Mar 12 2023

Security Risk Assessment Services

Category: Risk Assessment,Security Risk AssessmentDISC @ 11:16 pm

Security risk assessment services are crucial in the cybersecurity industry as they help organizations identify, analyze, and mitigate potential security risks to their systems, networks, and data. Here are some opportunities for providing security risk assessment services within the industry:

  1. Conducting Vulnerability Assessments: As a security risk assessment service provider, DISC can conduct vulnerability assessments to identify potential vulnerabilities in an organization’s systems, networks, and applications. You can then provide recommendations to mitigate these vulnerabilities and enhance the organization’s overall security posture.
  2. Performing Penetration Testing: Penetration testing involves simulating a real-world attack on an organization’s systems and networks to identify weaknesses and vulnerabilities. As a security risk assessment service provider, DISC can perform penetration testing to identify potential security gaps and provide recommendations to improve security.
  3. Risk Management: DISC can help organizations identify and manage risks associated with their information technology systems, data, and operations. This includes assessing potential threats, analyzing the impact of these threats, and developing plans to mitigate them.
  4. Compliance Assessment: DISC can help organizations comply with regulatory requirements by assessing their compliance with industry standards such as ISO 27001, HIPAA, or NIST-CSF. DISC can then provide recommendations to ensure that the organization remains compliant with these standards.
  5. Cloud Security Assessments: As more organizations move their operations to the cloud, there is a growing need for security risk assessment services to assess the security risks associated with cloud-based systems and applications. As a service provider, DISC can assess cloud security risks and provide recommendations to ensure the security of the organization’s cloud-based operations.
  6. Security Audit Services: DISC can provide security audit services to assess the overall security posture of an organization’s systems, networks, and applications. This includes reviewing security policies, processes, and procedures and providing recommendations to improve security.

By providing these services, DISC can help organizations identify potential security risks and develop plans to mitigate them, thereby enhancing their overall security posture.

In what situations would a vCISO Service be appropriate?

Transition plan from ISO 27001 2013 to ISO 27001 2022

We’d love to hear from you! If you have any questions, comments, or feedback, please don’t hesitate to contact us. Our team is here to help and we’re always looking for ways to improve our services. You can reach us by email (, or through our website’s contact form

Contact DISC InfoSec if you need further assistance in your ISO 27001 2022 transition Plan

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Security Risk Assessment

Feb 26 2023

10 Best selling information security risk management books

Here are some of the best-selling books on information security risk management:

  1. Security Risk Management: Building an Information Security Risk Management Program from the Ground Up” by Evan Wheeler
  2. The Basics of Information Security: Understanding the Fundamentals of InfoSec in Theory and Practice” by Jason Andress and Steven Winterfeld
  3. Security Risk Assessment: Managing Physical and Operational Security” by John M. White
  4. IT Risk: Turning Business Threats into Competitive Advantage” by George Westerman and Richard Hunter
  5. Information Security Risk Management: Understanding ISO 27001” by Alan Calder and Steve Watkins
  6. Risk Management Framework: A Lab-Based Approach to Securing Information Systems” by James Broad and Andrew Green
  7. Cybersecurity and Infrastructure Protection: Background, Policy, and Issues” by Thomas A. Johnson
  8. The Manager’s Guide to Cybersecurity Law: Essentials for Today’s Business” by Tari Schreider
  9. NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems” by National Institute of Standards and Technology
  10. Information Security: Principles and Practices” by Mark Merkow and Jim Breithaupt.

InfoSec Risk Assessment


Tags: Security Risk Assessment, security risk management

Sep 14 2022

Risk Management document templates

Risk Assessment and Risk Treatment Methodology

The purpose of this document is to define the methodology for assessment and treatment of information risks, and to define the acceptable level of risk.

The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.

There are 3 appendices related to this document. The appendices are not included in the price of this document and can be purchased separately

Risk Assessment Table

The purpose of this table is to list all information resources, vulnerabilities and threats, and assess the level of risk. The table includes catalogues of vulnerabilities and threats.

The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.

This document is an appendix. The main document is not included in the price of this document and can be purchased separately

Risk Treatment Table

The purpose of this table is to determine options for the treatment of risks and appropriate controls for unacceptable risks. This table includes a catalogue of options for treatment of risks as well as a catalogue of 114 controls prescribed by ISO 27001.

