If you have questions or need support, contact the BALLAST support team.
Our team is made up of seasoned, certified professionals who live in this risk assessment domain every day. We are available for pre-sales consultation and even after the sale to make sure that BALLAST is meeting your needs. BALLAST is designed to be useable “out of the box,” but sometimes our clients still need some assistance. Contact us at firstname.lastname@example.org.
I’d like to use the product to gauge my compliance with an industry regulation such as HIPAA, PCI, or the FFIEC security requirements. Can I do that with BALLAST?
BALLAST is first and foremost a risk assessment and remediation tracking tool. However, each assessment is done within a specific threat and control set context. Customers can select pre-defined control libraries or create their own to suit their needs. While the tool will report risks at the threat level, remediation (if needed) is generated at the control statement level. As such, any gaps between a regulatory standard or control framework would result in a remediation task that could be tracked and used a gauge of the state of compliance or adherence to a standard or framework. If you have something particular in mind, we would love to talk to you about it to see if we can help.
I already know I have risks. What can BALLAST really do for me?
No doubt some of our risk awareness is intuitive. Having a structured approach, however, helps us make sure we are not missing anything. As the question implies, simply knowing about risk and doing nothing about it, is pretty much a waste of time. That’s why we’ve built robust remediation generation, delegation, and tracking into BALLAST. You can define your risk tolerance (e.g. how risky something needs to be before the BALLAST generates a remediation activity) and then delegate remediation to individuals in your organization. You can also assign due dates, have the system automatically send email reminders, and report on all of the remediation tasks and their status. This moves you beyond just assessing risks, into true risk management.
Where did the name “BALLAST” come from?
Great question. BALLAST is a nautical term. It’s the material that helps a ship maintain stability as it traverses the ocean (which can get stormy from time to time). We thought that was a good metaphor for a risk assessment – it helps bring stability and a foundation to your security program, even in times of turbulence.
Who develops and maintains BALLAST?
BALLAST was originally a collaborative effort between a very large public company with compliance mandates to perform regular risk assessments across a number of their facilities/locations and their business partner (i.e. us – the BALLAST team). The idea was such a hit that we both agreed it should be available to the masses. As security and IT audit professionals, we’ve been doing risk assessments for decades and seen our clients struggle to keep up with these tasks on spreadsheets. The time was right, and BALLAST was born. Our firm has been around since 1984 and we are here to stay. BALLAST is continuously being updated with new features and functionality to better serve our current and future clients.
How long will it take me to do a risk assessment with BALLAST?
It really depends on the size of your organization and the scope you determine. For instance, if you are just assessing or a single location, or maybe even a single application, you can probably work through the process in several hours. If your scope is large (e.g. enterprise assessment) you will probably need several weeks to deploy everything to the appropriate process and system owners and monitor their progress on completing their portion of the assessment.
Is BALLAST complicated to use?
One of the biggest benefits of BALLAST is ease of use. This is especially true for those who must answer assessment questions, which are presented in a very intuitive interface. As a customer, you will assign an administrator to create assessments and assign them to locations and users. Whether one person is doing it all, or assessment activities are delegated over dozens or hundreds of users, the process is an easy one.
What control frameworks are used in BALLAST?
BALLAST has available control libraries based on NIST Cybersecurity Framework, NIST 800-53, PCI, and HIPAA Security Rule. BALLAST customers have the ability to modify those public libraries to create their own, or start from scratch to build a control library that meets their needs. All controls must be mapped to threats in order to support the risk management objectives of the tools. A comprehensive taxonomy (list) of threats is also part of the tool.
Is BALLAST secure?
BALLAST was designed with security in mind. The application is hosted in Amazon Web Services GovCloud environment (their most secure). Data is encrypted at rest and in transit. In fact, we leverage two-factor authentication for access to the BALLAST site.
Will BALLAST satisfy my regulatory and audit requirements for risk assessments?
Almost every control framework and regulatory standard for information security these days mandate a risk management process to include a risk assessment. Because we have developed BALLAST around generally accepted standards (e.g. NIST), the approach you will follow, and the reports you can provide auditors and regulators should be spot on. As an example, BALLAST’s methodology supports all of the elements described in the Department of Health and Human Services Office of Civil Rights guidance for performing risk assessments. Many of our healthcare clients use BALLAST to support their obligations under HIPAA and Meaningful Use.
Is BALLAST a true risk assessment or just a controls-based assessment?
BALLAST is a true risk assessment platform. Our underlying framework leverages NIST standards for risk assessments as published in NIST SP 800-30. Using BALLAST, you will consider threats, vulnerabilities, likelihood, and impact to determine risks associated with a set of threat events. Controls do come into play in a big way because they help frame how vulnerable you might be to one or more threats.