compliance barometer


The CyTRAP Labs checklist rating was developed as a general ranking system for Urs+Nahum’s Security Checklist.

Our star rating is meant to provide a convenient path, rather than a strictly logical one, to achieving and maintaining security over an extended period, particularly for an organization with limited resources.

In line with typical SME concerns, it is biased towards action, expediency and urgency of implementation.

The 5-star rating is subjectively assigned, so that presumably SME executives would know that it is critical to implement all the 5-star measures first, then the 4-star ones, and so on.

Still, it is really up to the executive to decide which road leads to the most effective and speedy implementation, taking into account that SMEs often operate in survival mode and can allocate only so much time and resources to security. To be on the safe side, always treat security implementation as a life-long journey, with more stars assigned to the more urgent steps.

CyTRAP Labs checklist rating

1    *        low
2    **       elevated
3    ***      moderately critical
4    ****     critical
5    *****    severe

Presumably SME executives would know that it is critical to implement all the 5-star measures first, then the 4-star ones, and so on. Users should consider implementing at their enterprises every clause rated 3 stars or higher in any of our checklists, without exception.

In practice this means that, although it is meaningless to develop comprehensive security defenses without an overall corporate vision, a typical SME should not simply wait several months for expensive consultants to develop its security policy and action plan, and only then start the implementation. Although waiting might appear logical and less wasteful, there are many actions that a company could and should implement right away, regardless of whether it has already approved a comprehensive and holistic security implementation plan.

By continually working through the checklists we provide and addressing the remaining high-star risks, corporate management should be able to provide effective security oversight and ensure a ‘shake the low-hanging fruit’ approach, thus improving organizational security in pragmatic and cost-effective ways. Moreover, personnel must be encouraged to report all known security and risk problems up the chain of command without fear of retaliation for doing so.

For further information you may also look at:

compliance the practical way

CyTRAP Guide – rated compliance and comparative metrics action – FAQ