The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.

This document is an appendix. The main document is not included in the price of this document and can be purchased separately

Risk Assessment and Treatment Report

The purpose of this document is to give a detailed overview of the process and documents used during risk assessment and treatment.

The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.

This document is an appendix. The main document is not included in the price of this document and can be purchased separately

Statement of Applicability

The purpose of this document is to define which controls are appropriate to be implemented in the organization, what are the objectives of these controls, how they are implemented, as well as to approve residual risks and formally approve the implementation of the said controls.

The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.

Risk Treatment Plan

The purpose of this document is to determine precisely who is responsible for the implementation of controls, in which time frame, with what budget, etc.

The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.

Toolkit below contains all the documents above

Tags: Risk Assessment, Security Risk Assessment

Jan 27 2021

ISO Self Assessment Tools

Category: ISO 27k,Security ToolsDISC @ 3:49 pm

ISO Self assessment tools list includes but not limited to Privacy, ISO 27001, ISO 9001 and ISO 14001 & ISO/IEC 27701 2019 Standard and Toolkit

Tags: CPRA, Gap assessment tool, Information Privacy, ISO 14001, iso 27001, ISO 27001 2013 Gap Assessment, ISO 27701 Gap Analysis Tool, iso 9001, iso assessment, Security Risk Assessment

Jun 29 2016

5 Must Read Books to Jumpstart Your Career in Risk Management

Category: Risk Assessment,Security Risk AssessmentDISC @ 11:30 am

FAIR Institute blog by Isaiah McGowan

Read Books to Jumpstart Your Career in Risk Management

What are the must have resources for people new to operational and cyber risk? This list outlines what books I would recommend to new analyst or manager.

They’re not ranked by which book is best. Instead, I list them in the recommended reading order. Let’s take a look at the list.

hubbard_failure_of_risk_management_cover.jpg#1 – The Failure of Risk Management: Why It’s Broken and How to Fix It (Douglas Hubbard)

In The Failure of Risk Management, Hubbard highlights flaws in the common approaches to risk management. His solutions are as simple as they are elegant. (Spoiler alert: the answer is quantitative risk analysis). The Failure of Risk Management shows up as #1 because it sets the tone for the others in the list. First, understand the problems. With the common problems in mind you can identify them on a regular basis. The next book provides approaches to modeling the problem.

fair-book-cover.jpg#2 – Measuring and Managing Information Risk: A FAIR Approach (Jack Jones & Jack Freund)
In Measuring and Managing Information Risk, the authors communicate a high volume of foundational knowledge. The authors outline the FAIR-based approach to measuring and managing risk. They tackle critical concepts often overlooked or taken for granted by risk practitioners.

With that foundation in place, they move on to the FAIR approach to risk analysis. Finally, they lay out foundational concepts for risk management.

This book is not an advanced perspective on analyzing or managing risk. Instead, it provides a systemic solution to our problems.

Books #1 and #2 lay the foundation to understand the common risk management and analysis problems. They also provide approaches for solving those problems. The next two books are critical to improving the execution of these approaches.

Superforecasting_cover.jpg#3 – Superforecasting: The Art and Science of Prediction (Phillip Tetlock & Dan Gardner)

We require Superforecasting. Risk analysis is always about forecasting future loss (frequency and magnitude). As practitioners, it is critical to learn the problems with forecasting. Knowing is half the battle. Superforecasting takes the audience through the battlefield by offering a process for improvement.

If there is one book you could read out of order, it is Superforecasting. Yet, it shows up at #3 because it will hammer home forecasting as a skill once the other books open your eyes.

Tetlock_expert_judgement_cover.jpg#4 – Expert Political Judgment: How Good Is It? How Can We Know? (Phillip Tetlock)

Yes, another book by Tetlock appears in our list. Published first, tackled second. His work in understanding forecasting is tremendously valuable. Superforecasting builds on the research that resulted in publishing Expert Political Judgment.

Tetlock seeks to improve the reader’s ability to identify and understand errors of judgment. If we improve this skill, we will improve our ability to evaluate expert inputs in risk management.

