The 5 key areas of cyber assessment
We've used our decades of experience in IT and information security management, together with both a thorough understanding of cyber insurance and our first-hand engagement in investigating hundreds of cyber incidents, to create the Cyber3 assessment.
The evaluation delivers a comprehensive survey based on current risk concerns of cyber insurance underwriters, with cybersecurity best-practice from standards such as ISO 27001, PCI DSS, and NIST. Combined with our unique CyberProfiler: Attackers Eye View™ online footprint analysis, our findings are summarised and delivered in a comprehensive, jargon-less report.
Most importantly, we help executives and management to cut through the complexity, aligning the assessment findings and recommendations by scoring a set of five key metrics. The resulting score demonstrates an organisation's Cyber Risk Management Maturity (CRMM).
How our cyber assessment works
Skills & resources
We review staff roles and ensure they are clearly defined and assigned to those with appropriate experience or cyber risk qualifications. We also check the organisation has proper IT resourcing considering the information which they store and process. We base our scoring on best practice considering the organisation's size combined with the assets they handle.
Documentation & workflows
Our assessment reviews organisational policies to ensure the correct procedures are in place with appropriate guidance, standards and agreements. A high maturity indicates a hierarchical document set exists, is regularly updated and followed. We examine the organisation's cybersecurity culture: are staff aware of cyber threats, governance documents and their obligations?
Security protection & detection
We review whether the technologies used to protect the organisation's business data are planned, budgeted, implemented, up to date, and operated effectively. We review security-specific solutions and the security functions available within other standard IT technology, such as operating systems and databases. We apply best practice to review key safeguards using a layered approach.
Reliance & assurance
4. Vendor management
We review the assurances an organisation has in regard to its outsourcing partners and vendors. A high maturity indicates the company has considered a degree of trust and cybersecurity as important factors in its contractual relationships. We pay particular attention to clients' existing relationships and standard practices when planning outsourcing and vendor assignments.
Records & control
5. Data asset awareness
We examine how the organisation categorises the data it utilises. We ensure that critical personal and other business data is clearly understood so that the organisation can suitably assess the risks associated with these assets. As part of our assessment report, we produce a data asset register allowing clients to gain clarity over data access content and aggregation, to assign ownership and retention policy.
Cyber security exposure scan
CyberProfiler gives you a unique 'Attacker's Eye View'™ of your business
Many businesses unnecessarily leak information which is used by attackers to scam them and compromise their systems.
Our profiler service provides an attacker's perspective on an organisation's online presence. We scan for vulnerable systems, configurations, user accounts, domains, third-party links, technology investment, and other sensitive details. Results then drive practical recommendations for remediation.
Cybersecurity audit breakdown
The Cyber3 assessment consists of sections of easy-to-answer questions.
Most questions offer simple answers: Yes, No, In Progress or Not Applicable.
There is the option to defer up to 5 questions that cannot be answered for post-review completion, although this can delay the report.
Section A Introduction & Business Details.
Section B Your Business Information Assets.
Section C IT Operations and Cyber Security Function.
Section D Your Cyber Risk Assessment Programme.
Section E Your Information Governance Programme.
Section F Your Cyber Security Systems & Processes.
Section G Your Cyber Incident Management Process.
Section H Historical Information.
Cybersecurity audit findings overview
Cyber3 report sections
We outline assessment findings in a comprehensive, well-structured report. The report contains jargon-less insights that are easy for both technical and non-technical executives to understand. Using the following report structure, we can raise risks clearly and provide a path to remediation with direct links from our recommendations to stepped improvements in cyber risk management maturity.
Cyber Risk Management Maturity scoring
We rank an organisation's resilience using a straightforward 1-5 score in five key maturity areas. Our scores use proprietary logic functions applied to the information gathered over a personal one-to-one 90-minute security review by our expert assessors.
We summarise assessment findings in a tailored opinion statement. The jargon-less summary clearly outlines the assessment findings for both technical and non-technical executives.
Risk results dashboard
This area provides an overview of every finding paired with a visual high/medium/low risk determination. With one glimpse, a business can identify its cyber strengths and weaknesses and identify where best to act to address the most critical areas of exposure.
In-depth remediation details
This section lists each assessment finding in order of urgency. We document each high/medium risk with a reason for its determination. The report also contains clear remediation advice for every high and medium risk, in addition to a commentary on low risks. Tags show a direct relationship to maturity improvement.
This checklist provides a clear action plan for the assessed organisation. The ten most urgent findings are summarised and scored. This section allows the assessed business to determine key remediation actions for its overall cyber maturity.
Data asset register
Many organisations are not aware of the information assets they store and process. As a result, they cannot demonstrate the steps taken to understand and protect these assets. The Cyber3 assessment generates a formal information asset register enabling tracking of ownership, access control and data retention policy.
Attackers Eye View™
We help organisations understand the attacker's perspective by including an open-source intelligence assessment. This section scans the business for susceptible technologies, misconfigured services, vulnerable user accounts, and many other details commonly used by hackers to breach organisations.
Developing cyber maturity
The Cyber3 report gives you a remediation plan to improve cyber security
Our assessment is performed over a 90-minute call with a STORM Guidance cybersecurity expert.
As part of the review, we also complete an 'Attackers-Eye-View' scan of the company's entire digital estate. This scan examines all public-facing digital assets for security threats, domain misconfigurations and other exposures.
The result is a Certificate of Assessment, a comprehensive Risk Management Report incorporating our unique maturity scoring, and a straightforward strategy to achieve cyber resilience. Assessments are priced at £995 with discounts available for insurers, brokers and their clients.