The document discusses five types of assessments that are important for comprehensive risk management: risk assessment, security controls assessment, compliance assessment, vulnerability assessment, and penetration testing. It provides an overview of why each assessment is conducted, how it is conducted, and the expected outcome. Comprehensive risk management involves identifying threats and risks, understanding existing security controls, ensuring compliance with standards, identifying vulnerabilities, and testing the effectiveness of controls against attacks.

1. ASSESS ALL THE THINGS
Achieving comprehensive risk management through five distinct assessments
Jerod Brennen, InfoSec Geek

2. FIVE ASSESSMENTTYPES
 Risk Assessment
 Security Controls Assessment
 Compliance Assessment
 Vulnerability Assessment
 PenetrationTest
Comprehensive
Risk
Management
Risk
Assessment
Security
Controls
Assessment
Compliance
Assessment
Vulnerability
Assessment
Penetration
Test

3. RISK ASSESSMENT
 Why do we do it?
 Identify threats, vulnerabilities,
likelihood, and impact
 Prioritize risks so we can prioritize
control implementation ($)
 How do we do it?
 Research attacks against similar
institutions
 Research attacks against our own
organization
 What’s the end result?
 Prioritized lists of relevant risks
Comprehensive
Risk
Management
Risk
Assessment
Security
Controls
Assessment
Compliance
Assessment
Vulnerability
Assessment
Penetration
Test

4. SECURITY CONTROLS ASSESSMENT
 Why do we do it?
 Identify the security controls we
already have in place
 Understand where we might have gaps,
based on identified risks
 How do we do it?
 Select (or define) a framework
 Document control coverage and/or
strength
 What’s the end result?
 Prioritized lists of control gaps
Comprehensive
Risk
Management
Risk
Assessment
Security
Controls
Assessment
Compliance
Assessment
Vulnerability
Assessment
Penetration
Test

5. COMPLIANCE ASSESSMENT
 Why do we do it?
 External requirements by
standard/regulatory bodies
 Cost of doing business
 How do we do it?
 Identify relevant standards and/or
regulations
 Document control coverage and/or
strength
 What’s the end result?
 Documented attestations of
compliance
Comprehensive
Risk
Management
Risk
Assessment
Security
Controls
Assessment
Compliance
Assessment
Vulnerability
Assessment
Penetration
Test

6. VULNERABILITY ASSESSMENT
 Why do we do it?
 Validate that security controls are
appropriately implemented/maintained
 Identify attack vectors most likely to be
successfully compromised
 How do we do it?
 Automated vulnerability scans (host,
application, etc.)
 Manual analysis (phishing simulations)
 What’s the end result?
 Documented list of (exploitable)
weaknesses
Comprehensive
Risk
Management
Risk
Assessment
Security
Controls
Assessment
Compliance
Assessment
Vulnerability
Assessment
Penetration
Test

7. PENETRATIONTEST
 Why do we do it?
 Emulate attack scenarios identified
during the risk assessment
 Validate the effectiveness of
implemented controls
 How do we do it?
 Automated exploit attempts (pen
testing platform)
 Manual exploit attempts (internal red
team, external pen testers)
 What’s the end result?
 Refined list of exposures most likely to
result in a comrpomise
Comprehensive
Risk
Management
Risk
Assessment
Security
Controls
Assessment
Compliance
Assessment
Vulnerability
Assessment
Penetration
Test

8. COMPREHENSIVE RISK MANAGEMENT
 We’ve identified the most likely
threats to our people, our data, and
our operations
 We know which security controls we
already have in place
 We’ve documented evidence required
by external entities
 We know where we’re most exposed
 We know whether or not our controls
are likely to withstand actual attacks
Comprehensive
Risk
Management
Risk
Assessment
Security
Controls
Assessment
Compliance
Assessment
Vulnerability
Assessment
Penetration
Test