Our security risk assessment methodology is tailored to client needs. We use the NIST National Vulnerability Database (NVD) together with the following frameworks and guidelines:
- US National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems and Organizations. NIST SP 800-53 identifies 198 security practices, divided into 18 families and three classes, each of which has been mapped to ISO 27001. SP 800-53 defines three security baselines that provide a starting point for selecting the controls to implement for low-impact, moderate-impact and high-impact IT systems. These baselines can serve as the basis for a risk-based security standard covering the various categories and subcategories of assets.
- OWASP website penetration testing framework
- ISACA IS Auditing Procedure P8, Security Assessment—Penetration Testing and Vulnerability Analysis (P8), which provides scope and procedure guidance for cybersecurity assessments.
- Assessment phases are typically conducted using the Tenable Network Security Nessus vulnerability scanner (Nessus) combined with other assessment procedures. Nessus uses the Common Vulnerability Scoring System (CVSS) to support risk assessment. A risk assessment requires a qualitative analysis of the vulnerabilities present in a network; the Forum of Incident Response and Security Teams (FIRST) created CVSS to standardize that analysis. CVSS provides an open framework for communicating the characteristics and impacts of IT vulnerabilities and consists of three metric groups: base, temporal and environmental.