Thinking_fast_and_slow_cover.jpg#5 – Thinking, Fast and Slow (Daniel Kahneman)

Rounding out the list is Thinking, Fast and Slow. Improving your understanding of thinking in general is the next best step. Take the time to read this book. Peel out nuggets of wisdom before tackling more advanced risk management and analysis concepts.

There it is…

This is my go-to list of 5. I recite it to anyone who has made or will make the leap into risk management and analysis. These books will set the foundation for thinking about risk. They will also push you down a path towards improving your skills beyond your peers.
What books would you have in your top 5? How does your mileage vary?


Tags: information security risk program, risk assessment program, risk management process, Security Risk Assessment

Mar 20 2012

Risk Management and Business Life Cycle

Category: Security Risk AssessmentDISC @ 1:29 pm

  • Risk management is a business process and all the business decisions should have a business development life cycle
  • Risk management is a management responsibility, must be supported by senior management and that concept of Ownership of assets must be established
  • In Pre screening of critical assets, assets sensitivity must be established based on business, legal and contractual values for confidentiality, integrity and availability. this risk analysis process will determine which critical assets needs to go through the risk assessment process
  • Organizaions use risk assessment to determine what threats exist to a specific asset and the associated risk
  • The risk acceptance threshold will provide the organization with the information needed to select effective control measures or safeguards to lower the risks to an acceptable level
  • Risk is a function of the probability that an identified threat will occur and then the impact that threat will have on the asset
  • Risk Assessment should include the followings primary steps:
    * Critical Asset Sensitivity (impact analysis) level affecting business, contractual and legal imapct
    * Threats identified
    * Vulnerabilities related to the threats
    * Probablity of occurance that the specific threat will exploit the given vulnerability
    * Impact of the loss if the specific threat will exploit the given vulnerability
    * Risk level identified
    * Control recommendations based on risk acceptance
    * Results documentation

    How to Complete a Risk Assessment in 5 Days or Less

    Tags: Risk Assessment, Security Risk Assessment, Tom Peltier

    May 13 2011

    Enterprise Risk Management: From Incentives to Controls

    Category: Security Risk AssessmentDISC @ 12:03 pm

    Enterprise Risk Management: From Incentives to Controls

    Enterprise risk management is a complex yet critical issue that all companies must deal with as they head into the twenty-first century. It empowers you to balance risks with rewards as well as people with processes.

    But to master the numerous aspects of enterprise risk management- you must first realize that this approach is not only driven by sound theory but also by sound practice. No one knows this better than risk management expert James Lam.

    In Enterprise Risk Management: From Incentives to Controls- Lam distills twenty years’ worth of experience in this field to give you a clear understanding of both the art and science of enterprise risk management.

    Organized into four comprehensive sections- Enterprise Risk Management offers in-depth insights- practical advice- and real world case studies that explore every aspect of this important field.

    Section I: Risk Management in Context lays a solid foundation for understanding the role of enterprise risk management in todays business environment.

    Section II: The Enterprise Risk Management Framework offers an executive education on the business rationale for integrating risk management processes.

    Section III: Risk Management Applications discusses the applications of risk management in two dimensions – functions and industries.

    Section IV: A Look to the Future rounds out this comprehensive discussion of enterprise risk management by examining emerging topics in risk management with respect to people and technology.

    Failure to properly manage risk continues to plague corporate America from Enron to Long Term Capital Management. Don’t let it hurt your organization. Pick up Enterprise Risk Management and learn how to meet the enterprise-wide risk management challenge head on and succeed.

    Here are the contents of the book.

    Authors: James Lam
    Publisher: John Wiley
    ISBN 10: 0471430005
    ISBN 13: 9780471430001
    Pages: 336
    Format: Hard Cover
    Published Date: 24/06/03

    “I would highly recommend this book to anyone with a serious interest in understanding risk management from a holistic perspective.”

    Tags: Enterprise Risk Management, Risk Assessment, Security Risk Assessment, security risk assessment process

    Feb 16 2010

    Security risk assessment process and countermeasures

    Category: Security Risk AssessmentDISC @ 4:01 pm

    The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments

    The following are the common steps that should be taken to perform a security risk assessment. These are just basic common steps which should not be followed as is but modified based on organization assessment scope and business requirements.

