Cybersecurity Risk Assessment Scoping

Cybersecurity Risk Assessment Scoping
Date

MonthDayYear
Overview
A Cybersecurity Risk Assessment (CRA) is a systematic process that evaluates an organization's IT environment for vulnerabilities and threats and assesses the potential impact of a security event. The goal of a cybersecurity assessment is to help an organization improve its security posture by identifying and addressing vulnerabilities and closing gaps in security controls. Our services and reporting options not only help you meet your compliance requirements and satisfy your auditing team but also enhance your security posture, benefiting your organization and clients. However, the goal is to find the right balance to provide a level of assessment matching a realistic threat without wasting time and resources. There are two (2) main factors we consider: 1. Optimum effort (time) required for the security assessment and 2. Client’s cybersecurity budget. The following four (4) sections will help develop the Scope of the CRA (https://mccoe.org/risk-assessments).
Organization
Website
Person of Contact

First NameLast Name
Position
Phone Number
Please enter a valid phone number.
Email
example@example.com
Address

Street Address

Street Address Line 2

CityState / Province

Postal / Zip Code

III. What is the scope of this engagement?
a. What are the primary business applications utilized by your organization?
(Email, Calendar, SaleForce, Etc.)

b. Network Vulnerability Assessment (NVA)
1. Number of IP addresses within the assessment
2. IP Ranges in Scope
3. IP Ranges Excluded from Scope
4. Domain Names in Scope
5. Domain Names Excluded from Scope
6. Number of Networks / VLANs in scope
7. How many total live systems are in scope (i.e. active IP addresses)?
Servers, PC/Laptops, Mobile Devices?
8. Are there any firewalls? Name brand?
If yes, will they be disabled during the scan?

d. Mobile Application
1. What operating system does the application runs on?
iOS, Android, HarmonyOS
2. Are there any security mechanisms enabled? If these mechanisms are enabled, would the client be able to provide an insecure build by disabling them?
For instance, Root/Jailbreak detection or SSL pinning.

f. Additional Coordination Info:
1. Does the client own all the target environments in scope? If not, has permission been granted by the owning parties?
2. Are there any MSPs, MSSPs, or other third parties who need to be made aware of the testing? Do we need to coordinate with them?
3. Do you have a Secure Site for uploads and reports?
Else use MCCoE?

IV. Understanding of Mission
a. What is the Organizational Mission?
b. Who are the internal Stakeholders?
c. Who are the External Stakeholders?
d. What is the Organizational Chain of Command?
e. What are the Lines of Communications? Is there a Governance Document Established?
f. What are the critical objectives, capabilities, services, and outcomes that stakeholders depend on or expect from the organization are understood and communicated?
g. Have you established Legal, Regulatory, and Contractual Requirements regarding Cybersecurity for your organization?
h. Have you established Cybersecurity Risk Objectives? If so, what are they?
i. Have you conducted previous assessments and Penetration Tests? If so, how did they go?

V. Time Scheduling

Note: Characterized in terms of overall time limitations of how many days/weeks/months the engagement will last as well as time schedules.
1) Requested Period of Engagement

Usually 4 – 8 Weeks
Beginning Date

MonthDayYear
NLT Ending Date

MonthDayYear
2. Are there any days and/or times that work best for In-Progress Report Meetings (IPRMs)?

Overview