Blog ne Digital Managed Services Cybersecurity Microsoft 365 & Azure

Cybersecurity Assessment: Discover your company's security score

Written by Nicolas Echavarria | Oct 14, 2024 1:30:00 PM

Welcome to the Cybersecurity Assessment at ne Digital. In this post, our experts will assess your company's security posture through a questionnaire based on NIST governance best practices, aligned with the requirements of the five functions of your Cybersecurity Framework:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

By answering a series of detailed questions, you will be able to discover areas of strength and opportunities for improvement. Tally your points based on your responses to understand your security score in each critical aspect of your Cybersecurity strategy.

Cybersecurity Assessment: Discover Your Score

1. Governance

I. Cybersecurity Policies and Procedures

How would you describe your company's Cybersecurity policies and procedures?

  • 10 points: Well-documented policies aligned with my Cybersecurity objectives.
  • 5 points: A framework exists, but tracking and analysis are challenging.
  • 2 points: Compliance mechanisms are in place but not formalized as policies.
  • 0 points: My company lacks practical and institutional policies.

II. Risk Management Strategy

Does your organization have a formal Cybersecurity risk management strategy?

  • 10 points: Yes, it is formalized and regularly reviewed.
  • 5 points: Yes, but implementation is partial and needs improvement.
  • 2 points: Not formalized, but we consider risks in key decisions.
  • 0 points: No, we do not have a formal risk management strategy.

III. Cybersecurity Oversight and Review

How often are your Cybersecurity policies reviewed and supervised?

  • 10 points: Quarterly reviews or more frequent.
  • 5 points: Annual reviews.
  • 2 points: Sporadic reviews without a fixed schedule.
  • 0 points: We do not conduct formal reviews.

IV. Training and Awareness

Does your organization implement Cybersecurity training and awareness programs?

  • 10 points: Regular, mandatory programs for all staff.
  • 5 points: Occasional, non-mandatory programs.
  • 2 points: Only basic training for certain employees.
  • 0 points: We do not offer Cybersecurity training.

Your Governance Score

  • 31-40 points: Optimal Governance Level
  • 21-30 points: Adequate Governance Level
  • 11-20 points: Basic Governance Level
  • Less than 10 points: Critical Governance Level

2. Identify

I. Asset Inventory

Does your organization maintain an updated inventory of all technological assets?

  • 10 points: Yes, we have a comprehensive and regularly updated inventory.

  • 5 points: Yes, but not updated frequently enough.

  • 2 points: Partially, we have inventories for some critical assets.

  • 0 points: No, we do not maintain an asset inventory.

II. Cyber Risk Assessment

Does your company regularly conduct Cybersecurity risk assessments?

  • 10 points: Yes, we perform detailed and periodic risk assessments.
  • 5 points: Yes, but they are not always exhaustive or frequent.
  • 2 points: We conduct sporadic assessments without a defined schedule.
  • 0 points: No, we do not perform Cybersecurity risk assessments.

III. Data Classification

Does your organization have a data classification system based on sensitivity and criticality?

  • 10 points: Yes, with detailed classification and specific handling policies.

  • 5 points: Yes, but the classification is not exhaustive.

  • 2 points: Basic classification without specific policies.

  • 0 points: We do not have a data classification system.

IV. Mapping Interdependencies

Does your organization identify and map interdependencies between critical assets?

  • 10 points: Yes, with detailed maps and interdependency analysis.
  • 5 points: Yes, but mapping is not exhaustive.
  • 2 points: Basic identification without detailed mapping.
  • 0 points: We do not identify interdependencies.

Your Identification Score

  • 31-40 points: Optimal Identification Level
  • 21-30 points: Adequate Identification Level
  • 11-20 points: Basic Identification Level
  • Less than 10 points: Critical Identification Level

3. Protect

I. Access Control

How does your company manage access control to systems and data?

  • 10 points: Implement strict access controls with periodic reviews.

  • 5 points: Access controls exist but lack regular reviews.

  • 2 points: Basic controls without formal reviews.

  • 0 points: We do not formally manage access control.

II. Data Protection

What measures does your company take to protect sensitive data?

  • 10 points: We use encryption, regular backups, and other advanced measures.
  • 5 points: Some protection measures are in place but not comprehensive.
  • 2 points: Only basic protection measures are implemented.
  • 0 points: We do not have data protection measures in place.

III. Identity Management

How does your organization manage identities and access?

  • 10 points: Use of multi-factor authentication and centralized identity management.
  • 5 points: Basic authentication with strong passwords.
  • 2 points: Passwords without additional security measures.
  • 0 points: We do not have a formal identity management system.

IV. Network Security

What network security measures does your company have in place?

  • 10 points: Use of firewalls, IDS/IPS, and network segmentation.
  • 5 points: Firewalls in use with basic traffic monitoring.
  • 2 points: Only firewalls without additional monitoring.
  • 0 points: We do not have network security measures implemented.

Your Protection Score

  • 31-40 points: Optimal Protection Level
  • 21-30 points: Adequate Protection Level
  • 11-20 points: Basic Protection Level
  • Less than 10 points: Critical Protection Level

4. Detect

I. Continuous Monitoring

Does your company have continuous monitoring systems to detect threats?

  • 10 points: Yes, with advanced systems and ongoing reviews.
  • 5 points: Yes, but monitoring is not consistent.
  • 2 points: Basic monitoring without continuity.
  • 0 points: We do not have continuous monitoring systems.

