IT Security Risk Assessment for Raleigh-Durham Businesses

Identify threats. Quantify risk. Build a defensible security posture. Petronella Technology Group delivers IT security risk assessments aligned to NIST SP 800-30 and NIST RMF for organizations across the Research Triangle -- from defense contractors to healthcare systems to financial services firms.

What Is an IT Security Risk Assessment?

An IT security risk assessment is a structured, repeatable process for identifying, analyzing, and prioritizing the risks that threaten your organization's information systems, data, and operations. Unlike a simple vulnerability scan that produces a list of technical weaknesses, a risk assessment contextualizes each finding by evaluating the likelihood that a specific threat actor will exploit a given vulnerability and the impact that exploitation would have on the confidentiality, integrity, and availability of your critical assets.

The output is not a raw list of CVEs. It is a ranked inventory of business risks -- each tied to a threat source, a vulnerability, a likelihood rating, an impact rating, and a calculated risk level. This risk register becomes the foundation for every security investment decision your organization makes, giving leadership the data they need to allocate budget where it reduces the most risk per dollar spent.

NIST Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments, defines the canonical methodology that PTG follows. The process fits within the broader NIST Risk Management Framework (RMF), which maps risk assessment activities to the Categorize, Assess, and Monitor steps of the system development life cycle. For organizations pursuing CMMC, HIPAA, SOC 2, PCI DSS, or ISO 27001 compliance, the risk assessment is not optional -- it is an explicit requirement embedded in every one of those frameworks.

Why Your Organization Needs a Risk Assessment

Every compliance framework mandates it. Every cyber insurance underwriter asks for it. Every breach post-mortem reveals that the organization either skipped it or conducted one that was superficial. The risk assessment is the single most consequential security activity your organization can perform, and here is why.

Regulatory survival. HIPAA's Security Rule (45 CFR 164.308(a)(1)(ii)(A)) requires covered entities to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information." The Office for Civil Rights has imposed multi-million-dollar fines on healthcare organizations that failed to perform adequate risk assessments. CMMC Level 2 maps to all 110 controls in NIST SP 800-171, and control RA.L2-3.11.1 explicitly mandates periodic risk assessments. SOC 2 Trust Services Criteria CC3.2 requires risk identification and analysis. PCI DSS Requirement 12.2 requires a formal risk assessment at least annually.

Insurance qualification. Cyber insurance carriers have tightened underwriting standards dramatically. Applications now ask whether your organization has completed a risk assessment within the past twelve months, what framework you followed, and whether you have a remediation plan for identified risks. Organizations that cannot answer yes face higher premiums or outright denial of coverage.

Budget justification. Security teams competing for budget against revenue-generating departments need more than fear-based arguments. A risk assessment provides quantifiable data: this vulnerability on this asset has a high likelihood of exploitation by this threat actor and would produce this level of business impact. That data turns a vague request for "more security spending" into a defensible business case.

Defense supply chain. The Department of Defense has made it clear that organizations handling Controlled Unclassified Information (CUI) must demonstrate a mature risk management program. For defense contractors and their subcontractors across the Raleigh-Durham corridor and Fort Liberty area, risk assessment is the entry ticket to winning and retaining contracts.

Our Assessment Methodology

PTG's risk assessment methodology is directly aligned to NIST SP 800-30 Revision 1 and operates within the NIST Risk Management Framework. We do not invent our own scoring systems or create proprietary matrices that obscure the logic behind risk ratings. We use the published NIST guidance because it is peer-reviewed, widely accepted by regulators and auditors, and produces results that map cleanly to any compliance framework your organization needs to satisfy.

The NIST SP 800-30 methodology defines risk as a function of three variables: the threat source and its characteristics (capability, intent, and targeting), the vulnerability and its severity, and the predisposing conditions that affect the likelihood that the vulnerability will be exploited. PTG evaluates each of these variables using a semi-quantitative approach that assigns ordinal values to likelihood and impact, then calculates the resulting risk level using the likelihood-impact matrix prescribed in Table I-2 of NIST SP 800-30.

Threat modeling is where most assessments fail. Automated scanners do not model threats -- they report vulnerabilities without context. PTG identifies the specific threat actors relevant to your industry, geography, and data types. A healthcare organization in the Research Triangle faces different threat actors than a defense subcontractor. A financial services firm managing high-net-worth accounts faces different threat actors than a SaaS startup. We catalog threat sources (adversarial, accidental, structural, and environmental), assess their capability and intent, and map them to the specific vulnerabilities we discover in your environment.

Residual risk calculation accounts for the controls you already have in place. Raw risk assumes no controls exist. Residual risk reflects the actual risk level after your current security controls are applied. This distinction matters because it tells you which controls are working, which are insufficient, and where new controls are needed. PTG documents both raw and residual risk for every finding, giving your leadership team a clear before-and-after view of your security posture.
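The likelihood-impact lookup and the raw-versus-residual calculation described above (and revisited in the FAQ) as an added Python illustration; this is not PTG's own tooling. The matrix values follow Table I-2 of NIST SP 800-30 Rev. 1, while the rule that each existing control lowers a rating by a fixed number of steps, and the sample findings, are assumptions made for the example.

```python
"""Worked NIST SP 800-30 Rev. 1 risk-level lookup with raw and residual risk.

Added illustration. Matrix values are transcribed from Table I-2; the
step-down model for control effectiveness is an assumption of this example.
"""
from dataclasses import dataclass, field

# Ordinal scale shared by both axes of the matrix (index 0 = Very Low).
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Table I-2: rows are likelihood, columns are impact, both in LEVELS order.
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


def risk_level(likelihood: str, impact: str) -> str:
    """Combined risk level for one likelihood/impact pair."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


def step_down(level: str, steps: int) -> str:
    """Lower a rating by `steps` positions, never below Very Low."""
    return LEVELS[max(0, LEVELS.index(level) - steps)]


@dataclass
class Control:
    """An existing safeguard and the rating reduction it earns (assumed model)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Finding:
    threat_source: str
    vulnerability: str
    likelihood: str  # raw rating, assuming no controls are in place
    impact: str      # raw rating, assuming no controls are in place
    controls: list[Control] = field(default_factory=list)

    def raw_risk(self) -> str:
        return risk_level(self.likelihood, self.impact)

    def residual_risk(self) -> str:
        lik = step_down(self.likelihood, sum(c.likelihood_reduction for c in self.controls))
        imp = step_down(self.impact, sum(c.impact_reduction for c in self.controls))
        return risk_level(lik, imp)


def build_register(findings: list[Finding]) -> list[tuple[str, str, str]]:
    """(vulnerability, raw, residual) rows, highest residual risk first."""
    rows = [(f.vulnerability, f.raw_risk(), f.residual_risk()) for f in findings]
    return sorted(rows, key=lambda r: LEVELS.index(r[2]), reverse=True)


# Constructed sample findings, not real client data.
SAMPLE_FINDINGS = [
    Finding("External criminal group", "Unpatched VPN appliance", "High", "Very High",
            [Control("MFA on VPN", likelihood_reduction=1),
             Control("Segmented CUI enclave", impact_reduction=1)]),
    Finding("Careless insider", "Shared admin password", "Moderate", "High"),
    Finding("Environmental", "Server room lacks fire suppression", "Low", "High",
            [Control("Offsite backups tested quarterly", impact_reduction=2)]),
]

if __name__ == "__main__":
    for vuln, raw, residual in build_register(SAMPLE_FINDINGS):
        print(f"{vuln:36} raw={raw:9} residual={residual}")
```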

What We Evaluate

Our assessment scope covers the seven domains that together constitute your organization's complete attack surface. Each domain is evaluated against the applicable controls from NIST SP 800-53, NIST SP 800-171, and the specific compliance frameworks relevant to your organization.

Network Security

Perimeter defenses, internal segmentation, firewall rule sets, intrusion detection and prevention systems, DNS security, wireless network controls, and traffic analysis. We evaluate whether your network architecture limits lateral movement and contains blast radius in the event of a breach.

Access Controls

Identity and access management (IAM), multi-factor authentication deployment, privileged access management, role-based access control enforcement, account lifecycle management, and session controls. We verify that the principle of least privilege is implemented, not just documented.

Data Protection

Data classification, encryption at rest and in transit, data loss prevention (DLP), backup integrity, retention and disposal policies, and key management practices. For organizations handling ePHI, CUI, PII, or cardholder data, we map controls to the specific data protection requirements of the relevant framework.

Endpoint Security

Endpoint detection and response (EDR), patch management cadence, application whitelisting, removable media controls, mobile device management, and host-based firewall configuration. We assess whether your endpoints would survive common attack chains including phishing-to-lateral-movement scenarios.

Cloud Security

Cloud configuration review across Microsoft 365, Azure, AWS, and Google Cloud environments. We evaluate identity federation, conditional access policies, storage bucket permissions, logging and monitoring, and shared responsibility model alignment. Misconfigurations in cloud environments are now the leading cause of data exposure incidents.

Physical Security

Facility access controls, visitor management, server room protections, environmental controls, surveillance systems, and asset disposal procedures. Physical security is often the most neglected domain, yet it is explicitly required by NIST SP 800-171 (control family 3.10) and HIPAA's physical safeguards.

Policies and Procedures

Security policies, incident response plans, business continuity and disaster recovery plans, acceptable use policies, change management procedures, vendor risk management, and employee security awareness programs. We review not just whether policies exist but whether they are current, enforceable, communicated to staff, and actually followed. An incident response plan that has never been tested in a tabletop exercise provides a false sense of readiness. A password policy that is documented but not enforced by technical controls is security theater.

Assessment Deliverables

Every PTG risk assessment produces a comprehensive deliverable package designed for two audiences: technical teams who need actionable remediation guidance, and executive leadership who need risk-informed decision support.

  • Executive Summary: A plain-language overview of your organization's risk posture, the most critical findings, and the recommended strategic priorities. Written for board members, C-suite executives, and non-technical stakeholders.
  • Risk Register: A complete inventory of identified risks, each with a defined threat source, vulnerability, likelihood rating, impact rating, raw risk level, existing controls, and residual risk level. The register uses the NIST SP 800-30 likelihood-impact matrix for consistent, defensible scoring.
  • Vulnerability Detail Report: Technical findings with severity ratings (CVSS where applicable), affected assets, evidence and reproduction steps, and specific remediation instructions.
  • Compliance Gap Matrix: A control-by-control mapping showing your current implementation status against the requirements of your target framework (CMMC, HIPAA, NIST 800-171, SOC 2, PCI DSS, or others). Each gap is cross-referenced to the risk register.
  • Prioritized Remediation Roadmap: A phased action plan that sequences remediation activities by risk reduction value and implementation effort. Quick wins are separated from strategic initiatives so your team can show progress immediately while planning larger improvements.
  • Threat Landscape Briefing: An analysis of the threat actors most relevant to your industry and geography, including current tactics, techniques, and procedures (TTPs) mapped to the MITRE ATT&CK framework.

Compliance Coverage

Risk assessments are not just a best practice -- they are an explicit, auditable requirement in every major compliance framework. PTG structures each assessment to satisfy the risk assessment requirements of the frameworks relevant to your organization, so the output serves double duty as both a security improvement tool and a compliance artifact.

Frameworks covered: CMMC 2.0, NIST SP 800-171, HIPAA, SOC 2 Type II, PCI DSS, ISO 27001, FTC Safeguards, GDPR.

CMMC: The Cybersecurity Maturity Model Certification requires organizations in the defense supply chain to demonstrate risk management practices. At Level 2, control RA.L2-3.11.1 requires periodic risk assessments, and control RA.L2-3.11.2 requires vulnerability scanning. PTG's assessment satisfies both controls and produces artifacts that can be presented during a CMMC assessment. For defense contractors throughout the Triangle and the Fort Liberty corridor, this is a contract-retention requirement.

HIPAA: The Security Rule mandates that covered entities and business associates conduct risk assessments of ePHI environments. The Office for Civil Rights considers the absence of a current risk assessment to be one of the most serious compliance deficiencies. Healthcare organizations in the Triangle -- from large health systems like Duke Health, UNC Health, and WakeMed to small medical practices and dental offices -- face this requirement regardless of size.

SOC 2: Trust Services Criteria CC3.2 requires organizations to identify risks that could affect the achievement of their service commitments. CC3.3 requires the assessment of fraud risk. PTG's risk assessment maps findings directly to the SOC 2 criteria, producing evidence that your auditor can rely on during the examination.

PCI DSS: Requirement 12.2 mandates a formal risk assessment at least annually and upon significant changes to the cardholder data environment. Our assessment identifies risks to cardholder data and evaluates the controls protecting it, providing the documentation needed for PCI DSS validation.

Our Risk Assessment Process

PTG follows a seven-phase methodology derived from NIST SP 800-30 and adapted for the operational realities of mid-market organizations. Each phase has defined inputs, activities, and outputs that ensure rigor and repeatability.

1. Scope Definition: Define system boundaries, identify stakeholders, confirm compliance targets, and establish risk tolerance levels with leadership.

2. Asset Inventory: Catalog hardware, software, data repositories, cloud services, network segments, and personnel. Assets are classified by criticality and data sensitivity.

3. Threat Identification: Identify adversarial, accidental, structural, and environmental threat sources. Map threat actors to your industry, geography, and data types using threat intelligence.

4. Vulnerability Analysis: Conduct authenticated vulnerability scanning, configuration reviews, policy assessments, and manual testing to identify exploitable weaknesses across all seven evaluation domains.

5. Risk Calculation: Assign likelihood and impact ratings using the NIST SP 800-30 semi-quantitative scale. Calculate raw risk, apply existing controls, and determine residual risk for each finding.

6. Mitigation Planning: Develop a prioritized remediation roadmap with cost-benefit analysis, implementation timelines, and responsible parties for each risk treatment decision.

7. Report and Brief: Deliver the complete assessment package and conduct stakeholder briefings for executive leadership and technical teams. PTG is available for follow-up questions.

Why Petronella Technology Group

Petronella Technology Group has served businesses across Raleigh, Durham, Chapel Hill, Cary, Apex, and the Research Triangle since its founding in 2002. With BBB accreditation since 2003 and more than 2,500 clients served over more than two decades, PTG has the operational maturity and technical depth that risk assessments demand.

CEO Craig Petronella is a Licensed Digital Forensic Examiner, CMMC Certified Registered Practitioner (CRP), and MIT-certified professional in cybersecurity, AI, blockchain, and compliance. He brings over 25 years of hands-on experience in threat investigation, forensic analysis, and compliance consulting. Craig has authored multiple books including How HIPAA Can Crush Your Medical Practice, How Hackers Can Crush Your Law Firm, and The Ultimate Guide To CMMC, and has been featured on ABC, CBS, NBC, FOX, and WRAL as a cybersecurity expert. He provides expert witness testimony and forensic consulting for attorneys across North Carolina.

PTG holds certifications including CCNA, MCNS, and Microsoft Cloud Essentials. Our team specializes in CMMC 2.0, NIST 800-171/172/173, HIPAA, FTC Safeguards Rule, SOC 2 Type II, PCI DSS, GDPR, CCPA, and ISO 27001 compliance. Our forensic capabilities span endpoint and network cybercrime investigation, data breach forensics, ransomware analysis, data exfiltration investigation, cryptocurrency and blockchain analysis, and SIM swap fraud investigation.

When you engage PTG for a risk assessment, you get more than a report. You get a partner who understands your regulatory obligations, knows the threat landscape specific to your industry, and has the remediation capability to help you close the gaps we identify. Our managed IT services and cybersecurity teams can handle implementation end-to-end if your organization needs support beyond the assessment itself.


Frequently Asked Questions

How is a risk assessment different from a vulnerability scan?

A vulnerability scan is an automated tool that identifies known technical weaknesses in systems and software. It outputs a list of CVEs and misconfigurations ranked by CVSS severity. A risk assessment is a fundamentally different exercise. It incorporates vulnerability scan results as one input, but then layers on threat modeling, asset valuation, likelihood analysis, impact analysis, and control effectiveness evaluation to produce a risk-ranked register of business risks. A vulnerability scan tells you that a server is missing a patch. A risk assessment tells you whether a specific threat actor is likely to exploit that missing patch, what the business consequences would be, and how that risk compares to the other risks in your environment. Every compliance framework that requires a risk assessment explicitly distinguishes it from vulnerability scanning.

How long does a risk assessment take?

The duration depends on the size and complexity of your environment. For a small to mid-sized business with 25 to 100 employees, a single office location, and a relatively straightforward IT environment, the assessment typically takes two to four weeks from kickoff to final report delivery. Larger organizations with multiple locations, complex network architectures, multi-cloud environments, or extensive compliance requirements may require four to eight weeks. The initial scoping call establishes the timeline based on your specific environment and objectives.

Is a risk assessment required for HIPAA compliance?

Yes. The HIPAA Security Rule at 45 CFR 164.308(a)(1)(ii)(A) requires covered entities and business associates to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate." The Office for Civil Rights (OCR) has consistently identified failure to conduct a risk assessment as one of the most common and most serious HIPAA violations. OCR has imposed fines exceeding one million dollars on organizations that lacked a current, comprehensive risk assessment. Healthcare organizations throughout the Research Triangle -- including those affiliated with Duke Health, UNC Health, WakeMed, and independent practices -- are subject to this requirement.

What is a likelihood-impact matrix and how does it work?

A likelihood-impact matrix is the core analytical tool in the NIST SP 800-30 risk assessment methodology. It is a two-dimensional grid where one axis represents the likelihood that a threat event will occur (rated on a scale from Very Low to Very High) and the other axis represents the impact that the threat event would have on the organization (also rated from Very Low to Very High). Each identified risk is plotted on the matrix based on its assessed likelihood and impact ratings, producing a combined risk level. For example, a threat event with High likelihood and Moderate impact would produce a different risk level than one with Low likelihood and Very High impact. The matrix ensures that risk ratings are consistent, transparent, and defensible -- critical properties when the results will be reviewed by auditors, regulators, or insurance underwriters.

What is residual risk and why does it matter?

Residual risk is the risk that remains after your organization has applied its existing security controls. It is calculated by taking the raw (inherent) risk -- the risk level assuming no controls are in place -- and adjusting it downward based on the effectiveness of the controls currently protecting the asset. Residual risk matters because it represents your actual exposure. An organization might have a high raw risk associated with a particular vulnerability, but if strong compensating controls reduce the likelihood or impact of exploitation, the residual risk may be acceptable. Conversely, a moderate raw risk with weak or absent controls may produce a residual risk that requires immediate attention. PTG documents both raw and residual risk for every finding so leadership can see which controls are providing value and where gaps need to be closed.

Do we need a risk assessment for CMMC certification?

Yes. CMMC Level 2 incorporates all 110 security requirements from NIST SP 800-171, including the Risk Assessment (RA) control family. Control RA.L2-3.11.1 requires organizations to "periodically assess the risk to organizational operations, organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of CUI." Control RA.L2-3.11.2 requires scanning for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities are identified. For defense contractors and their supply chain partners across the Triangle and the Fort Liberty area, a current risk assessment is a prerequisite for achieving CMMC certification and maintaining eligibility for DoD contracts.

What qualifications does PTG have for conducting risk assessments?

PTG has been conducting risk assessments for businesses across North Carolina since 2002. CEO Craig Petronella is a Licensed Digital Forensic Examiner, a CMMC Certified Registered Practitioner (CRP), and holds MIT certifications in cybersecurity, AI, blockchain, and compliance. He has over 25 years of experience and has served as an expert witness in cybercrime and compliance cases. PTG holds CCNA, MCNS, and Microsoft Cloud Essentials certifications, has maintained BBB accreditation since 2003, and has served more than 2,500 clients. Our methodology is aligned to NIST SP 800-30 and NIST RMF, and our assessments produce audit-ready artifacts for CMMC, HIPAA, SOC 2, PCI DSS, ISO 27001, and other frameworks.

Can PTG help remediate the issues found during the assessment?

Yes. PTG offers complete remediation services including technology implementation, security architecture design, policy and procedure development, employee security awareness training, and ongoing managed security services. Many organizations prefer to engage PTG for both assessment and remediation because it eliminates the handoff overhead between separate vendors and ensures that the team implementing fixes has full context from the assessment findings. Our managed IT services team can also provide ongoing monitoring and maintenance to sustain the security improvements over time.

How much does an IT security risk assessment cost?

The cost of a risk assessment depends on the size and complexity of your environment, the number of locations, the compliance frameworks in scope, and the depth of testing required. PTG provides a detailed proposal after an initial scoping call where we understand your environment, objectives, and regulatory obligations. We are transparent about pricing and will never add hidden charges. Contact us at 919-348-4912 or through our website to schedule a scoping call and receive a proposal tailored to your organization.

What industries do you serve in the Raleigh-Durham area?

PTG serves organizations across all industries in the Research Triangle, with particular depth in healthcare (HIPAA), defense contracting (CMMC and NIST 800-171), financial services (SOC 2, PCI DSS, and GLBA), legal services, technology and SaaS companies, manufacturing, government agencies, nonprofits, and professional services firms. The Triangle's concentration of healthcare institutions, defense contractors, financial services firms, and technology companies creates a regulatory landscape where risk assessments are not optional -- they are a cost of doing business.

Know Your Risk. Protect Your Business.

Contact Petronella Technology Group to schedule your IT security risk assessment. We will scope the engagement, provide transparent pricing, and deliver the actionable intelligence your organization needs to reduce risk and achieve compliance.

Call 919-348-4912 to schedule your assessment.

5540 Centerview Dr., Suite 200, Raleigh, NC 27606