A Holistic Approach to CyberRisk Management
NIST CyberSecurity High Level Functions
Companies are faced with many risks and threats while conducting their day-to-day business. One must understand that risk cannot be eliminated, but it can be managed to an acceptable level.
To manage risks, a company needs to know what the risks are and how each affects the organization and its strategic objectives. A one-size-fits-all strategy does not apply to risk; each organization has its own risk tolerance threshold.
According to Symantec Corporation's Internet Security Threat Report 2014, "US companies paid $188 per breached record over a period of two years. If the data breach was caused by a malicious attack, then the number rose to $277 per breached record over two years. These expenses covered detection, escalation, notification and after-the-fact response, such as offering data monitoring services to affected customers."
SMART DEVINE's CyberRisk Management Service (CMS) provides a holistic approach to managing the cybersecurity risks faced by most organizations, and incorporates the NIST (National Institute of Standards and Technology) Cybersecurity Framework as its guideline. NIST lists five functions (Identify, Protect, Detect, Respond and Recover), which are the basic security activities organized at their highest level. Under each function is a variety of activities that must be completed to minimize risk to your organization.
Vulnerability Assessment
A Vulnerability Assessment is the first step in understanding the cyber risks faced by your organization, and will help identify the strengths, weaknesses and security gaps in the computer systems, network and infrastructure. Unlike a penetration test, a Vulnerability Assessment is not invasive: it only identifies and classifies the vulnerabilities that are found, rather than attempting to exploit them. An assessment can also help the organization identify and prioritize gaps in its security risk management profile. Conducting an assessment gives a company a solid understanding of its current risk profile and a baseline from which to work toward an optimal level of security.
Industry professionals recommend conducting a vulnerability assessment on a regular basis. This is also a requirement of many regulations and industry standards, such as the Payment Card Industry Data Security Standard (PCI-DSS), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and others.
© 2014 SMART DEVINE; All rights reserved.
A VULNERABILITY ASSESSMENT WILL DETERMINE AND VERIFY:
• Devices that are attached to the network
• Unused user accounts
• Unnecessary open ports
• Software that is not patched
• Incorrect permissions on important system files
Once vulnerabilities are found in the assets, which include hardware, software and network infrastructure, they are identified and classified according to the organization's risk tolerance. The next step is to protect the assets from threats. Not all threats can be eliminated; so after studying the likelihood and impact a threat can have on the business, management should devise procedures to protect high-risk assets from those threats. This can be accomplished by implementing protective technology, securing data, controlling access, creating policies, and conducting user awareness training.
The initial time and effort dedicated to protecting your data does not mean your company is secure. Cybersecurity is an ongoing project because vulnerabilities change, and so do the threats that persist. Monitoring critical events and incidents can help an organization strengthen its posture, but there must be a way to detect what is going on in your company's environment, through processes such as continuous monitoring, web application scanning and a solid vulnerability management program.
smartdevine.com 267.670.7300
Crisis Management Plan
Many organizations learn how to respond to a security incident only after the attack has happened. A proper Incident Response Plan should be an integral part of every organization's security policy.
There are many benefits to being prepared; one such benefit could be obtaining a premium discount on cybersecurity insurance. A well-thought-out response plan demonstrates that the organization takes information security seriously and is prepared to handle attacks quickly, thoroughly, and efficiently. A well-conceived Incident Response Plan, proper training for the incident response team, and rehearsing the plan by conducting mock exercises are all very important activities.
The last function in this CyberRisk management approach is Recover, which is about bringing an organization back to the point before the attack took place. Many organizations have a robust disaster recovery and business continuity plan in place; however, management should consider modifying the existing plan to include a cyber attack as a valid threat. Recovery planning is essential because the quicker management can get the business up and running after an incident, the better your brand, image and other assets are preserved.
Our Approach
We use a SMART approach which involves people, process and technology. There is plenty of technology available in the market to help detect intruders, but that should not be the only driver for your security strategy. An effective security program takes a holistic approach and involves people and processes in addition to the technology. Humans are often the weakest link in the equation, and user awareness can make a big difference to a security program. Proper user awareness training includes educating employees about cybersecurity risks and developing a risk-awareness culture to help mitigate this issue.
