Security Assessment


Assessment (Score: 77%)

Data

Data Protection

Data; API; Database; Storage

Data protection ensures sensitive information remains secure, accurate, and accessible to those authorised, mitigating risks of loss or compromise

Private

Customer & Health Data

Protecting data continuously from the moment it is stored through every stage of its processing and consumption.

  1. Implement Strong Access Controls: Use multi-factor authentication and role-based access controls to limit data access.
  2. Encrypt Sensitive Data: Ensure data is encrypted both in transit and at rest.
  3. Regular Security Audits: Conduct regular audits to identify and address vulnerabilities.
  4. Employee Training: Educate employees on data security best practices and phishing awareness.
  5. Incident Response Plan: Develop and regularly update an incident response plan to quickly address data breaches.
  6. Monitor and Detect: Use advanced monitoring tools to detect unusual activity and potential breaches.
  7. Audit Trails: Keep detailed logs of data extraction activities for monitoring and auditing purposes.
  8. Data Loss Prevention (DLP): Implement DLP solutions to monitor and control the flow of sensitive data, preventing unauthorized copying, sharing, or removal.
  9. Zero-Trust Security Model: Adopt a zero-trust security model, requiring continuous verification and authorization for every user and device.
  10. Regular Patch Management: Keep all systems and software up to date with the latest security patches to address vulnerabilities.


efacb457-8f91-4223-ab01-2ce1c9fdbb8c

Impacts
Impact Description Impact
Regulatory Data theft can result in non-compliance with data protection regulations such as GDPR, HIPAA, or PCI-DSS. This can lead to legal penalties, restrictions on business operations, and increased scrutiny from regulatory bodies. Moderate
Reputational A data breach can severely damage a business's reputation. Customers and partners may lose trust in the organization's ability to protect their data, leading to a loss of business opportunities and customer attrition. Major
Customer Customers affected by data theft may experience identity theft, financial fraud, and other forms of harm. This can lead to increased customer support costs and a need for additional measures to protect customer data. Major
Operational Addressing a data breach can disrupt normal business operations. Resources may need to be diverted to manage the incident, investigate the breach, and implement additional security measures, leading to delays in projects and reduced efficiency. Moderate

Risks
Risk Description Type Overall Risk
1 Encryption In Transit: Lack of data encryption throughout its journey across the network from the source to the destination may lead to unauthorized access and modification of data in transit. Threat Major
2 Encryption At Rest: Un-encrypted data at rest may expose data to unauthorised access and the potential for data loss. Threat Major
3 Encryption In Use: Lack of payload encryption may lead to unauthorized access and modification for both data in transit and at rest. Threat Major
4 Compromised Privileged Account Credentials: Attackers can exploit compromised credentials to access and steal data. Threat Critical
5 Weak Network Controls: Inadequate network controls can allow unauthorized access to data and service disruptions. Threat Critical
6 Insecure File Locations: Exposed file locations whether internal or external can lead to data loss from malicious threats Threat Major
7 Insider Threats: Employees or insiders with access to sensitive data may leak or steal data, either intentionally or unintentionally. Threat Major
8 Insecure Data Source(s): repositories from which data is obtained for processing, analysis, or storage. They can be internal or external, structured or unstructured, and may vary depending on the system or application. Threat Critical

Severe 58 4
Major 12367
Moderate
Minor
Insignificant
Impact / Likelihood Rare (0 - 5%) Unlikely (5% - 15%) Possible (15% - 40%) Likely (40% - 90%) Certain (>90%)

Threats
Threat: Enterprise Internal External 3rd Party Technological Physical
Exfiltration - The adversary is trying to steal data.
Collection - The adversary is trying to gather data of interest to their goal.

Controls
Control Coverage: 75%
Controls Effectiveness
Data.02 Encryption at Rest - At a minimum Confidential and Highly Confidential data must be encrypted at rest to protect it from unauthorised viewing and to protect it from potential data loss.
Mitigation: sgregererernernrenretn		 Met
Data.03 Encryption Keys - Implement secure key management practices, including key rotation, access controls, and secure storage of encryption keys.
Data.05 Encryption In Transit - Data must be encrypted throughout its journey across the network from the source device to the destination device. These measures often include encryption and the use of secure connections (HTTPS, SSL, TLS, FTPS, VPN, etc) to protect the contents of data in transit.
Data.06 Data Integrity - Data integrity monitoring should be used whenever the accuracy, reliability, and consistency of data is required.
Data.08 Data Loss Protection (DLP) - Ensure Data Loss Prevention (DLP) measures are in place to prevent sensitive or confidential data from being lost, stolen, or accessed by unauthorized individuals. Including but not limited to endpoint devices, systems and networks that process, store or transmit sensitive information.
Data.09 Data Masking - Ensure data masking is applied to protect data in line with classification requirements such as applying characters, numbers or redacting (blanking or removing) sensitive information.
Data.16 Encryption In Use - The payload must be encrypted to prevent unauthorized access and modification, covering both data in transit and at rest.
Data.17 Access Control: Employee - To ensure access to organizational tools is granted based on role, responsibility, security requirements and to prevent unauthorized use or data exposure.
Data.19 Access Control: Non Human - To define the rules and procedures for managing access to service accounts, ensuring secure and auditable use across systems and applications.
Data.20 Privacy - All PII \ PHI collected, processed, stored, or transmitted by the organization must be protected in accordance with applicable privacy laws, regulations, and internal policies. This includes but is not limited to names, addresses, identification numbers, financial data, health information, and biometric data.
File File Storage - When considering guidelines for file storage, it's essential to focus on both security and efficient management.
IM Incident Management - Must have arrangements to respond, contain, investigate and manage security incidents including agreed breach notification procedures
INFRA Infrastructure - Must be able to provide network protection controls and secure communication services such as firewalling, secure gateways, proxy services and wireless network controls (if used) and use network access control lists to protect exposed product or service components from external and internal threats.
LMA Logging; Monitoring; Alerting - Must support continuous logging, auditing and monitoring of crucial application and platform level security events, user events and critical application or data transactions including: - Supporting connectivity to a continuous Security Event Monitoring service (e.g. SIEM); - Having ability to retain and protect audit, system and security logs.
Control

:




None

No Threat(s) found.

No Control(s) found.
An error has occurred. This application may no longer respond until reloaded. Reload 🗙