Service Overview
This Risk Assessment is a comprehensive evaluation of your information security program. The output will provide insights into program strengths and weaknesses and give a clear view of the top cybersecurity risks to the institution. The deliverables will also define a clear prioritization of risk, provide recommendations for risk mitigation for the top 10 risks, and define clear next steps with a plan of action.
A DeepSeas Risk Assessment is a principal step in establishing or revitalizing the risk management function and is a foundational element in many compliance programs. Risk Assessment sets the direction for the Information Security Program and identifies high priority/high-risk items that should be addressed.
Objectives
The objectives of this initiative are as follows:
- Identify and prioritize cybersecurity risks in the environment.
- Support protection of critical assets.
- Support compliance with legal, contractual, and regulatory requirements.
- Quantify top risks so that they are universally understood and easily communicated.
- Develop a prioritized list of top risks and an actionable plan for risk mitigation.
Methodology
This Risk Assessment project consists of the following phases:
- INTERVIEW SCHEDULE
  - The client will identify the departments and stakeholders required to attend interview sessions and the risk workshop by completing the interview schedule provided by DeepSeas.
- GAP ASSESSMENT
  - DeepSeas to conduct interview sessions over the course of two consecutive days (Day 1 & Day 2), per the interview schedule, to identify program strengths and weaknesses by assessing Client's environment against the selected security standard, as defined in the Scope.
- RISK WORKSHOP
  - DeepSeas to conduct a risk workshop on Day 3 with stakeholders & risk owners (department heads, VPs, Directors, C-Suite), as defined in the interview schedule, to evaluate vulnerabilities and quantify risks.
  - Each vulnerability/weakness will be assessed on:
    - Likelihood of a measurable event occurring from vulnerability exploit; and
    - Potential impacts from vulnerability exploit.
  - Vulnerabilities/weaknesses will be prioritized based on risk to the organization.
- FINDINGS PRESENTATION
  - DeepSeas will deliver an executive-level findings presentation, if selected as part of this scope, to present the prioritized top risks and recommendations.
Deliverables
DeepSeas will produce the following deliverables:
- FINDINGS SUMMARY - DeepSeas will deliver an executive-level findings summary documenting the prioritized top risks (as identified during the risk workshop) and recommendations for remediation.
- FINDINGS DETAILS - DeepSeas will deliver a detailed findings document that identifies pertinent details and scoring for control gaps.
- RISK REGISTER - DeepSeas will deliver a risk register that documents and organizes top gaps by priority, as identified in the assessment. The risk register is provided to the client as a basis for risk management and mitigation, which is not part of this project.
- RISK ASSESSMENT POST ENGAGEMENT MEMO (OPTIONAL) - DeepSeas will provide the Client with an executive-level memo, briefly summarizing the engagement, that can be shared with customers.
Service Assumptions
PROJECT-SPECIFIC ASSUMPTIONS
- Gap Assessment requires participation from all client business units (e.g., HR, Finance, Security). Risk Workshop requires participation from key stakeholders and executive management.
- DeepSeas will provide a project memo template (not customized) for use at the discretion of the client detailing high-level objectives of the Risk Assessment.
- The client will include the DeepSeas delivery team on scheduled invites leveraging the client's video conferencing platform.
- DeepSeas requires at least 4 business hours to prepare for the Risk Workshop, post-interview sessions.
- All finding reports will be reflective of the point-in-time assessment, delivered in draft form, and finalized after one finding review meeting with the client.
- Presentation must occur within 30 days post-risk workshop and after delivery of findings summary and presentation by DeepSeas.
Client Responsibilities
The client is responsible for the completion of the following tasks, in accordance with agreed-upon timelines established as part of the project plan.
- Client to assign a point of contact (POC) responsible for client coordination and logistics.
- The client is responsible for scheduling and coordination of internal client resources for all project work.
- Client to return completed interview schedule within two (2) weeks of initialization meeting. Delays in pre-requisite tasks may result in shifts in project dates.