Our CMS approach uses automated tools as well as manual validation to minimize the effort and maximize the value for our clients.
Not sure your organization has a cybersecurity program? Call us. If you believe you already have an effective program, consider putting it to the test with our team. New cybersecurity threats appear frequently, which makes continuous improvement of your plan a necessity.
Benefits of a Holistic Approach to Cybersecurity
1. Plug Security Holes
2. Determine Security Requirements
3. Increase Security Awareness
4. Document Due Diligence
5. Justify Spending
CYBERRISK MANAGEMENT SERVICE INCLUDES:
• Vulnerability Assessment
• Penetration Testing
• Regulatory Compliance (PCI-DSS, HIPAA, GLBA and others)
• User Awareness Training
• Security Policy Review
• Disaster Recovery and Business Continuity Planning
• Continuous Monitoring and Incident Response
Accounting Tax Advisory
Smart Devine provides a full range of accounting, advisory, tax and investigative forensic and litigation services
to organizations across a variety of industries.
Smart Devine | 1600 Market Street | 32nd Floor | Philadelphia, PA 19103 | T 267.670.7300 | info@smartdevine.com
INTEGRATED TEAM OF PROFESSIONALS
SMART DEVINE's integrated team of business advisory and consulting professionals draws upon experience from both the public and private sectors. Our clients rely on us for the skills, experience and knowledge we offer in supporting the critical operations of their businesses. For more information, contact Anil Chacko, Managing Director at Smart Devine's Business Advisory Group. Anil has extensive experience as an IT Executive in the Financial Services and Insurance industries. Contact Mr. Chacko at 267.670.7311 or achacko@smartdevine.com.
Anil Chacko, MBA, CISM
Managing Director
SMART DEVINE OFFERS A FULL LINE OF SOLUTIONS
Also Read this White Paper: CYBERSECURITY: Is Your Business Ready?
ACCOUNTING & AUDIT
• Audit, Reviews & Compilation
• Accounting & Tax Due Diligence
• Accounting Outsourcing
• Agreed Upon Procedures
• Business Valuation
• Finance Process & Reporting Optimization
• Forecasts & Projections
• Forensic Accounting & Litigation Support
• Internal Control Study & Evaluation
• Personal Financial Statements
• Retirement Plan Audits & Prep
• Trust Accounting
• SEC Advisory Services
• Special Project Coordination & Support
• Technical Accounting Consulting
• Transaction Advisory Services
• SSAE 16/SOC 1 & SOC 2 Reviews
BUSINESS ADVISORY
• Business Process Outsourcing
• Business Performance & Profit Improvement
• Financial Advisory & Risk Services
• Technology & IT Security
RISK SERVICES
• Corporate Governance Regulatory Compliance
• Enterprise Risk Management
• Business Risk Assessment
• IT Risk Assessment
• Internal Audit Services
• IT Internal Auditing
• Internal Audit Transformation
• Quality Assessment Reviews
• Sarbanes Oxley/Model Audit Rule/NAIC Compliance
• SSAE 16/SOC 1 & SOC 2 Readiness Assessments
INSURANCE ADVISORY SERVICES
• Accounting & Financial Reporting
• Tax Services
• Claims Services
• Underwriting Services
• Litigation Support & Forensic Accounting
• Risk Advisory
TAX
• Tax Return Compliance
• Accounting for Income Taxes
• ASC 740 (FAS 109) Tax Provision Services
• International Taxation
• IC-DISC
• Tax Planning & Advisory
• Tax Controversy
• Transfer Pricing
• Research & Development Tax Credit
• State & Local Taxation
FORENSIC & LITIGATION SERVICES
• Litigation Services
• Environmental Litigation
• Forensic Investigations
• Trustee & Monitoring Services
• Digital Forensics & eDiscovery

Cyber risk management-white-paper-v8 (2) 2015