    • Identify the business needs of the assessment and align your requirements with business needs.
    • Assess the existing security policies, standards, guidelines and procedures for adequacy and completeness.
    • Review and analyze the existing assets threats and vulnerabilities
    • Analyze the impacts and likelihood of threats and vulnerabilities on assets
    • Assess physical controls to network and security infrastructure
    • Assess the procedural configuration review of network and security infrastructure based on existing policies and procedures
    • Review logical access and physical access and other authentication mechanism
    • Review the level of security awareness based on current policies and procedures
    • Review the security controls in service level agreement from vendors and contractors
    • At the end of review develop a practical recommendations to address the identified gaps in security controls

    To address the existing gaps in infrastructure we have to select the appropriate countermeasures to address the vulnerability or thwart a threat of attack. Four types of techniques are used by countermeasures:

    Deterrent controls reduce the likelihood of an attack. Blocking phishing sites at ISP is an example of deterrent control
    Preventive controls reduce exposure. Firewall is an example of preventive control
    Corrective controls reduce the impact of successful attacks. Antivirus is an example of corrective control
    Detective controls discover attacks and trigger preventive or corrective controls. IDSs and SIEM systems are example of detective control.

    Tags: authentication, countermeasure, Firewall, phishing, Risk Assessment, security controls, Security policy, security review, Security Risk Assessment, security risk assessment process

    Sep 01 2009

    Audit of security control and scoping

    Category: Risk Assessment,Security ComplianceDISC @ 3:53 pm


    Information Technology Control and Audit

    The audit is utilized as a tool to check compliance control based on standards such as ISO 27002 or NIST 800-53 etc. Some other terms which are not sometime rigorous audit have been used to asses controls are gap analysis, benchmarking and control review.

    Scoping sets the boundaries of the audit, where dependencies are marked and exclusions are sorted out.

    The consultant/team lead that has a thorough understanding of security risk management ought to carry out these reviews. The quality of the work depends on correct scoping, fieldwork assignment, and appropriately reporting the findings to management.

    Team lead should have a clear understanding of audit scope before the initial briefing to client. Basically what exactly the client wants and who are the target audiences in the final report and presentation. Clear understanding of the scope includes making sure that the whole organization is included in the audit or just part of it. Before starting an audit, the auditor should have a complete list of assets included in the scope. Sort the assets list into different group of infrastructure which could be handed over to technical consultant for validation of the controls. At this point team lead should point out to technical consultant, the minimum number of assets which are required to be validated to satisfy sampling requirement.

    Scope of final report/presentation should be clear regarding the list of non-compliance, prioritized recommendation or action plans which needs to be included in the report. During presentation of the findings, and to keep C level folks interested in the presentation, presenter needs to relate the findings to business risk and avoid using security acronym.

    Scoping will take into account the length of the time available for field work, analysis, reporting and size and competence of the team to perform a successful audit. Especially if limited time is available for field work, the competence of the team matter to cover various infrastructure, to validate and document the controls effectively.

    Tags: assessment profile, assessment scope, iso 27002, NIST 800-53, security audit, security control, security review, Security Risk Assessment

    Mar 04 2009

    HIPAA accountability and security program

    Category: hipaa,Security Risk AssessmentDISC @ 7:34 pm

    Logo of the United States Department of Health...
    Last year the department of Health and Human Services (HHS) started penalizing healthcare organizations for security breaches and lack of security program. Healthcare stimulus bill says that HHS will post a breach of healthcare organization on their website. In both cases the intent is clear that HHS want to hold healthcare organizations accountable for security lapses.

    World Privacy Forum (WPF) states in recent report that medical identity theft is on the rise and it leaves false information in medical records that can torment victims’ medical lives for years. Medical identity theft mostly carried out by insiders with legitimate access to medical and insurance billing. Patient medical files, and addresses can be changed to reflect phony medical care, and insurance payments are forwarded to different address.

    HHS has given ample warning and time to healthcare organization to get their house in order. Healthcare stimulus bill which require digitizing healthcare records will demand even more stringent security program from healthcare organizations. Time is of the essence for healthcare organizations to start their security strategy planing now to implement their security program before HHS come knocking at their door.

