Security Assessment

Score: 77%

Assessment


Data

Data Protection

Data; API; Database; Storage; Data in Transit; Data at Rest

Data Theft / Exfiltration: Unauthorized access to sensitive information, which can lead to the exposure, misuse, or loss of data. This risk can arise from various sources, including cyberattacks, insider threats, or vulnerabilities in a company's security systems.

Private

  1. Implement Strong Access Controls: Use multi-factor authentication and role-based access controls to limit data access.
  2. Encrypt Sensitive Data: Ensure data is encrypted both in transit and at rest.
  3. Regular Security Audits: Conduct regular audits to identify and address vulnerabilities.
  4. Employee Training: Educate employees on data security best practices and phishing awareness.
  5. Incident Response Plan: Develop and regularly update an incident response plan to quickly address data breaches.
  6. Monitor and Detect: Use advanced monitoring tools to detect unusual activity and potential breaches.
  7. Audit Trails: Keep detailed logs of data extraction activities for monitoring and auditing purposes.
  8. Data Loss Prevention (DLP): Implement DLP solutions to monitor and control the flow of sensitive data, preventing unauthorized copying, sharing, or removal.
  9. Zero-Trust Security Model: Adopt a zero-trust security model, requiring continuous verification and authorization for every user and device.
  10. Regular Patch Management: Keep all systems and software up to date with the latest security patches to address vulnerabilities.


Impacts

Impact area (rating): Description

Regulatory (Moderate): Data theft can result in non-compliance with data protection regulations such as GDPR, HIPAA, or PCI-DSS. This can lead to legal penalties, restrictions on business operations, and increased scrutiny from regulatory bodies.

Reputational (Major): A data breach can severely damage a business's reputation. Customers and partners may lose trust in the organization's ability to protect their data, leading to a loss of business opportunities and customer attrition.

Customer (Major): Customers affected by data theft may experience identity theft, financial fraud, and other forms of harm. This can lead to increased customer support costs and a need for additional measures to protect customer data.

Operational (Moderate): Addressing a data breach can disrupt normal business operations. Resources may need to be diverted to manage the incident, investigate the breach, and implement additional security measures, leading to delays in projects and reduced efficiency.

Risks

Risk (Type, Overall Risk): Description

1. Encryption In Transit (Threat, Major): Data moving between two systems or endpoints.
2. Encryption At Rest (Threat, Major): Data stored on a physical or digital storage medium.
3. Encryption In Use (Threat, Major): Data actively being processed by a CPU or held in active memory (RAM).
4. Compromised Privileged Account Credentials (Threat, Critical): Attackers can exploit compromised credentials to access and steal data.
5. Weak Network Controls (Threat, Critical): Inadequate network controls can allow unauthorized access to data and service disruptions.
6. Insecure File Locations (Threat, Major): Exposed file locations, whether internal or external, can lead to data loss from malicious threats.
7. Insider Threats (Threat, Major): Employees or insiders with access to sensitive data may leak or steal data, either intentionally or unintentionally.
8. Insecure Data Source(s) (Threat, Critical): Repositories from which data is obtained for processing, analysis, or storage. They can be internal or external, structured or unstructured, and may vary depending on the system or application.

Impact / Likelihood matrix (likelihood columns: Rare (0 - 5%), Unlikely (5% - 15%), Possible (15% - 40%), Likely (40% - 90%), Certain (>90%)); risk numbers refer to the Risks list above, and the exact likelihood column of each entry did not survive extraction:

Severe: risks 5, 8 (one likelihood column); risk 4 (a separate likelihood column)
Major: risks 1, 2, 3, 6, 7
Moderate: none
Minor: none
Insignificant: none

Threats

Threat categories: Enterprise, Internal, External, 3rd Party, Technological, Physical
Exfiltration - The adversary is trying to steal data.
Collection - The adversary is trying to gather data of interest to their goal.

Controls

Control Coverage: 0%

NIST SP 800-53 Revision 5.1.1 (Effectiveness)
AC-02(01) AUTOMATED SYSTEM ACCOUNT MANAGEMENT
Controls (Effectiveness)
Data.02 Encryption at Rest - At a minimum Confidential and Highly Confidential data must be encrypted at rest to protect it from unauthorised viewing and to protect it from potential data loss.
Data.03 Encryption at Rest - Implement secure key management practices, including key rotation, access controls, and secure storage of encryption keys.
Data.05 Encryption In Transit - Data must be encrypted throughout its journey across the network from the source device to the destination device. These measures often include encryption and the use of secure connections (HTTPS, SSL, TLS, FTPS, VPN, etc) to protect the contents of data in transit.
Data.17 Access Control: Employee - To ensure access to organizational tools is granted based on role, responsibility, and security requirements, and to prevent unauthorized use or data exposure.
Data.19 Access Control: Non Human - To define the rules and procedures for managing access to service accounts, ensuring secure and auditable use across systems and applications.
Data.20 Privacy - All PII / PHI collected, processed, stored, or transmitted by the organization must be protected in accordance with applicable privacy laws, regulations, and internal policies. This includes but is not limited to names, addresses, identification numbers, financial data, health information, and biometric data.
File File Storage - When considering guidelines for file storage, it's essential to focus on both security and efficient management.
NIST CSF 2.0 (Effectiveness)
GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders.