Every major security framework and regulatory mandate lists an information security risk assessment as a key part of a broader risk management process. Not only is risk assessment foundational to a good security program; it’s an absolute must for compliance with most industry and government standards. While many firms perform “in-person” risk assessments for organizations, LBMC Information Security has developed a cloud-based SaaS risk assessment and management tool that automates and simplifies the process while also taking it to the next level. As Mark Fulford, a Shareholder in LBMC’s Information Security Group, explains, “BALLAST helps organizations automate their risk assessments, create and track remediation activities, and provide real-time reporting through intuitive dashboards while engaging multiple stakeholders. The end result allows organizations to move beyond expensive, consultant-driven static risk assessments to a true risk management platform, which frees up time and money to improve the maturity and effectiveness of their security program. With BALLAST, we’ve created an efficient, effective way for our clients to perform risk assessments themselves and get actionable, real-time data as a result.”
BALLAST was designed with knowledge gained from hundreds of risk assessments, as well as guidance from national and international standards-making bodies including NIST, HIPAA, and ISO. The result is a tool that streamlines the assessment process and eliminates bottlenecks associated with manual approaches. Users can define the business units, facilities, and other information systems assets to be included in the risk assessments. Then, clients can select the threat model suitable for their business. For instance, if a healthcare organization has protected health information and HIPAA requirements, then BALLAST can account for that in the risk analysis.
BALLAST’s intuitive dashboards provide real-time feedback on assessment activities and risk levels. Reporting can be configured to support single entity panels or more robust views for organizations with multiple operating units. On the macro level, businesses can view their risk levels by location and show business units where they stand relative to peers. The reports show overall threat level risk scores as well as detailed risk rankings. With automated remediation tracking, BALLAST allows users to see the scope of the assessment and progress of cleanup activity. Remediation items can be prioritized, and responsibility can be delegated and tracked. One-click compliance reporting provides a fully-formulated, current risk assessment report in seconds.
As Fulford points out, most firms lack the internal expertise to perform the highly technical aspects of information security risk assessments; BALLAST acts as a force multiplier at a much lower cost than hiring experts externally. Just one example of the product’s capabilities is a hospital management company that was performing risk assessments required by HIPAA and meaningful use. The client used spreadsheets to compile data from various locations, which was cumbersome and inconsistent, leading to inaccurate reports. By using BALLAST, the client was able to perform over 70 risk assessments within weeks and consolidate the data, providing actionable findings for the security team. The BALLAST solution helped the client track remediation items, ensuring a decrease in risk profiles. “The client also took advantage of regional reporting capabilities that allowed them to compare the performance of one region with another,” explains Fulford.
LBMC is set to venture into new areas with its BALLAST platform, such as third-party vendor management and broader integration with LBMC’s existing managed services offerings. As Fulford points out, “Today, many organizations are under pressure to improve the quality and maturity of their security programs and meet regulatory requirements, but they struggle with identifying where to place priority. BALLAST helps meet these challenges.”
“BALLAST is LBMC’s newest product in a suite of robust cloud-based services that will meet the evolving demands of our clients and their risk management needs.”