II. Event Analysis

How does your organization handle security event analysis?

  • 10 points: We have structured processes and dedicated personnel.

  • 5 points: We analyze events but lack formal structure.

  • 2 points: Sporadic and unstructured analysis.

  • 0 points: We do not conduct security event analysis.

III. Threat Intelligence

Does your organization use threat intelligence to identify potential risks?

  • 10 points: Yes, with integration into security systems and regular analysis.

  • 5 points: We use threat intelligence but without formal integration.

  • 2 points: Open-source threat information without formal analysis.

  • 0 points: We do not utilize threat intelligence.

IV. Alerts and Notifications

How does your company manage security alerts and notifications?

  • 10 points: Automated alert system with real-time reviews.
  • 5 points: Alert system exists but with periodic reviews.
  • 2 points: Basic alerts without continuous review.
  • 0 points: We do not have an alert and notification system.

Your Detection Score

  • 31-40 points: Optimal Detection Level
  • 21-30 points: Adequate Detection Level
  • 11-20 points: Basic Detection Level
  • Less than 10 points: Critical Detection Level

5. Response

I. Incident Response Plan

Does your company have a documented and tested incident response plan?

  • 10 points: Yes, it is documented and regularly tested.

  • 5 points: Documented but not tested frequently.

  • 2 points: We have an undocumented plan.

  • 0 points: We do not have an incident response plan.

II. Communication During Incidents

How does your company manage communication during Cybersecurity incidents?

  • 10 points: Clear and defined protocols in place.

  • 5 points: We communicate but lack established protocols.

  • 2 points: Ad-hoc communications without formality.

  • 0 points: We do not have communication protocols.

III. Coordination with External Teams

Does your organization collaborate with external teams (e.g., CERTs) during incidents?

  • 10 points: Yes, with regular coordination and collaboration.

  • 5 points: We collaborate when necessary but lack formal planning.

  • 2 points: Minimal collaboration without defined protocols.

  • 0 points: We do not collaborate with external teams.

IV. Post-Incident Evaluation

Does your company conduct post-incident evaluations to improve future responses?

  • 10 points: Yes, with detailed evaluations and policy updates.
  • 5 points: Evaluations occur but lack thorough detail.
  • 2 points: Basic evaluations without significant changes.
  • 0 points: We do not conduct post-incident evaluations.

Your Response Score

  • 31-40 points: Optimal Response Level
  • 21-30 points: Adequate Response Level
  • 11-20 points: Basic Response Level
  • Less than 10 points: Critical Response Level

6. Recovery

Recovery Plan

Does your company have a recovery plan for Cybersecurity incidents?

  • 10 points: Yes, regularly updated and tested.

  • 5 points: Yes, but without regular testing.

  • 2 points: Basic plan without formal testing.

  • 0 points: We do not have a recovery plan.

II. Lessons Learned

Does your organization review and document lessons learned after an incident?

  • 10 points: Yes, with detailed reviews and policy updates.

  • 5 points: We document lessons but without thorough reviews.

  • 2 points: Superficial reviews without formal documentation.

  • 0 points: We do not conduct post-incident reviews.

III. Post-Incident Communication

How does your company manage post-incident communication with stakeholders?

  • 10 points: Clear and regular communication with all stakeholders.

  • 5 points: Occasional communication without regularity.

  • 2 points: Basic and unstructured communication.

  • 0 points: We do not have a post-incident communication protocol.

IV. Improvement Measures

Does your organization implement improvements based on lessons learned from incidents?

  • 10 points: Yes, with regular implementation and follow-up.
  • 5 points: Some improvements are made, but without formal follow-up.
  • 2 points: Minimal improvements without follow-up.
  • 0 points: We do not implement improvements after incidents.

Your Recovery Score

  • 31-40 points: Optimal Recovery Level
  • 21-30 points: Adequate Recovery Level
  • 11-20 points: Basic Recovery Level
  • Less than 10 points: Critical Recovery Level

Conclusion: Elevate Your Cybersecurity Level

At ne Digital, we understand the critical importance of cybersecurity in protecting your company against increasingly sophisticated threats.

Reducing vulnerabilities is essential in an era of constant cyber threats and cyber attacks, such as phishing, ransomware, data breaches, and other malicious actions against information security.

Analyze this diagnosis and outline the necessary actions to reduce the attack surface, perform effective penetration tests and improve security controls against the threat of hackers and internal breaches.

Through these structured assessments in the areas of Governance, Identification, Protection, Detection, Response, and Recovery, we provide the necessary tools to identify strengths, weaknesses, and areas for improvement, allowing you to determine your current security level.

By knowing your score in each function, you can make informed decisions to strengthen your cybersecurity strategy and develop a robust security program tailored to your organization’s needs.

Damage mitigation and building a solid Cybersecurity methodology are within your reach, reduce the level of risk and empower your security teams with a proactive approach.

Do you require a more in-depth assessment? Need help with remediation for identified gaps? Our experts are here to assist you.

We invite you to contact ne Digital for personalized advice, including guidance on managing third-party vendors and securing your cybersecurity posture with effective cyber insurance policies. Define the roadmap towards consolidating your cybersecurity processes, enhancing your security ratings, and establishing an effective cybersecurity framework.

 
View full post