Our risk assessment methodology
Our approach to assessing risk follows industry frameworks accepted by the regulators and standards bodies our clients answer to: the HHS Office for Civil Rights (OCR), which enforces the Health Insurance Portability and Accountability Act (HIPAA); the PCI Security Standards Council (PCI SSC); and the Centers for Medicare & Medicaid Services (CMS). Our process is outlined below and aligns closely with NIST SP 800-30, which defines the prepare, conduct and communicate phases of a risk assessment.
- Preparation for the security assessment establishes its purpose, scope, assumptions and constraints, and the approach and information sources to be used.
- Conducting the security risk assessment means identifying threat sources and threat events, the vulnerabilities and predisposing conditions they could exploit, the likelihood and impact of each, and the resulting security risk, producing a list of identified risks prioritized by urgency.
- Reporting after the assessment delivers a detailed report to inform and guide risk decisions, along with executive briefings, risk memos, or risk dashboards as appropriate for each audience.