Vulnerability and Risk Assessment


Customized and Industry-Specific

We have experience performing compliance, vulnerability, and risk assessments throughout Canada, the United States, Mexico, and South America. We have reviewed organizations with one owner to 250,000+ employees in a variety of industries from health and government to manufacturing and Silicon Valley.

Our standard processes allow us to customize our approach for your specific needs. Although we can leverage our partially-automated and highly customizable vulnerability and risk assessment approach for nearly any industry and framework, we have already developed specific approaches for Information Management and Information Technology (IMIT) systems at the following organization types:

Health IMIT Assessments for Alberta and British Columbia.

Money services businesses


Publicly-Traded Companies

Private Companies




Our consulting services use consistent, automated, and efficient sub-processes. This allows ThreeShield to focus on your unique concerns and needs with an approach that is fully customizable yet very efficient. Although fully customizable, a typical engagement includes the following:

Phase 1: Find compliance and security vulnerabilities

  1. Initial scope discussion covering:
    • web sites and Internet-facing systems
    • networks, VPNs, and wireless systems
    • servers, workstations, virtual machines, and operating systems
    • established policies, standards, and procedures
    • business impact assessment, disaster recovery, business continuity plans, and backup processes
    • external systems and service providers
    • compliance needs
  2. Signed agreement with permission to perform vulnerability assessments.
  3. Internal and external vulnerability scans
  4. Partially-automated penetration tests
  5. Execution of proprietary configuration extraction scripts.
  6. Compliance assessment for:
    • PCI
    • NERC
    • privacy and personally-identifiable information (PII)
    • C-SOX and SOX financial statement controls
    • corporate policies
  7. Review of server, Active Directory, database, application, and cloud service configurations.
  8. Reporting at the level you need: from highly technical findings to executive risk statements and customer assurance.

Phase 2: Fix vulnerabilities with project and security management and hands-on support

We provide as much support to fix your security and compliance vulnerabilities as you need. Many companies have great IT teams that can take care of most changes. However, with competing priorities, they can often benefit from additional security and project management. Our most common services during this phase include:
  1. Chairing of a Security Council to ensure that senior leadership understands and prioritizes security and compliance needs among other critical business concerns.
  2. Security project management to ensure the success of security-related projects. We will oversee your whole security program and provide hands-on support as needed.
  3. Documentation and improvement of critical policies, business impact assessments, disaster recovery plans, business continuity processes, and other regulatory needs.
  4. Training, including phishing simulations, OWASP developer training, PCI and NERC CIP-004 compliance, and other job-specific training requirements.

Phase 3: Ongoing training and monitoring

Once the high-priority items are in place, we provide:
  1. Monthly phishing simulations with additional training during peak phishing seasons.
  2. Annual security awareness training.
  3. On-demand solutions for security design and configuration problems.
  4. Continuous monitoring of emerging threats, missing patches, and configuration problems.
  5. Annual updates to disaster recovery and business continuity plans, business impact assessments, and other living documents.




As the Chief Compliance Officer of a payments entity, I have relied on ThreeShield Information Security to provide risk-based solutions that have satisfied regulators and business partners alike. While our Money Services Business is unique in that it supports commerce within virtual worlds and video game environments, the security standards that we have to meet are the same as they would be for any regulated financial institution.

ThreeShield has employed a dynamic, risk-based approach to information security that is specific to our business needs but also provides comfort to our external stakeholders.

I recommend their services.

-Scott Butler, CCO of Tilia Inc.


ThreeShield Information Security has provided customized IT security tools and consulting to organizations of all sizes, including the following:
1-Page  •   Carrier Corporation  •   Computer Sciences Corporation  •   Deloitte  •   Ernst & Young  •   First Gulf Bank  •   Government of Alberta  •   Hamilton Sundstrand Corporation  •   Hurricane Computer Solutions  •   International Aero Engines  •   KPMG  •   Linden Research (Linden Lab)  •   NASA  •   Note-able Music  •   NORESCO  •   Otis Elevator Company  •   Plateau Systems  •   Pratt & Whitney  •   Red Link SA (Argentina)  •   Segurança da Informação e Conformidade  •   Sikorsky Aircraft Corporation  •   Tilia Inc  •   TOOT'n TOTUM  •   Towers Watson  •   United Technologies Corporation  •   Universidade de São Paulo  •   UTC Power  •   Whitecap Resources Inc