3. Vulnerability/weaknesses will be prioritized based on risk to the organization. 
    4. FINDINGS PRESENTATION 
      1. DeepSeas will deliver an executive-level findings presentation, if selected as part of this scope, to present the prioritized top risks and recommendations.
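    The risk workshop phase above scores each weakness on likelihood and impact and then ranks the results. The following is an added illustration of that general technique, not DeepSeas' scoring method or any client's data: the 1-5 qualitative scales, the multiplicative score, the high/medium/low bands and the sample findings are all assumptions made for this example.

```python
"""Constructed illustration of a likelihood x impact risk register.

Scales, score bands, and sample findings are assumptions made for this
example. They are not DeepSeas' methodology or any client's real data.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed 1-5 qualitative scales (illustration only).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Finding:
    control: str     # NIST 800-171 control family the gap falls under
    weakness: str    # the observed gap, as captured in the gap assessment
    likelihood: str  # key into LIKELIHOOD, agreed with risk owners in the workshop
    impact: str      # key into IMPACT, agreed with risk owners in the workshop
    owner: str       # accountable risk owner (department head, VP, etc.)

    def __post_init__(self):
        # Reject labels outside the agreed scales so a typo cannot silently
        # drop a finding to the bottom (or top) of the register.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood label: {self.likelihood!r}")
        if self.impact not in IMPACT:
            raise ValueError(f"unknown impact label: {self.impact!r}")

    @property
    def score(self) -> int:
        """Assumed scoring: likelihood x impact, range 1-25."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def rating(score: int) -> str:
    """Assumed banding: 15-25 high, 8-14 medium, 1-7 low."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def build_register(findings, top_n: int = 10):
    """Rank findings by score (descending), break ties by control family
    name so the order is deterministic, and return the top_n register rows."""
    ranked = sorted(findings, key=lambda f: (-f.score, f.control))
    return [
        {
            "rank": i,
            "control": f.control,
            "weakness": f.weakness,
            "likelihood": f.likelihood,
            "impact": f.impact,
            "score": f.score,
            "rating": rating(f.score),
            "owner": f.owner,
        }
        for i, f in enumerate(ranked[:top_n], start=1)
    ]


def risks_by_owner(register):
    """Map each risk owner to the ranks they are accountable for, so the
    register can be handed out per department after the workshop."""
    grouped = defaultdict(list)
    for row in register:
        grouped[row["owner"]].append(row["rank"])
    return dict(grouped)


# Constructed sample findings (hypothetical, for illustration only).
SAMPLE_FINDINGS = [
    Finding("Identification and Authentication",
            "MFA not enforced for remote administrative access",
            "likely", "severe", "IT Director"),
    Finding("Audit and Accountability",
            "Audit logs retained for seven days only",
            "possible", "moderate", "Security Manager"),
    Finding("Configuration Management",
            "No documented baseline configuration for servers",
            "possible", "major", "IT Director"),
    Finding("Media Protection",
            "Unencrypted removable media permitted",
            "unlikely", "major", "Finance VP"),
    Finding("Awareness and Training",
            "No annual security awareness training",
            "likely", "minor", "HR Director"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_FINDINGS):
        print(f"{row['rank']:>2}. [{row['rating']:<6}] {row['score']:>2}  "
              f"{row['control']}: {row['weakness']} (owner: {row['owner']})")
```

    Tie-breaking on the control family name is a deliberate choice: two weaknesses with equal scores should come out in the same order every time the register is regenerated, otherwise the "top 10" cut-off can shift between the draft and the finalized report.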

    Deliverables

    DeepSeas will produce the following deliverables: 

    1. FINDINGS SUMMARY - DeepSeas will deliver an executive-level findings summary documenting the prioritized top risks (as identified during the risk workshop) and recommendations for remediation. 
    2. FINDINGS DETAILS - DeepSeas will deliver a detailed findings document that identifies pertinent details and scoring for control gaps. 
    3. RISK REGISTER - DeepSeas will deliver a risk register that documents and organizes top gaps by priority, as identified in the assessment. The risk register is provided to the client as a basis for risk management and mitigation, which is not part of this project. 
    4. RISK ASSESSMENT POST-ENGAGEMENT MEMO (OPTIONAL) - DeepSeas will provide Client with an executive-level memo briefly summarizing the engagement that can be shared with customers.

    Service Assumptions

    PROJECT-SPECIFIC ASSUMPTIONS 

    1. Gap Assessment requires participation from all client business units (e.g., HR, Finance, Security). Risk Workshop requires participation from key stakeholders and executive management. 
    2. DeepSeas will provide a project memo template (not customized) for use at the discretion of the client detailing high level objectives of the Risk Assessment. 
    3. Client will include DeepSeas delivery team on scheduled invites leveraging client's video conferencing platform. 
    4. DeepSeas requires at least 4 business hours after the interview sessions to prepare for the Risk Workshop. 
    5. All finding reports will be reflective of the point in time assessment, delivered in draft form and finalized after one finding review meeting with the client. 
    6. The presentation must occur within 30 days after the risk workshop, and after DeepSeas has delivered the findings summary and presentation.

    Client Responsibilities

    Client is responsible for completion of the following tasks, in accordance with agreed upon timelines established as part of the project plan. 

    1. Client to assign point of contact (PoC) responsible for client coordination and logistics. 
    2. Client is responsible for scheduling and coordination of internal client resources for all project work. 
    3. Client to return completed interview schedule within two (2) weeks of initialization meeting.