The 6 step business threat assessment methodology
We start by learning how your business works.
We work with C-level executives and management boards to understand their objectives, constraints and timelines before we look for exploits and hacks.
Using a fixed price, fixed delivery model, our consulting engagements are usually completed within 1 to 3 months for a medical device security and compliance project, and within 6 to 12 months if the software needs to be refactored with appropriate security countermeasures.
We team with client management to focus on reducing system risk with practical methods and technology on the best possible schedule. Our capability to properly evaluate risk comes from our 6 step systems approach and rich experience in developing entire systems: front-end GUI, back-end processing, data modeling, systems integration, server engineering, information security, billing, network management, IT applications integration and secure transactions using rich Web 2.0 applications.
Step 1 Set scope – At the first meeting with the project sponsor, we set the scope: business unit, operational functions, product(s), schedule, participants and desired result, for example HIPAA compliance.
Step 2 Identify business assets – We decompose the business unit into operational data and business processes and functions at risk.
Step 3 Identify software components – We map business application functions to assets and decompose to software at risk.
Step 4 Classify vulnerabilities – We estimate probability of occurrence and assess severity, for example: Is the vulnerability exploitable remotely? How hard (or how long) will it be to mitigate the vulnerability? What is the potential for collateral damage or for developing into a cascade attack?
Step 5 Build the threat model – We build a threat model using PTA (Practical Threat Analysis). We value assets, identify threats that exploit vulnerabilities and estimate levels of damage to assets.
Step 6 Build the risk mitigation plan – We calculate Value at Risk using the quantitative threat model, specify security countermeasures and build a cost-effective, prioritized risk mitigation plan. We work with the sponsor to get management buy-in for the plan.
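As an added worked example (not from this page and not PTA's own code), the following Python sketches the quantitative model behind Steps 4 to 6: assets with values, vulnerabilities with exploitation probabilities, threats that link a vulnerability to the asset it damages, and countermeasures ranked by risk reduction per unit cost within a budget. All figures are constructed sample values; the risk formula (probability × damage fraction × asset value) and the greedy prioritization are assumptions of this example, not PTA's actual algorithm.

```python
"""Simplified quantitative threat model: Value at Risk and a prioritized mitigation plan.
Assumption of this example: expected annual loss per threat =
P(vulnerability exploited) x damage fraction x asset value."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # liability / replacement value in currency units (constructed)


@dataclass(frozen=True)
class Vulnerability:
    name: str
    probability: float  # estimated annual probability of exploitation, 0..1
    remotely_exploitable: bool  # one of the Step 4 classification questions


@dataclass(frozen=True)
class Threat:
    name: str
    vulnerability: str  # name of the vulnerability it exploits
    asset: str  # name of the asset it damages
    damage_fraction: float  # share of asset value lost if the threat materializes


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: float
    mitigation: Dict[str, float]  # vulnerability name -> fraction of its probability removed


@dataclass
class ThreatModel:
    assets: Dict[str, Asset]
    vulnerabilities: Dict[str, Vulnerability]
    threats: List[Threat]
    countermeasures: List[Countermeasure]


def initial_probabilities(model: ThreatModel) -> Dict[str, float]:
    return {v.name: v.probability for v in model.vulnerabilities.values()}


def threat_risk(model: ThreatModel, threat: Threat, residual: Dict[str, float]) -> float:
    """Expected annual loss from one threat under the given residual probabilities."""
    return residual[threat.vulnerability] * threat.damage_fraction * model.assets[threat.asset].value


def value_at_risk(model: ThreatModel, residual: Optional[Dict[str, float]] = None) -> float:
    """Step 6: total expected annual loss across all threats."""
    residual = initial_probabilities(model) if residual is None else residual
    return sum(threat_risk(model, t, residual) for t in model.threats)


def apply_countermeasure(cm: Countermeasure, residual: Dict[str, float]) -> Dict[str, float]:
    """Scale down the probability of each vulnerability the countermeasure addresses."""
    out = dict(residual)
    for vuln, factor in cm.mitigation.items():
        if vuln in out:
            out[vuln] *= 1.0 - factor
    return out


def build_mitigation_plan(model: ThreatModel, budget: float) -> Tuple[List[Tuple[str, float, float]], float]:
    """Greedy plan: repeatedly choose the affordable countermeasure with the best
    risk reduction per unit cost, recomputing residual risk after each choice so
    overlapping countermeasures are not double-counted. Returns (plan, residual VaR)."""
    residual = initial_probabilities(model)
    remaining = list(model.countermeasures)
    plan: List[Tuple[str, float, float]] = []
    spent = 0.0
    while True:
        best = None
        for cm in remaining:
            if spent + cm.cost > budget:
                continue
            reduction = value_at_risk(model, residual) - value_at_risk(model, apply_countermeasure(cm, residual))
            if reduction <= 0:
                continue
            ratio = reduction / cm.cost if cm.cost > 0 else float("inf")
            if best is None or ratio > best[0]:
                best = (ratio, cm, reduction)
        if best is None:
            break
        _, cm, reduction = best
        residual = apply_countermeasure(cm, residual)
        spent += cm.cost
        remaining.remove(cm)
        plan.append((cm.name, cm.cost, reduction))
    return plan, value_at_risk(model, residual)


def sample_model() -> ThreatModel:
    """Constructed medical-device scenario; every number here is illustrative."""
    assets = {a.name: a for a in [Asset("Patient records database", 2_000_000), Asset("Device firmware integrity", 500_000)]}
    vulns = {v.name: v for v in [
        Vulnerability("Unauthenticated device API", 0.3, True),
        Vulnerability("Default admin password", 0.4, True),
        Vulnerability("Unencrypted local storage", 0.1, False),
    ]}
    threats = [
        Threat("Bulk record theft via API", "Unauthenticated device API", "Patient records database", 0.5),
        Threat("Firmware tampering via admin login", "Default admin password", "Device firmware integrity", 0.6),
        Threat("Record theft from stolen device", "Unencrypted local storage", "Patient records database", 0.1),
    ]
    countermeasures = [
        Countermeasure("Add authentication to device API", 40_000, {"Unauthenticated device API": 0.9}),
        Countermeasure("Force admin password change on first boot", 5_000, {"Default admin password": 0.95}),
        Countermeasure("Encrypt local storage", 30_000, {"Unencrypted local storage": 0.8}),
    ]
    return ThreatModel(assets, vulns, threats, countermeasures)


if __name__ == "__main__":
    m = sample_model()
    print(f"Value at Risk before mitigation: {value_at_risk(m):,.0f}")
    plan, residual = build_mitigation_plan(m, budget=50_000)
    for name, cost, reduction in plan:
        print(f"  {name}: cost {cost:,.0f}, reduces VaR by {reduction:,.0f}")
    print(f"Residual Value at Risk: {residual:,.0f}")
```

With the constructed figures, the unmitigated Value at Risk is 440,000; the plan picks the cheap password fix first (best reduction per unit cost), then the API authentication work, and leaves storage encryption unfunded within the 50,000 budget, for a residual of 56,000. The greedy ratio ordering is a deliberate simplification: a real plan would also weigh the Step 4 answers (remote exploitability, time to mitigate, cascade potential) that the pure expected-loss figure does not capture.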