    Risk Management Process:

    Like other compliance initiatives, HIPAA also require organizations to build a security risk management program to manage their daily risks. The process of risk management consists of risk assessment (analyzing the risks), design/select control, implement control, test control, maintain/ monitor control. At high level, risk management is accomplished by balancing risk exposure against mitigation costs and implementing appropriate countermeasures and controls.


    Risk assessment states the security posture of an organization at a given point in time. Therefore organization should conduct risk assessment of their assets on a regular basis. Risk assessment looks at the impact and likelihood of threat/ vulnerability pair to assess the risk. What is the likelihood of a threat to exploit a given vulnerability and what will be the impact of the threat if the given vulnerability is exploited. If either likelihood/impact is low, the overall risk is low.

    Performing vulnerability assessment of critical assets on monthly basis is highly recommend to find out new vulnerabilities and making sure the hardened systems configuration have not changed. Also any changes introduced to a system will require checking the necessary system configurations are intact.

    A Five-step Roadmap to HIPAA Security Compliance

    Related videos by youtube

    Reblog this post [with Zemanta]

    Tags: Health care, Health Insurance Portability and Accountability Act, Identity Theft, Risk management, Security, Security Risk Assessment, United States Department of Health and Human Services

    Feb 25 2009

    Small business and assessment of IT risks

    Category: Security Risk AssessmentDISC @ 5:02 pm

    Network and Information Security Agency
    According to a study released by European Union ENISA, Small-to-Medium-Sized (SME) enterprises require extra guidance in assessment of IT security risks of their assets.

    Agency also established that in the first implementation it is improbable that SME can utilize a risk assessment & risk management approach without external assistance and simplified information security approach was extremely useful for security awareness on the part of business to improve their information security management approach. One of the main drivers that have pushed ENISA towards a simplified Risk Assessment and Management approach was the idea that SMEs need simple, flexible, efficient and cost-effective security solutions.

    Regarding the entire process applied for the life-cycle of the simplified approach, ENISA has applied the Plan-Do-Check-Act model:
    o PLAN: creation of a simplified Risk Assessment & Risk Management approach for SMEs
    o DO: run pilots in different contexts inside EU
    o CHECK: get feedback from pilots and aggregate and analyze it
    o ACT: review and improve the simplified approach starting from the feedback
    It is expected that through repetitions of the above life-cycle a proper maturity of the simplified ENISA method will be achieved.
    Diagram: Overview of the phases of the ENISA simplified approach
    ENISA simplified and standardized approach for risk assessment for SMEs is designed for untrained users and organization with small IT infrastructure. Security of SMEs is crucial for European economy, since they represent 99% of all enterprises in EU and around 65 million jobs, said ENISA said.

    ENISA report and findings

    As economic slowdown is looming ahead in US economy, it makes sense to adopt a lifecycle approach which is simplified, standardized in managing and securing the SMEs data. SME is the core engine of US economy as well; taking a standard based approach for data protection will not only serve to increase awareness and secure businesses but will also satisfy various compliance needs. Complexity is an enemy of security and SME most of the time don’t have inside expertise to tackle organizations information security needs. The main idea is to build a simple, flexible and cost efficient risk assessment and risk management program for non-expert users and management with relatively less complex IT infrastructure which fits the needs of all SME. This program will serve as an IT risk assessment tool; fulfill the needs of several regulations and serves as a great security awareness tool as well. As business needs change, risk assessment and risk management process can be improved utilizing Deming PDCA model. Start with a base model program and improve the process to tailor your business needs down the road.

    Another methodology which is worth mentioning here for simplified risk assessment approach for SME is Facilitated Risk Analysis and Assessment Process (FRAAP) created by Tom Peltier which can be utilized to identify and quantify threats to IT infrastructure. Tom also teaches a class how to complete a risk assessment in 5 days or less utilizing FRAAP and his book on “Information security risk analysis” where he explains his FRAAP methodology.

    Computer Security

    Reblog this post [with Zemanta]

    Tags: Business, Computer security, Consultants, European Network and Information Security Agency, European Union, information security risk analysis, Risk management, Security, Security Risk Assessment, Small and medium enterprises, SME