APPENDIX G

CYBERSECURITY RISK ASSESSMENT

A Cybersecurity Risk Assessment is a structured evaluation of an organization’s IT infrastructure, systems, and processes to identify vulnerabilities, threats, and the resulting risks to digital assets and data. The assessment examines both internal and external attack surfaces, classifies data by sensitivity, and rates each risk by the likelihood of a security breach and its potential impact. The goal is to produce a prioritized, actionable set of findings for strengthening the organization’s security posture and maintaining preparedness against evolving cyber threats.

Penetration Testing

  • Description: Conduct simulated attacks from both internal and external vantage points to identify vulnerabilities that are actually exploitable in the organization’s environment, not merely present.

Network Topology and Asset Discovery

  • Description: Map and identify all network-connected assets to ensure comprehensive coverage in risk assessments.
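The coverage point in the description above is that a risk assessment can only rate the assets it knows about, so discovery results have to be reconciled against the asset inventory. The following script is an added example, not part of the original appendix or any vendor tooling: it parses a constructed sample of Nmap’s `-oX` XML output (the real format, abridged to the elements read here), extracts live hosts and their open ports, and compares them with a hypothetical CMDB export to surface unknown hosts and inventoried assets that did not respond.

```python
# Added example: reconcile an Nmap discovery scan against an asset inventory.
# The XML is constructed sample data in Nmap's -oX format; KNOWN_ASSETS is a
# hypothetical CMDB export. Standard library only, runs offline.
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -sS -sV -oX scan.xml 10.0.0.0/28` might
# emit for three hosts (only the elements this script reads are included).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <hostnames><hostname name="web01.corp.example" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="10.0.0.12" addrtype="ipv4"/>
  </host>
</nmaprun>"""

# Hypothetical CMDB export: IP -> hostname the organization believes it owns.
KNOWN_ASSETS = {"10.0.0.5": "web01.corp.example", "10.0.0.7": "db01.corp.example"}


def parse_nmap_hosts(xml_text):
    """Return live hosts as dicts with ip, hostname and a list of open ports."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # a host that did not answer carries no port data
        ip = next((a.get("addr") for a in host.findall("address")
                   if a.get("addrtype") == "ipv4"), None)
        if ip is None:
            continue
        hn = host.find("hostnames/hostname")
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are not an exposed service
            svc = port.find("service")
            open_ports.append((int(port.get("portid")), port.get("protocol"),
                               svc.get("name") if svc is not None else ""))
        hosts.append({"ip": ip,
                      "hostname": hn.get("name") if hn is not None else None,
                      "open_ports": open_ports})
    return hosts


def reconcile(hosts, known_assets):
    """Return (unknown hosts found on the wire, inventoried IPs that did not respond)."""
    discovered = {h["ip"] for h in hosts}
    unknown = [h for h in hosts if h["ip"] not in known_assets]
    missing = sorted(ip for ip in known_assets if ip not in discovered)
    return unknown, missing


if __name__ == "__main__":
    live = parse_nmap_hosts(SAMPLE_NMAP_XML)
    unknown, missing = reconcile(live, KNOWN_ASSETS)
    for h in unknown:
        print("NOT IN INVENTORY:", h["ip"], h["hostname"], h["open_ports"])
    for ip in missing:
        print("INVENTORIED BUT SILENT:", ip, KNOWN_ASSETS[ip])
```

Both lists matter: an unknown host exposing RDP is an asset the risk register would otherwise never rate, and an inventoried host that never answers may be decommissioned, firewalled from the scanner, or on a segment the scan did not reach, any of which is a coverage gap to resolve before scoring risks.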

Data Sensitivity Scanning

  • Description: Scan and classify organizational data based on sensitivity and regulatory requirements to prioritize protections for critical assets.
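The description above turns on two things a classifier must get right: detecting regulated data types with few false positives, and ranking documents so the most sensitive ones are protected first. The script below is an added illustration, not part of the original appendix or any product: it scans constructed sample records for card numbers (validated with the Luhn check so arbitrary 16-digit IDs are not flagged), U.S. SSN-shaped values and e-mail addresses, assigns a tier, and maps each finding to a framework. The tier names and the regulation mapping are assumptions chosen for the example.

```python
# Added example: classify records by sensitivity from the data types they
# contain. Tier names and the REGULATION mapping are illustrative assumptions;
# SAMPLE_DOCS is constructed input. Standard library only.
import re

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
# SSN shape with the area/group/serial values that are never issued excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digits, optionally separated by spaces/dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

# Assumed mapping from data type to the framework that governs it.
REGULATION = {"card_number": "PCI DSS", "ssn": "PII / privacy law", "email": "PII / privacy law"}
TIER_ORDER = ["restricted", "confidential", "internal"]  # most to least sensitive


def luhn_ok(digits):
    """Luhn checksum; filters out order IDs and serials that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text):
    """Return the tier, the data types found, and the frameworks they fall under."""
    found = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add("card_number")
    if SSN_RE.search(text):
        found.add("ssn")
    if EMAIL_RE.search(text):
        found.add("email")
    tier = "internal"
    if "card_number" in found or "ssn" in found:
        tier = "restricted"
    elif "email" in found:
        tier = "confidential"
    return {"tier": tier, "findings": sorted(found),
            "regulations": sorted({REGULATION[t] for t in found})}


def rank_documents(docs):
    """Order (name, text) pairs most-sensitive first so protections are applied in that order."""
    scored = [(name, classify(text)) for name, text in docs]
    return sorted(scored, key=lambda item: TIER_ORDER.index(item[1]["tier"]))


# Constructed sample records.
SAMPLE_DOCS = [
    ("roadmap.txt", "Q3 roadmap draft, internal planning only"),
    ("orders.csv", "Order 1234 5678 9012 3456 shipped to j.doe@example.com"),
    ("payments.log", "Card 4111 1111 1111 1111 exp 12/27 approved"),
    ("hr.txt", "Employee 123-45-6789 onboarding checklist"),
]

if __name__ == "__main__":
    for name, result in rank_documents(SAMPLE_DOCS):
        print(f"{result['tier']:<12} {name:<14} {result['findings']} {result['regulations']}")
```

Note that orders.csv is only confidential: its 16-digit value fails the Luhn check and is treated as an order number, while the e-mail address still makes it personal data. In practice the pattern set would be extended to the regimes the organization is subject to, but the structure stays the same: detect, validate, tier, then rank.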

Simulated Ransomware Attacks/Adversary Emulation

  • Description: Simulate ransomware attacks and advanced threat scenarios to test resilience and improve response strategies.

Risk Identification

  • Description: Catalog the threats to digital assets and data, including known vulnerabilities and exposures found on the dark web (for example, leaked credentials), as the input to risk evaluation.

Vulnerability Assessments

  • Description: Systematically scan systems and software to uncover known weaknesses that attackers could exploit, as a broad, repeatable complement to targeted penetration testing.

Risk Evaluation and Analysis

  • Description: Evaluate the organization’s current security posture, rate each identified risk by likelihood and impact, and assess whether existing controls adequately reduce it, so that areas needing improvement are ranked rather than merely listed.

Risk Mitigation

  • Description: Develop and implement strategies to address high-priority risks, including security enhancements and best practices for risk reduction.