Security Risk Assessments (SRA)

Most industries have regulatory requirements for security, and a key compliance facet is for an organization to complete a Security Risk Assessment of its security program, leadership, teams, policies, procedures, infrastructure, culture, and initiatives. BluTinuity has deep experience evaluating the current state against Information Security Frameworks for compliance, such as the HIPAA Security & Privacy Rules, NIST Cybersecurity Framework, ISO 27000, AICPA SOC-2 Trust Services Criteria, and the State of New York Cybersecurity Requirements.

We can provide an assessment that is right-sized for your organization and may include the following aspects:

  • NIST Cybersecurity Framework Assessment

  • HIPAA Security Risk Assessment

  • HIPAA Privacy Rule Assessment 

  • SOC-2 Trust Services Criteria Readiness Assessment

  • NIST SP800-53 Controls Assessment

  • NIST SP800-171 Controls Assessment

  • FIPS-199 Potential Impact Assessment

  • FIPS-200 Minimum Security Requirements for Information Systems Assessment

  • Compliance Readiness Assessment Against State Cybersecurity, Data Privacy, and Data Breach Requirements

  • Review of Security and Privacy Policies and Procedures

  • Interviews with Key Leaders from Information Technology, Information Security, Human Resources, Physical Facility Operations, and Others as Appropriate

  • Examination of Data Center, Server Rooms, and Infrastructure Locations

  • In-depth Review of Specific Application Security Features

  • Development of Data Classification Schema

  • Information Security Program Analysis against One of the Information Security Frameworks Listed Above

  • Prioritization of the Gaps and Recommendations

  • Development of a Security Risk Assessment Report Suitable to Meet Appropriate Audit & Compliance Requirements

  • Development of an Information Security Program Remediation Plan

BluTinuity can assist you by providing an assessment that is right-sized for your organization.


"Athletico began its partnership with BluTinuity and Scott Owens in 2013 with a simple HIPAA Security Risk Assessment. At that time, we had roughly 75 physical therapy clinics in the greater Chicago area. Since then, Athletico has grown to over 600 clinics in 14 states, and with this growth, we have experienced a complex, challenging, and ever-changing organizational risk profile. BluTinuity has helped our team understand the risks, develop information security requirements and controls, and grow its Information Security, Business Continuity, and Incident Response programs to scale with the business. We value Scott’s expertise and would highly recommend BluTinuity as a trusted advisor."

US Health Center

"US HealthCenter engaged with Scott Owens of BluTinuity in 2020 to provide a comprehensive Security Risk Assessment for compliance with the HIPAA Security Rule. While confirming that US HealthCenter was positioned well for HIPAA compliance, we also learned many valuable insights into improving our security environment. BluTinuity’s approach was to start with mentoring our team through the entire process so we better understood the HIPAA requirements, but the approach also led us to a higher objective of developing a stronger information security posture and culture within US HealthCenter. They shared a variety of mature tools and templates to streamline our security procedures. We highly recommend BluTinuity as a consulting firm to guide your information security and compliance programs."


"BluTinuity has been a trusted, strategic, security and technology partner of WebPT for 4 years. We originally were introduced to Scott Owens through our health law attorney when WebPT was in need of a HIPAA Security Risk Analysis to comply with the HIPAA Security Rule. The experience was excellent and we learned a great deal about our infrastructure, our teams, and a smart, pragmatic approach to security compliance. Since then, we have engaged BluTinuity to provide Security Risk Assessments as part of our acquisition due diligence process as WebPT has grown, as well as for disaster planning and tabletop exercises. We rave about his services."
