Risk Assessment Services

How do you manage your Cyber Risk?

Contextual Security Solutions’ Critical Controls Risk Assessment is a technical, administrative and physical assessment of the organization’s people, processes, technologies, and environments.

The Critical Controls Risk Assessment includes a review of a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks. The focus of a Critical Controls Risk Assessment is on the five primary functions, Identify, Protect, Detect, Respond, and Recover, that assist in managing cybersecurity risk.

NIST Cybersecurity Framework

The Critical Controls Risk Assessment provides visibility into the organization’s ability to manage and reduce risk through the evaluation of the CSF’s five primary functions (above). Through the execution of the Critical Controls Risk Assessment, the organization will be provided measurable data to highlight which areas or categories should be remediated and/or strengthened to better address their cybersecurity risk. Other benefits are displayed below:

Executive Out-Brief

For every service we offer, a detailed Executive Out-Brief is given to go over the report, highlight and provide context regarding those areas that present the most risk to the organization, and answer any related questions.

Octave Allegro Risk Assessment

This streamlined risk assessment is ideal for organizations who need to efficiently assess the risk associated with those specific information assets critical to their operation. It primarily focuses on how the information assets are used, where they are stored, transported, and processed. As a result, Octave Allegro risk assessments can be, and often are utilized to support adherence to compliance frameworks, such as the PCI Data Security Standard and HIPAA, which require organizations to periodically assess the risks to the sensitive data (e.g. CHD, ePHI, PII, etc.) they store, process or transmit.

ISO 27001 Risk Assessment

The ISO 27001 is a framework for establishing, implementing, maintaining and continually improving your organization's information security program. Our ISO 27001 Risk Assessment is ideal for large organizations with more mature risk management processes. Using our Perigon360 platform, organizations can track their progress and changes in status and maturity level with each requirement year over year.

NIST 800-53 Risk Assessment

Our NIST 800-53 assessments focus on those security and privacy controls that are critical for risk management. The latest revision of the special publication includes privacy and supply chain risk management controls. A NIST 800-53 Risk Assessment is ideal for medium to large organizations across all industries looking to establish or build upon their existing risk management processes.

Contextual Security Solutions has created an annual program for those organizations that must adhere to the New York State Department of Financial Services 23 NYCRR Part 500 Cybersecurity Regulations. Our Base Assessment of Security Elements (B.A.S.E.) NYCRR 500 Program addresses the following key components found in the most recent amendment to the regulation (November 2023):

1) Penetration Testing (500.5): Each covered entity shall conduct, at a minimum, penetration testing of their information systems from both inside and outside the information systems’ boundaries by a qualified internal or external party at least annually; and automated scans of information systems, and a manual review of systems not covered by such scans, for the purpose of discovering, analyzing and reporting vulnerabilities at a frequency determined by the risk assessment, and promptly after any material system changes;

2) Vulnerability Scans (500.5): Each covered entity shall conduct automated scans of information systems, and a manual review of systems not covered by such scans, for the purpose of discovering, analyzing and reporting vulnerabilities at a frequency determined by the risk assessment, and promptly after any material system changes.

3) Risk Assessment (500.9): Each covered entity shall conduct a periodic risk assessment of the covered entity’s information systems. The risk assessment shall be carried out in accordance with written policies and procedures and shall be documented. Such policies and procedures shall include: criteria for the evaluation and categorization of identified cybersecurity risks or threats facing the covered entity; criteria for the assessment of the confidentiality, integrity, security and availability of the covered entity’s information systems and nonpublic information, including the adequacy of existing controls in the context of identified risks; and requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the cybersecurity program will address the risks.

‍4) Incident Response Plan Testing (500.16): Each covered entity shall periodically, but at a minimum annually, test its: incident response and BCDR plans with all staff and management critical to the response, and shall revise the plan as necessary; and ability to restore its critical data and information systems from backups.

Additional Resources

Timeframes for Covered Entities

Timeframes for Class A Businesses

Timeframes for Small Businesses

If you'd like to learn more about our B.A.S.E. NYCRR 500 Program, please click the "Schedule a Discovery Call" button at the top of this page to schedule a 15-minute call with one of our experienced consultants.

‍