Cyber Security Maturity Assessment

Identify your overall cyber security resilience and prioritize areas to improve


Service

To improve your cyber security resilience in a structured way, you first need a baseline of the level of security you currently have. Once the current level is known, prioritized tasks can be carried out in the areas with the highest risk or the highest return on investment. Our Cyber Security Maturity Assessment assesses your current cyber security posture against the CIS Critical Security Controls (CIS Controls), supplemented with elements from other industry-standard frameworks. The assessment is based on interviews, reviews of documents and configurations, and technical tests. It is delivered together with a roadmap of prioritized tasks for improving security. The tasks are prioritized using a risk-based approach, so that focus stays on the tasks that increase cyber security resilience the most while giving a good return on investment.


Value

  • Overview of cyber security maturity across the 18 CIS control groups.

  • Use of a standardized, publicly available framework allows easy comparison between organizations and ensures the assessment is vendor-independent.

  • Prioritized tasks that increase security where it provides the most value, based on risk and cost.

Deliverables

  • Executive summary stating the current security posture and the challenges that must be addressed to improve it sufficiently.

  • Security maturity score between 0 and 100 based on the CIS Controls framework. The score can be compared against other organizations of the same industry and size, provided they were scored on the same scale.

  • Roadmap for how to increase the security posture with specific and prioritized tasks.

  • Critical or severe vulnerabilities that pose a current high threat to the organization are reported during the project, not held back for the final report, and are summarized in an appendix to the Roadmap.


Methodology

The assessment is based on the CIS Controls framework, which contains 18 control groups with more than 150 sub-controls in total (version 8 of the framework calls them safeguards). For each sub-control we seek to establish:

  • To what degree is there a policy for the sub-control?

  • Is the sub-control technically implemented, and how?

  • Is the sub-control technically enforced, and how?

  • How is compliance with the sub-control reported?

This information is gathered through a combination of interviews with key employees, reviews of documents and configurations, and technical tests. Some of the technical tests go beyond what the CIS Controls cover: we have added further technical security checks based on our knowledge of attack techniques and best practice.
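The four questions above amount to a rating per sub-control that is then aggregated into a 0-100 score and a prioritized roadmap. The following Python is an added illustration of one way to do that aggregation; it is not the assessment's own scoring method. The rating scale (0 to 3 per dimension), the risk weights keyed on the CIS Implementation Group (IG1 treated as highest risk because it is the essential cyber hygiene baseline), the effort divisor and the sample findings are all assumptions constructed for the example.

```python
"""Illustrative maturity-scoring model for a CIS Controls assessment.

Added example; not the assessment vendor's scoring method. The 0-3 rating
scale, the IG-based risk weights and the effort divisor are assumptions.
"""
from dataclasses import dataclass
from statistics import mean

# Assumed rating per dimension: 0 = absent, 1 = partial, 2 = mostly, 3 = complete.
MAX_RATING = 3
# Assumed risk weight: IG1 safeguards form the essential cyber hygiene baseline,
# so an IG1 gap is weighted above an IG2 or IG3 gap.
RISK_WEIGHT = {1: 3.0, 2: 2.0, 3: 1.0}


@dataclass(frozen=True)
class Safeguard:
    ident: str        # e.g. "1.1"; the integer before the dot is the control group
    title: str
    ig: int           # CIS Implementation Group (1, 2 or 3)
    policy: int       # is there a policy for the sub-control?
    implemented: int  # is it technically implemented?
    enforced: int     # is it technically enforced?
    reported: int     # is compliance with it reported?
    effort: float     # assumed remediation effort in person-days

    def score(self) -> float:
        """Fraction 0..1 of the four dimensions that are in place."""
        total = self.policy + self.implemented + self.enforced + self.reported
        return total / (4 * MAX_RATING)

    @property
    def group(self) -> int:
        return int(self.ident.split(".")[0])


def _group_fractions(safeguards):
    """Unrounded per-control-group maturity as the mean of its safeguards' scores."""
    by_group = {}
    for s in safeguards:
        by_group.setdefault(s.group, []).append(s.score())
    return {g: mean(v) for g, v in sorted(by_group.items())}


def group_scores(safeguards):
    """Per-control-group maturity on a 0-100 scale."""
    return {g: round(100 * f, 1) for g, f in _group_fractions(safeguards).items()}


def overall_score(safeguards) -> float:
    """Overall 0-100 score: unweighted mean of the control-group fractions."""
    return round(100 * mean(_group_fractions(safeguards).values()), 1)


def roadmap(safeguards):
    """Gaps ordered by risk-weighted gap per unit of effort, highest first."""
    items = []
    for s in safeguards:
        gap = 1.0 - s.score()
        if gap == 0:
            continue  # fully in place, nothing to schedule
        priority = gap * RISK_WEIGHT[s.ig] / s.effort
        items.append((round(priority, 3), s.ident, s.title))
    return sorted(items, reverse=True)


# Constructed sample findings; ratings and effort are invented for the example.
SAMPLE = [
    Safeguard("1.1", "Establish and Maintain Detailed Enterprise Asset Inventory", 1, 1, 2, 0, 0, 5.0),
    Safeguard("5.2", "Use Unique Passwords", 1, 3, 3, 3, 2, 1.0),
    Safeguard("8.2", "Collect Audit Logs", 1, 2, 1, 0, 0, 6.0),
    Safeguard("10.1", "Deploy and Maintain Anti-Malware Software", 1, 3, 3, 3, 3, 1.0),
    Safeguard("13.1", "Centralize Security Event Alerting", 2, 0, 0, 0, 0, 20.0),
    Safeguard("18.1", "Establish and Maintain a Penetration Testing Program", 2, 0, 0, 0, 0, 4.0),
]

if __name__ == "__main__":
    for g, sc in group_scores(SAMPLE).items():
        print(f"Control {g:2d}: {sc:5.1f}")
    print(f"Overall: {overall_score(SAMPLE)}")
    for prio, ident, title in roadmap(SAMPLE):
        print(f"{prio:6.3f}  {ident:5s} {title}")
```

Running it prints the per-control scores, the overall score (40.3 for the sample) and the ordered roadmap; replace SAMPLE with real findings to reuse it. Note that an unweighted mean lets a control group scored at zero hide behind high scores elsewhere, which is why the roadmap, not the single number, should drive the work.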

 

 

Involvement

Before the project starts we need several types of documents, such as network documentation, VLAN documentation, firewall rules and internal IT policies. In our experience few organizations have this information at hand, so it can take some time to produce it or to locate where it is stored.

At the start of the project we interview key employees such as the head of IT and the people responsible for AV/EDR, e-mail, workstations, servers, network and user support. This is usually done with everyone in one large meeting, taking anywhere from 2 to 8 hours depending on the complexity of the infrastructure and the amount of internal discussion.

After this initial involvement, little of your staff's time is required, usually only for occasional questions.

