IT Cybersecurity Assessment
Information Cybersecurity & Operations Scorecard
The Cybersecurity Operations Scorecard program helps organizations assess and strengthen their cybersecurity performance. It leverages frameworks like ISO and NIST to identify key controls and evaluates maturity using the CMMI framework. Consultants provide expert guidance in prioritizing controls, identifying gaps, and developing a strategic roadmap for cybersecurity improvements, ensuring continuous enhancement aligned with business objectives and risks.

Based on Data Perceptions' decades of security experience, current industry practice, and the Scorecard findings, an overall security posture assessment and a prioritized mitigation roadmap for improved IT security and operations are developed.
Information Security & Operations Scorecard
(Security Assessment)

Data Perceptions has developed a formal approach to helping organizations develop a roadmap for their risk mitigation efforts.

Data Perceptions uses its industry-leading IT Security and Operations Scorecard to build a security risk assessment profile. The Scorecard draws on the 20+ years of experience each of our team members has in dealing with security breaches and implementing preventive measures. It was designed to align with ISO 27001/27002, an internationally accepted framework for IT controls. Other frameworks such as NIST 800-53, NIST 800-171, PCI DSS, COBIT, GDPR, PIPEDA, HIPAA, CMMC, or the Canadian Baseline Cyber Security Controls (CBCSC) can also be used.

The Scorecard provides a structured approach to evaluating and identifying the:
- Risk tolerance level of an organization,
- Acceptable risks, and
- Priorities of risk mitigations.

Risk tolerance typically balances potential damage, risk probability, relative priority, user inconvenience, data confidentiality and sensitivity, and mitigation cost. An organization must understand its risk acceptance threshold; the Scorecard helps identify the acceptable risk level for each activity and documents the corresponding mitigation activities.

Initial discussions outline information security risk concerns in three common categories:
- Major Revenue Stream;
- Intellectual Property; and
- Brand & Reputation
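To make the prioritization concrete, the following added example (not Data Perceptions' code or method) scores control gaps the way the paragraphs above describe: each ISO 27002 control area is rated on a CMMI-style maturity scale for its current and target state, the shortfall is weighted by the risk factors listed (potential damage, probability, user inconvenience, mitigation cost), and gaps below an acceptance threshold are treated as accepted risk. The weighting formula, the 1-5 rating scales, the threshold and the sample ratings are all assumptions made for illustration.

```python
"""Prioritise control gaps from a Scorecard-style assessment.

Constructed illustration: the weighting formula, rating scales and
sample ratings below are assumptions, not Data Perceptions' method.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlGap:
    control: str        # ISO 27002 control area name
    category: str       # Major Revenue Stream / Intellectual Property / Brand & Reputation
    current: int        # CMMI maturity level today (0-5)
    target: int         # required maturity level (0-5)
    damage: int         # potential damage if the control fails (1-5)
    likelihood: int     # probability of that failure being exploited (1-5)
    cost: int           # mitigation cost (1-5, higher = more expensive)
    inconvenience: int  # user inconvenience of the mitigation (1-5)


def gap_score(gap: ControlGap) -> float:
    """Maturity shortfall scaled by risk and discounted by effort (assumed formula)."""
    if not (0 <= gap.current <= 5 and 0 <= gap.target <= 5):
        raise ValueError("maturity levels must be CMMI levels 0-5")
    if not all(1 <= v <= 5 for v in (gap.damage, gap.likelihood, gap.cost, gap.inconvenience)):
        raise ValueError("risk factors must be rated 1-5")
    shortfall = max(gap.target - gap.current, 0)
    if shortfall == 0:
        return 0.0                               # already at or above target
    risk = gap.damage * gap.likelihood           # 1..25
    effort = gap.cost + gap.inconvenience        # 2..10
    return round(shortfall * risk / effort, 2)


def roadmap(gaps: list[ControlGap], accept_below: float = 1.0) -> list[tuple[str, float]]:
    """(control, score) pairs above the acceptance threshold, highest first.
    Gaps scoring below `accept_below` are treated as accepted risk and dropped."""
    scored = [(g.control, gap_score(g)) for g in gaps]
    return sorted([s for s in scored if s[1] >= accept_below], key=lambda s: (-s[1], s[0]))


SAMPLE = [  # constructed ratings, not real assessment findings
    ControlGap("Patching", "Major Revenue Stream", 2, 4, 5, 4, 2, 2),
    ControlGap("Secure Authentication", "Intellectual Property", 1, 4, 5, 3, 3, 4),
    ControlGap("Clear Desks/Screens", "Brand & Reputation", 3, 3, 2, 2, 1, 3),
    ControlGap("Cabling Security", "Brand & Reputation", 1, 2, 1, 1, 3, 1),
]

if __name__ == "__main__":
    for control, score in roadmap(SAMPLE):
        print(f"{score:6.2f}  {control}")
```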

ISO 27002:2022 - Information Systems Security Areas in Security Scorecard

1. Organization Controls
- Policies
- Segmentation of Duties
- Management Responsibility
- Asset Inventory, Identification, and Management
- Identity Management
- Threat Intelligence
- Information Classification
- Information Transfer
- Risk Assessment
- Access Controls and Rights
- Identity Management and Authentication
- Change Management
- Cloud Information Security
- Incident Response Planning
- Evidence Collection
- Lessons Learned
- Supply Chain Security
- Regulatory and Legal Compliance
- Independent Cybersecurity Review
- Documented Operations Procedures
- Cybersecurity Policy and Operating Procedures Compliance

2. People Controls
- Screening
- Terms and Conditions of Employment
- Cybersecurity Training, Education, and Monitoring
- Disciplinary Process
- Confidentiality / Non-Disclosure Agreements
- Information Security Event Reporting
- Post-Termination Procedures
- Remote Working

3. Physical Controls
- Physical Perimeter Security
- Physical Entry Points
- Securing Offices, Rooms, and Facilities
- Working in Secure Areas
- Protection against Physical Threats
- Clear Desks/Screens
- Equipment Siting and Protection
- Security of Off-premises Assets
- Storage Media
- Cabling Security
- Equipment Maintenance
- Secure Reuse and Disposal

4. Technological Controls
- Endpoint Device Management
- Privileged Access Rights
- Information Access Restrictions
- Secure Authentication
- Malware Protection
- Patching
- Configuration Management
- Deleting Information
- Data Leakage Prevention
- Information and Configuration Backups
- System Processing Redundancy
- Logging
- Monitoring
- Clock Synchronization
- Controlling Privileged Utilities
- Software Installations
- Network Security
- Network Segregation
- Network Services Security
- Web Filtering
- Cryptographic Controls
- Secure Development Life Cycle
- Application Security
- Secure Coding
- Security Testing in Development
- Outsourced Development
- Separation of Production, Test, and Development Environments
- Change Management
- Test Information Security
- Protection of Information Systems during Audit

Other frameworks such as SOC2, CIS, NIST 800-171/A and COBIT have been considered and incorporated into the Scorecard.
It is challenging to develop an effective IT and cybersecurity strategy that mitigates business risks within the available budget. A comprehensive IT security assessment can help organizations map necessary activities to attain an appropriate IT and cybersecurity state.

Security risks are constantly evolving. Organizations are compromised when their attention is elsewhere, and attackers are driven by profit. Attacks exploit the weakest link in an organization's security profile; no organization is immune.

Delivering an optimized IT and cybersecurity posture requires a combination of design, technology, training, and operational practices. This holistic approach must be aligned to effectively mitigate an organization's relevant risks. The key is to balance cost optimization of security technology and operations with business risks.

Data Perceptions has developed its industry-leading security posture assessment, the IT Security & Operations Scorecard. The Scorecard leads your key information security stakeholders through a security and operations assessment process to help identify the current and target state of security operations.

To validate the initial assessments, we review:
- network & systems configurations, availability, and integrity;
- security operations policies, procedures, and practices;
- external and internal vulnerability assessment (EVA/IVA) of the network and systems;
- email impersonation/control/spam email assessment; and
- simulated phishing (social engineering) assessment.