Compliance Risk Assessments
Evaluate and treat risks related to in-scope assets
Stay up-to-date on risk assessment requirements
Risk assessments are required as part of many regulatory and contractual processes, and ISO 27005, NIST 800-30, PCI DSS all include specific practices for performing these assessments. Our risk assessments use specific practices for evaluating and treating risks related to in-scope assets. The ISO 27005 methodology aligns closely with the requirements of ISO 27001, while NIST SP 800-30 methodology is often used to support other federal requirements including NIST SP 800-53, NIST SP 800-171, CMMC, and HIPAA.
“Weaving risk, group theory, and adaptation with business strategy is one way we stand out.”Rockie BrockwayDirector of Advisory Innovations
Rockie Brockway
Director of Advisory InnovationsRockie's focus is on helping organizations strengthen their security posture by better aligning security with business needs and requirements.
Read Our Blog
Explore current cybersecurity topics on the TrustedSec Security Blog
Why Risk Assessments are Essential for Information Security Maturity
Introduction Many compliance frameworks require Information Security Risk Assessments, and some organizations may receive third-party requests for Risk…
Building a Detection Foundation: Part 4 - Sysmon
Filling the Gaps Native Logging Can'tAt this point in our series, we have Windows Security events capturing logon sessions and process creation, and…
Full Disclosure: A Third (and Fourth) Azure Sign-In Log Bypass Found
Invisible password sprays. Invisible logins. Full tokens returned.Nyxgeek here. It's 2026 and I've got two more Azure Entra ID sign-in log bypasses…
Better Together: Combining Automation and Manual Testing
When I started working in mobile application security in 2018, most testing was still largely manual. Since then, the ecosystem has exploded with scanners,…
LnkMeMaybe - A Review of CVE-2026-25185
A Windows shortcut (.lnk) seems very simple on the surface. It is a file that points somewhere and tells the system to open or execute a resource. A shortcut…
Building a Detection Foundation: Part 3 - PowerShell and Script Logging
The Second Most Important Data Source You're Probably Not CapturingIn Part 2, we enabled process creation logging with command lines. That's a big…
Building a Detection Foundation: Part 2 - Windows Security Events
The Audit Policies Nobody ConfiguresIn Part 1, we looked at why relying on a single telemetry source is a recipe for blind spots. Now let's get practical.…
Building a Detection Foundation: Part 1 - The Single-Source Problem
The Uncomfortable Truth About Your Telemetry Let me start with an observation that might hit close to home. In my years working Incident Response cases and…
Notepad++ Plugins: Plug and Payload
Notepad++ has been in the news recently for a breach of infrastructure associated with the Notepad++ updater. This attack may have allowed an adversary to…
Updated GSA Contractor CUI Protection Requirements
CMMC has been getting much of the Controlled Unclassified Information (CUI) attention lately due to the size of the defense industrial base, but General…
Empower your business through better security design.
Talk directly with our experienced advisory consultants to learn how we can help.
