Cyber Threat -- Yearly Assessment?

I want to start doing a 3rd party
Cyber Threat Assessment YEARLY

1. Has anyone done the below?

2. Does anyone have a different recommendation?

Have you done an assessment YOURSELF ONCE?
btan (Exec Consultant) commented:
The cyber assessment is a "health" posture of the assets and infrastructure and, in short, a vulnerability scan on the network, OS and infrastructure, plus a dynamic application security scan on the web, application or equivalent systems. All of these will churn out the vulnerabilities and their severity levels.

There will be various such activities running to make up the whole assessment, which should also include penetration testing. Likely a compliance baseline is used in the mentioned scans to assess the level of compliance of the existing security controls in place and to enforce the necessary safeguards against overly exposed critical services and infrastructure connectivity.

If you notice, there is also the user assessment, which is the "awareness" check, e.g. sending a "phishing email" to verify vigilance and diligence in handling and alerting. The scope of the assessment also depends on the coverage of your segments, since there may be those for external and internal access, together with wired, wireless and mobile infrastructure too. The rules of engagement will need to ensure that all the scans, physical checks and compliance verification do not impact business operations or unintentionally bring down any critical service; you need management support and sanction before the go-ahead.

Eventually the report will sum up all of these and be presented. There must be a risk assessment at the very beginning, and eventually all threats and vulnerabilities leading to those risks are addressed. Most of the time, the intent is to say that the gap "close-up" is to use or upgrade certain perimeter, endpoint and server security designs and augment them with layered defenses (adding a web application FW, NGFW, SIEM, endpoint HIPS or DLP), but do not be overwhelmed, as it should not be a solution-driven assessment but a risk-driven one instead.

I suggest checking out this approach:
- Pre-engagement Interactions
- Intelligence Gathering
- Threat Modeling
- Vulnerability Analysis
- Post Exploitation
The coverage and scope of the assessment can include these below, where applicable and agreed on:

Bryant Schaper commented:
I would be hesitant to use Fortinet for your assessment; they are geared towards selling a product.

Do you have any legal requirements that are part of this: HIPAA, PCI, SOX, etc.?

I think you would be better served by contracting a security firm to handle this for you. Pen testing, while important, is not the end of a security assessment; many companies are subject to internal theft by employees, so the assessment needs to focus on internal security as well.
btan (Exec Consultant) commented:
Risk assessment - security design - security implementation - security acceptance testing - evaluation and review - regular resiliency and security checks and discovery: minimally, the project engagement starts and ends with a consistent secure lifecycle, and each phase can have sprint activities to confirm that each portion is checked.

In the context of threat assessment, I understand it is more of a self-discovery: do you know what you have as assets, "shadow IT" (undeclared type) assets, who the external and internal users are, what sort of e-services/applications are running in and out of the business premises via wired and wireless, etc.

Definitely, the Fortinet "offer" is just one instance or exposure. A more holistic approach is a consultancy that specifically covers the objective (e.g. compliance and certification, etc.) of your assessment: what are you trying to achieve as the outcome? Those mentioned so far are just means to the end; define the "ends".

Here is the sample (as expected on discovery):

I have written some past articles on discovery and objective-driven awareness and action plans, for your interest, e.g.:

Why change -
Set stage -'s-Hard-Truth-Setting-the-Stage.html
Action plan -'s-Hard-Truth-Call-for-Actions.html
One can run their own automated scanner instead of paying a salesman to run it.
btan (Exec Consultant) commented:
Even an online web scan is available if you are talking about a public web app/site you want to check from the "public" perspective. Most use this for PCI checks and crypto checks too,
...and also a URL check for malicious code, e.g.