Your facilities exist in a threat environment that is changing constantly. But threat likelihood is only one piece of the picture. To build your baseline risk picture we will use a threat profile like the one pictured below. We start with overall prevalence of incidents and required knowledge and materials to commit an attack to score threat categories on a relative scale.

Beyond Baseline: Your threat profile can then be updated, at any frequency, independent of there rest of your foundational inputs. This instantly puts any “red flag” in context and shows you whether you are vulnerable to that isolated example or rising trend.

Your threat profile can be automated as well in response to manually entered incident reports, integration with your existing incident reporting system, or open source threat intelligence sources.

Learn more about automating your risk assessment in response to incidents in the Quill Wiki.

To elevate your Threat Assessment or Vulnerability Assessment to look at RISK you must consider your assets. Assets are those people, infrastructure, material, equipment, and information that allow your organization to achieve it’s mission.

To build your baseline risk picture we gather initial information about the most common and most critical assets at each facility. Assets are rated for 3 types of criticality: Operational, Symbolic and Financial.

Assets can be added, removed and edited independent of the rest of your risk picture, making it easy to gain new insight when changes to your staff or supply chain happen.

Beyond Baseline: Some assets are tracked closely in ERP, Inventory or Access Management systems. Quill can integrate with available systems to make sure your understanding of business impact is based on the most accurate information.

Auditing the security program already in place can be a daunting task. Quill has made it simple by building out a predefined library of policies, technologies and processes that mitigate risk. Each measure in Quill has clear definitions around capability so you can clearly evaluate if your site does or does not have the capability, or whether you need to go beyond baseline.

Beyond Baseline: Because many security controls are reliant on people, they can change with the time of day, day of the week, level of maintenance, times since last training. Quill can incorporate validation schedules to make sure you are maximizing your existing resources.

Quill uses your data to make powerful recommendations for maturing your security level and reducing your Quill Score.

Quill associates the cost of your security program line items with the risk reduced to give you powerful insight into cost-efficacy.

Risk to Budget reports and KPIs can then rollup to the department or organizational level to provide broad guidance, or targeted insight.