A significant increase in targeted attacks on information assets – not only in the military and government but also the financial services, retail, and healthcare industries – makes a proactive and agile approach to managing risk an imperative for achieving security.
QinetiQ helps customers get a true measure of risk by identifying and understanding the cyber threats to their information assets, the physical environment they exist in, the people that manage and use them, and the customer information which resides on them.
Our security risk management service involves:
Risk assessment – determining risks by analysing the threats, vulnerabilities and impacts specific to an organisation, and weighting them in importance. Our consultants look at processes, security architecture, IS/IT applications and networks, day-to-day operations, asset management and data protection issues.
Risk management – developing cost-effective mitigation, controls and countermeasures to protect information and processes from inadvertent error and malicious attack. We align these with the customer's priorities and benchmark them against industry standards.
QinetiQ's risk assessment service provides a comprehensive, detailed profile of which risks are most likely to be realised and what their impact would be – enabling an organisation to apply mitigation where the combination of likelihood and impact is highest, rather than spreading effort evenly across every finding.
As well as revealing where vulnerabilities exist, the process uncovers who might have the motivation and capability to exploit them – for instance, cyber criminals, employees with low morale or terrorists – how they would do it, and why.
Our consultants build up a picture of the client organisation from the perspective of an attacker, looking at critical processes, information flows and the technology that supports business operations. They also examine connectivity between third parties, suppliers and global operations.
The QinetiQ risk assessment process gathers essential knowledge on:
Information security risks. We use risk modelling and management tools including DBSy™ and CRAMM, and our consultants hold CLAS, CHECK, CISSP and similar qualifications.
Business continuity risks. We advise on and prepare continuity plans and facilitate exercises to minimise downtime by supporting staff in managing and recovering from interruptions.
Physical risks. We assess risks to infrastructures, buildings and systems, including structural design, perimeter protection and secure access.
Human risks. We assess and manage risks from people and the way they work – for instance, through non-compliance with regulation.
Operations and gap analysis. We identify shortcomings in IT systems and operating procedures against recognised standards, and recommend potential improvements.