Cyber Maturity Assessment.
Our Cyber Maturity Assessments reveal how resilient your cybersecurity is and provide clear, tailored guidance to strengthen your defenses against evolving threats.
Our Process:
Our approach to Cyber Maturity Assessment and Roadmap Development is guided by a structured, step-by-step methodology designed to assess current capabilities and define a clear path for improvement.
- Each control area is rated against CIS Controls v8 based on the design and maturity level of the controls in place.
- We use a proprietary assessment tool to capture the gap assessment results; the score for each control is determined by the highest-severity issue found in that category.
- The ratings of the individual controls are averaged into a total control strength for each domain.
We report on the findings resulting from the Assessment phase and how they relate to the CIS Controls.
A baseline of the current state is established, and a possible remediation path is presented to move to the next maturity phase, taking into account:
- Risk severity
- Cost
- Implementation Complexity
- Organizational Adoption
Remediation of findings is carried out as individual projects and changes. Each project or change is assigned a responsible entity that compiles the required documentation, processes, and timelines to implement the remedial action.
Upon completing a remediation task, a formal signoff will be filed as proof of implementation.
Remediation actions will be reviewed at the next assessment interval.
Remediation is billed according to the project or change agreement, and therefore is not included in the scope of work.
Methodology:
The CIS framework distinguishes between three Implementation Groups (IGs), based on self-identified criteria and cybersecurity goals.
A brief definition of the Implementation Groups is as follows:
IG1
An IG1 enterprise is small to medium-sized with limited IT and cybersecurity expertise to dedicate towards protecting IT assets and personnel. The principal concern of these enterprises is to keep the business operational, as they have a limited tolerance for downtime. The sensitivity of the data that they are trying to protect is low and principally surrounds employee and financial information.
Safeguards selected for IG1 should be implementable with limited cybersecurity expertise and aim to thwart general, non-targeted attacks. These Safeguards will also typically be designed to work in conjunction with small or home office commercial off-the-shelf (COTS) hardware and software.
IG2 (includes IG1)
An IG2 enterprise employs individuals responsible for managing and protecting IT infrastructure. These enterprises support multiple departments with different risk profiles based on job function and mission. Small enterprise units may have regulatory compliance burdens. IG2 enterprises often store and process sensitive client or enterprise information and can withstand short interruptions of service. A major concern is loss of public confidence if a breach occurs.
Safeguards selected for IG2 help security teams cope with increased operational complexity. Some Safeguards will depend on enterprise-grade technology and specialized expertise to properly install and configure.
IG3 (includes IG1 and IG2)
An IG3 enterprise employs security experts that specialize in the different facets of cybersecurity (e.g., risk management, penetration testing, application security). IG3 assets and data contain sensitive information or functions that are subject to regulatory and compliance oversight. An IG3 enterprise must address availability of services and the confidentiality and integrity of sensitive data. Successful attacks can cause significant harm to the public welfare.
Safeguards selected for IG3 must abate targeted attacks from a sophisticated adversary and reduce the impact of zero-day attacks.
