Risk Assessment Services

Cybersecurity Framework (CSF), NIST 800-53, ISO 27001, OCTAVE

Bolstering your Information Security Program through Risk Analysis

Risk Assessment, through the evaluation of security best practices, is a key component in helping organizations identify and reduce cybersecurity risk. Beyond the technologies in use, a Risk Assessment takes into account an organization's people, policies and procedures, and environments as they relate to risk management. A Risk Assessment is also an effective tool for communicating about cybersecurity with both internal and external stakeholders.

Meeting your Risk Assessment needs

At Contextual Security Solutions, we know one size does not fit all. That's why we offer a variety of Risk Assessment options to suit your specific needs and industry. Whether you are an organization responsible for critical infrastructure, a retail company addressing PCI DSS v4.0 Requirement 12.3 (risks to the cardholder data environment are formally identified, evaluated, and managed), or a healthcare provider satisfying HIPAA Security Rule §164.308(a)(1)(ii)(A) (Security Management Process: Risk Analysis), we are here to help. Our team of security and compliance consultants can help you identify the most efficient approach to meeting your Risk Assessment needs.

"Contextual Security Solutions is a valued business partner; they are an essential extension of our IT team. From security assessments to incident response, they act quickly with expertise to exceed our expectations."

IT Manager

Midsized Business

Critical Controls Risk Assessment

How do you manage your Cyber Risk?

Contextual Security Solutions' Critical Controls Risk Assessment is a technical, administrative, and physical assessment of the organization's people, processes, technologies, and environments.

The Critical Controls Risk Assessment reviews a prioritized set of actions that together form a defense-in-depth set of best practices for mitigating the most common attacks against systems and networks. The assessment is organized around the five primary functions of the NIST Cybersecurity Framework, Identify, Protect, Detect, Respond, and Recover, which structure how an organization manages cybersecurity risk. (NIST CSF 2.0, released in February 2024, adds a sixth function, Govern, that cuts across the other five.)

NIST Cybersecurity Framework

The Critical Controls Risk Assessment provides visibility into the organization's ability to manage and reduce risk by evaluating it against the CSF's primary functions listed above. The assessment produces measurable data that highlights which areas or categories should be remediated or strengthened to better address cybersecurity risk. Other benefits are described below:

Executive Out-Brief

For every service we offer, a detailed Executive Out-Brief is delivered to walk through the report, highlight and provide context for the areas that present the most risk to the organization, and answer any related questions.

Other Risk Assessment Services

OCTAVE Allegro Risk Assessment

This streamlined risk assessment is ideal for organizations that need to efficiently assess the risk associated with the specific information assets critical to their operations. It focuses primarily on how those information assets are used and where they are stored, transported, and processed. As a result, OCTAVE Allegro risk assessments can be, and often are, used to support adherence to compliance frameworks such as the PCI Data Security Standard and HIPAA, which require organizations to periodically assess the risks to the sensitive data (e.g. CHD, ePHI, PII) they store, process, or transmit.

ISO 27001 Risk Assessment

ISO/IEC 27001 is an international standard for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). Our ISO 27001 Risk Assessment is ideal for large organizations with more mature risk management processes. Using our Perigon360 platform, organizations can track their progress and changes in status and maturity level for each requirement year over year.

NIST 800-53 Risk Assessment

Our NIST SP 800-53 assessments focus on the security and privacy controls that are critical for risk management. The latest revision of the special publication, Revision 5, integrates privacy controls and adds a Supply Chain Risk Management (SR) control family. A NIST 800-53 Risk Assessment is ideal for medium to large organizations across all industries looking to establish or build upon their existing risk management processes.

New York DFS 23 NYCRR 500

Contextual Security Solutions has created an annual program for organizations that must adhere to the New York State Department of Financial Services 23 NYCRR Part 500 cybersecurity regulation. Our Base Assessment of Security Elements (B.A.S.E.) NYCRR 500 Program addresses the following key components of the most recent amendment to the regulation (November 2023):

1) Penetration Testing (500.5): Each covered entity shall conduct, at a minimum, penetration testing of their information systems from both inside and outside the information systems' boundaries by a qualified internal or external party at least annually.

2) Vulnerability Scans (500.5): Each covered entity shall conduct automated scans of information systems, and a manual review of systems not covered by such scans, for the purpose of discovering, analyzing and reporting vulnerabilities at a frequency determined by the risk assessment, and promptly after any material system changes.

3) Risk Assessment (500.9): Each covered entity shall conduct a periodic risk assessment of the covered entity’s information systems. The risk assessment shall be carried out in accordance with written policies and procedures and shall be documented. Such policies and procedures shall include: criteria for the evaluation and categorization of identified cybersecurity risks or threats facing the covered entity; criteria for the assessment of the confidentiality, integrity, security and availability of the covered entity’s information systems and nonpublic information, including the adequacy of existing controls in the context of identified risks; and requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the cybersecurity program will address the risks.

4) Incident Response Plan Testing (500.16): Each covered entity shall periodically, but at a minimum annually, test its: (1) incident response and BCDR plans with all staff and management critical to the response, and shall revise the plan as necessary; and (2) ability to restore its critical data and information systems from backups.

Additional Resources

Timeframes for Covered Entities

Timeframes for Class A Businesses

Timeframes for Small Businesses

If you'd like to learn more about our B.A.S.E. NYCRR 500 Program, please click the "Schedule a Discovery Call" button at the top of this page to schedule a 15-minute call with one of our experienced consultants.

Get an Actionable Blueprint for Your Compliance & Cyber Security