Who should use this standard assessment
With increasing threats of cyber-terrorism, malware and data theft, prioritising good information security practices within a business is key to avoiding fines, reputational damage and loss of business. Common weak points are often found in the supply chain or among third parties, and because the risk is spread so widely, a risk-proportional approach to assessment in this area is useful.
Organisations that wish to avoid dealing with non-compliant businesses and minimise their exposure to high-risk data practices can use this Standard Assessment within Rizikon Assurance. It helps to ensure a foundational level of information security within an organisation, particularly where the risk is low. As such, it serves as a useful baseline standard of security across a supply chain.
How this Standard Assessment was developed
This assessment is based on the government-backed Cyber Essentials scheme, designed to help protect organisations of various sizes against a whole range of the most common cyber attacks.
The content of the scheme covers some of the most basic cyber-security practices that an organisation can adopt. The questions in this Standard Assessment in Rizikon Assurance are derived from those an organisation answers when applying for Cyber Essentials, and the scoring is also closely correlated with the scheme's.
Questions, sections and scoring
The Security (Low Risk) assessment is structured around the fundamental areas of office firewalls and internet gateways, secure configuration (such as password procedures), patches and updates, user and administrative accounts, malware protection, and others. It also gathers basic information on the company in question and the scope of the assessment, so that the relevance of the assessment is clear. There are only 9 sections in total.
The questions are “negatively” scored on a tiered basis – an answer can be scored Minor, Major or Fail, whereas compliant answers simply remain unhighlighted. These scores indicate that the organisation is potentially not operating within the pass mark of Cyber Essentials. Minor scores indicate advisory notes, whereas Majors and Fails indicate serious non-conformity with best practices as outlined in the scheme. The overall assessment score is inherited from the most severe score given to any single question, highlighting the organisation's point of least compliance.