Assessing Your Vulnerabilities

Risk Assessment and Analysis

There are many ways to infiltrate a company. Often, a company’s biggest weakness is not knowing how exposed it is to a cyberattack. An IT security risk assessment and analysis can help identify and assess the holes in your operation—a good first step toward protecting your organization.

A risk assessment can help answer several key questions:

• What systems are most at risk?

• Who has access to the most significant organizational data?

• How was mission-critical data acquired?

• What vital data is being processed, and how?

• What essential data is being stored, and how?

• What valuable data is being transmitted, and how?

• Where is crucial data being transmitted?

A cybersecurity risk assessment and analysis needs to be conducted annually and should focus on internal cybersecurity controls each year as well.

Penetration Testing

In addition to conducting a cybersecurity risk assessment and analysis and focusing on internal cybersecurity controls, prudent cybersecurity management also requires penetration testing.

Penetration testing allows highly skilled and experienced security consultants to identify vulnerabilities by invading your systems from a cyberattacker’s perspective. Put another way, penetration testing is “ethical” hacking.

Third-Party Due Diligence

If you use cloud-based or third-party hosting services or other services that help manage an aspect of your technology environment, such as firewall management or data backup, then you should ascertain the protections and security measures the vendor has in place to protect client data.

Audits: Attestation Reports on Controls

A company should request and review a System and Organization Controls (SOC) examination report, also known as SSAE 18. Alternatively, utilize an ISO 27001 audit by an independent and objective firm that specializes in technology audits before entering into an agreement with the service provider and giving them access to your sensitive data. In addition, the contract between your organization and the service provider should include language that allows you to conduct audits of their hosting environment.

Cybersecurity is a bit like playing cat and mouse. The risk of a breach will always be present, but staying one step ahead and being aware of evolving cybersecurity threats will go a long way toward enhancing your organization’s security. If you’d like to learn more, download the Moss AdamsCybersecurity Guide.

More on our authors:

Mark Edwards has been solving corporate cybersecurity problems since 2001. His experience covers a range of industry groups, regulations (GDPR, PCI, HIPAA, CFS, etc.), and frameworks, including NIST, ISO, HITRUST CSF, and COBIT. He can be reached at (858) 627-5530 or

Joan Taylor has provided internal control services since 2004. She specializes in risk management and assessment as well as compliance services across many industries. She also manages audits under the requirements of Sarbanes-Oxley (SOX) Section 404. She can be reached at (949) 221-4086 or

Assurance, tax, and consulting offered through Moss Adams LLP. Investment advisory services offered through Moss Adams Wealth Advisors LLC. Investment banking offered through Moss Adams Capital LLC.