Compliance Risk Assessments
Evaluate and treat risks related to in-scope assets
Stay up-to-date on risk assessment requirements
Risk assessments are required as part of many regulatory and contractual processes, and ISO 27005, NIST 800-30, PCI DSS all include specific practices for performing these assessments. Our risk assessments use specific practices for evaluating and treating risks related to in-scope assets. The ISO 27005 methodology aligns closely with the requirements of ISO 27001, while NIST SP 800-30 methodology is often used to support other federal requirements including NIST SP 800-53, NIST SP 800-171, CMMC, and HIPAA.
“Weaving risk, group theory, and adaptation with business strategy is one way we stand out.”Rockie BrockwayDirector of Advisory Innovations
Rockie Brockway
Director of Advisory InnovationsRockie's focus is on helping organizations strengthen their security posture by better aligning security with business needs and requirements.
Read Our Blog
Explore current cybersecurity topics on the TrustedSec Security Blog
Why Risk Assessments are Essential for Information Security Maturity
Introduction Many compliance frameworks require Information Security Risk Assessments, and some organizations may receive third-party requests for Risk…
Managing Privileged Roles in Microsoft Entra ID: A Pragmatic Approach
Introducing a custom model for understanding privileged roles in Microsoft Entra ID, developed by TrustedSecWhenever our team conducts a Hardening Review of…
Helpful Hints for Writing (and Editing) Cybersecurity Reports
When it comes to reading (and editing) (and proofreading) technical documents, it's important to remember that the details are key, and can make all the…
CMMC Subcontractors and Service Providers
Defense contractors are preparing their systems for the start of the upcoming CMMC rollout but what they may not have considered is how their relationship with…
Hack-cessibility: When DLL Hijacks Meet Windows Helpers
In preparation for a talk, Jason Lang (@curi0usJack) and I were doing at MCTTP about mining TTPs from VX-underground, we both ended up doing research based on…
Detecting Password-Spraying in Entra ID Using a Honeypot Account
Password-spraying is a popular technique which involves guessing passwords to gain control of accounts. This automated password-guessing is performed against…
There's More than One Way to Trigger a Windows Service
Service triggers can be a pentester’s secret weapon, letting low-priv users quietly fire up powerful services like Remote Registry and EFS. Learn how they can…
Skimming Credentials with Azure's Front Door WAF
Your Web Application Firewall (WAF) sees EVERYTHING. In this blog, we demonstrate how an attacker with access to Azure Front Door’s WAF and Log Analytics can…
PCI P2PE vs. E2EE – Scoping it Out
If your payment processor says they use “End-to-End Encryption” your PCI DSS compliance scope may be bigger than you expect. In this blog, we break down how…
HIPAA Applicability - Understanding the Security, Breach Notification, and Privacy Rules
In this blog, we explain how HIPAA’s Privacy, Security, Breach Notification, and Administrative Rules apply while clearing up common misunderstandings about…
Empower your business through better security design.
Talk directly with our experienced advisory consultants to learn how we can help.
