Categories: Compliance, Security

by meagancleary


Paul Cleary, our managing partner, walks us through a security assessment kickoff presentation, providing you with a complete understanding of what your organization can expect when you engage with us (hint: it’s actually pretty painless).

The Rapid QS assessment method is built on the critical security controls defined by the CIS (Center for Internet Security). In this post, we discuss the benefits of a Rapid QS security assessment and why you need one. We also look at how Horn IT conducts an assessment, and then drill down into the control groups examined for the specific areas of concern in any organization.

What is a Rapid QS Security Assessment? 

The goal of the Rapid QS assessment is to quickly assess your security posture based on the top 20 critical CIS control groups. The CIS top 20 are a subset of the approximately 171 technical control groups that represent best practices for securing your IT infrastructure.

Note: Version 8 of the CIS Critical Security Controls reduced the number to 18 control groups, but for the purposes of this post the same cybersecurity principles apply; the Version 7 control groups are the ones described here. See “Differences between version 7 and 8” for an overview.

How you’ve implemented these 20 control groups provides a solid baseline of where your organization stands as far as security is concerned. In addition, the 20 control groups also have the added benefit of easily mapping onto any kind of compliance framework that you might need to adhere to – whether that’s NIST or ISO or HIPAA or others. 

[Image: goals of the Horn IT CIS assessment]

Security assessment scoring and timelines 

At the end of the assessment, we determine a score to represent your security posture. For each control, a score of 1 indicates that it has been fully implemented, 0.5 that it is partially implemented, and 0 that nothing is implemented.

This type of quick scoring enables us to compute a percentage for each of the appropriate control groups. At the end of the assessment, you are left with a baseline score: a real metric that shows where you stand as far as your cybersecurity is concerned.

With this baseline score, you can also easily identify the gaps across your controls and prioritize the ones that need to be implemented first. With that information, we can help develop a high-level project plan with relevant timelines and the required resources so that you can implement the missing controls right away.
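The scoring described above is simple enough to automate. The following is an added example, not Horn IT's own tooling: it applies the post's scale (1 = implemented, 0.5 = partially implemented, 0 = not implemented) to a set of sub-controls grouped by CIS control group, derives a percentage per group and an overall baseline, and produces a gap list ordered weakest-first against the roughly 80 percent target mentioned later in the post. It also handles one detail the prose glosses over: controls that are not applicable to the organization are excluded from the denominator rather than counted as failures. The `SubControl` type, the `SAMPLE` findings, and every control id and title in it are constructed for illustration and are not taken from the CIS documents.

```python
"""Scoring a rapid CIS-controls assessment (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

IMPLEMENTED, PARTIAL, MISSING = 1.0, 0.5, 0.0
TARGET = 0.80  # share of applicable controls the post suggests aiming for


@dataclass(frozen=True)
class SubControl:
    group: int              # CIS control group number (v7 numbering: 1..20)
    ref: str                # illustrative sub-control id (not a real CIS id)
    title: str
    score: Optional[float]  # None = not applicable to this organisation


# Constructed sample findings for a hypothetical organisation.
SAMPLE = [
    SubControl(1, "1-a", "Hardware asset inventory maintained", IMPLEMENTED),
    SubControl(1, "1-b", "Unauthorised devices detected and removed", PARTIAL),
    SubControl(3, "3-a", "Automated OS patching in place", IMPLEMENTED),
    SubControl(3, "3-b", "Automated third-party app patching in place", MISSING),
    SubControl(4, "4-a", "Default passwords changed", IMPLEMENTED),
    SubControl(4, "4-b", "MFA required for all administrative access", MISSING),
    SubControl(6, "6-a", "Audit logging enabled and centrally collected", PARTIAL),
    SubControl(18, "18-a", "Secure coding practices for in-house software", None),
]


def _applicable(controls):
    """Sub-controls that count toward the score (N/A ones are dropped)."""
    return [c for c in controls if c.score is not None]


def group_scores(controls):
    """Percentage (0..1) per control group, or None if every sub-control is N/A."""
    buckets = defaultdict(list)
    for c in controls:
        buckets[c.group].append(c.score)
    result = {}
    for group, scores in buckets.items():
        applicable = [s for s in scores if s is not None]
        result[group] = sum(applicable) / len(applicable) if applicable else None
    return result


def baseline(controls):
    """Overall baseline: mean score across all applicable sub-controls."""
    applicable = _applicable(controls)
    if not applicable:
        raise ValueError("no applicable controls to score")
    return sum(c.score for c in applicable) / len(applicable)


def gaps(controls, target=TARGET):
    """Groups below target, weakest first, each with its not-yet-complete sub-controls."""
    out = []
    for group, pct in group_scores(controls).items():
        if pct is None or pct >= target:
            continue
        todo = [c.ref for c in controls
                if c.group == group and c.score is not None and c.score < IMPLEMENTED]
        out.append((group, pct, todo))
    out.sort(key=lambda item: (item[1], item[0]))  # lowest score first, then group number
    return out


def report(controls, target=TARGET):
    """Summary as lines, so a caller can print it or attach it to a project plan."""
    lines = [f"Baseline score: {baseline(controls):.0%} (target {target:.0%})"]
    for group, pct, todo in gaps(controls, target):
        lines.append(f"  Group {group:>2}: {pct:.0%}  -> close: {', '.join(todo)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

With the constructed sample, the baseline comes out at 57% and the gap list ranks groups 3, 4 and 6 (each at 50%) ahead of group 1 (75%), which is the order a project plan would take them in; group 18 is skipped because the organisation develops no software in-house.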

The assessment takes approximately one to two weeks to complete. When it is complete, you’re provided with a useful and clear operational approach to improving your organization’s cybersecurity.

Scope of areas for security review 

The scope and context of a rapid assessment are focused on the following areas:

Internal corporate environments 

This covers your internal environment: any internal corporate network, devices, end users, access, cloud services, third-party connections, Wi-Fi configuration and even printers.

Cloud, hosted or SaaS infrastructures 

We prioritize any hosted services or environments that you provide to your clients. We will examine how you secure and protect those environments.  

External network connections 

Any connections you may have with your clients’ environments. Do you connect to your clients for any of the services that you provide? If so, how do you do that, and how do you make sure that the connection is secure?

What is the security review process?  

The assessment review process is as follows:  

  • Kickoff meeting – We introduce the team you’ll be working with, review the process, and set the schedule.
  • Questionnaire – We then send you roughly 20 questions that help us understand how your environment is set up.
  • Technical drilldown – Based on your answers to the questionnaire, the team at Horn drills down further. This may involve logging onto your systems and taking a look at your environments. Depending on the complexity of your network, your cloud environment and how your clients connect, this stage may be split into two or three meetings.

What are the Top Critical CIS 20 control groups? 

As mentioned, the top 20 critical CIS controls (now V8) represent the key controls that every organization should implement in order to maintain good cybersecurity hygiene. If you’ve implemented most of these, and we usually aim for about 80 percent of the controls that are appropriate for your organization, then you will be secure. You also have the added benefit of being compliant with any compliance framework that you need to adhere to.

CIS controls version 7

Basic controls 

The basic controls look at the inventory and control of hardware and software assets, and at whether an organization has implemented continuous vulnerability management. Other sections drill down on how administrative privileges are granted, whether you have implemented secure configurations for the hardware and software on your devices, and the maintenance and monitoring of audit logs.

Foundational 

The foundational controls encompass items like email and web browser protections, malware defences, and the management of network ports, protocols and services. In addition, the foundational category includes your data recovery capabilities, disaster recovery planning, and your security configuration for network devices such as firewalls, routers and switches.

How do you defend your boundaries for both incoming and outgoing traffic? How is your data protected? Do you know what your sensitive data is? Where is it and how do you secure it? Do you encrypt it or not? Do you have data loss prevention to make sure it doesn’t get moved out of your organization? 

Organizational 

The final control group is organizational. These controls have technical elements, but they are really more about the people and the processes involved in your organization. This includes items such as how access to servers is controlled. Is access granted on a need-to-know basis? How do you control access to data in your environment? How is access to the wireless network managed?

Do you know what accounts have been created to access your environment, and do you monitor them in any way? Have you implemented security awareness and training programs for your employees, so that they know how to stay secure?

Are you developing in-house software? If so, are the engineers aware of their specific obligations for keeping their work secure? Do you have secure coding practices? Do you test your code to make sure it’s secure? If you were to have a cybersecurity incident, how would you respond to it? How would you manage it, who would be responsible for what, and how would you communicate it to your stakeholders? Do you do penetration testing of both your corporate environment and your hosted environments? What type of penetration testing do you do? Is it just external testing, or both external and internal?

Watch the entire talk below:  

 

Final thoughts  

With Horn IT, you’re choosing a partner dedicated to driving your business forward. From advanced cybersecurity to strategic guidance, rapid support, and cost-effective solutions, our comprehensive approach empowers your success.   

Contact Horn IT today to explore how we can elevate your business.  
