IT security review: Cybervadis report

·

IT security matters

We often remind our clients that we take data and IT security very seriously. As such we are always open to evaluations from trusted third parties, and often we are tested on several domains as part of the tendering process for big projects. Our CTO goes deeper into the topic of why IT security matters in this blog about our ISAE 3000 audit: https://www.egssis.com/we-passed-the-isae3000-type-1-audit/

In December 2020 another assessment was done for an important project with a large industrial customer. This assessment was executed by Cybervadis. Because we like to practice what we preach we are sharing the key findings of this cybersecurity report in this blog.

About Cybervadis

We were assessed by a leading company in the cyber-security review space, Cybervadis (https://cybervadis.com). In their own words: “CyberVadis provides enterprises with a cost-effective and scalable solution for third-party cybersecurity risk assessments. Our methodology maps to all major international compliance standards including NIST, ISO 27001, GDPR, and many other privacy and security laws. CyberVadis’ solution combines the speed of automation with the accuracy and effectiveness of a team of experts. We directly engage vendors from all over the world with assessments, validate results with an in-house team of security analysts, and issue companies a standardized cybersecurity rating that they can share with others, along with a detailed improvement plan for increasing their score and the ability to collaborate with clients on implementing better practices.”

Our score across 4 domains

As you can see on the screenshot below we have an overall score of 836/1000, while the average assessment score stood at 655, at the date of our assessment.

There are 4 domains that contribute to the overall score. Each sub-domain’s score is determined by evaluations across a range of categories.  

Identify

The first domain is all about identifying sensitive assets, risks, and how to cover major cybersecurity risks. As you can see we score 841/1000 for this domain.

In the graph you can also see how we score on the categories that are evaluated for this domain. We score above average for:

  1. HR (1000/1000!)
  2. Data Privacy
  3. Governance (1000/1000!)
  4. Risk Assessment (1000/1000!)

We have an industry average score for “Compliance” and “Asset Management”. The assessment also comes with some tips on how we can increase these scores. At the end of this blog our CTO explains how we’re addressing identified areas of improvement. This is an important part of our project to get ISO27001 certified by the end of 2021.

Protect

Besides identifying potential IT & cybersecurity threats it is important to have security measures in place to limit the risks, whether the threat is known or unknown. Protection is evaluated across 8 categories, as you can see in the graph below. We have attained a score of 825/1000 for this domain.

As you can see we scored slightly below average for ‘Network management & mobile security’. When we dive deeper, the points of improvement are mainly related to the wifi/internet in the EGSSIS offices, but this doesn’t impact any of our solutions, which are hosted in ISO27001 certified data centres!

For all other areas we score well above average:

  • Access management
  • Awareness & Training (1000/1000!)
  • Information protection
  • Third-party management
  • Physical protection
  • Infrastructure security (1000/1000!)
  • Security in projects & application development

We are open to providing prospective clients access to the full report and walk you through it.

Detect

You’ve identified risks, and have done the most you can to protect yourself from these cybersecurity threats, but there is more! You also need systems in place to detect and identify these threats should they occur. We have a score of 828/1000 for this domain.

As the graph shows we are scoring above average for “Logging & Monitoring” and “Anomalies & Events”.

Regarding EGSSIS’ “Detection Process” we even attain the maximum score.

React

Once threats are detected you need to have the appropriate response. We’re very proud to see we attain the maximum score for this domain, with both our ‘Improvements’ and ‘Incident Management’ areas getting scored 1000/1000!

One part of reacting appropriately is to simulate events and learn from these exercises. You can read the story about our ‘Disaster Recovery Exercise’ which we executed a year ago: https://www.egssis.com/disaster-recovery-exercise-of-13-06/ – soon there will be another one scheduled, to ensure all systems are ready in case disaster strikes.

Recap by our CTO

Our mission at EGSSIS is to make sure we deliver high-quality solutions to our customers.  These days you cannot ship IT solutions without having a good security design/practice throughout the complete phase of the IT project.

Hardware and software components must be protected against attacks “known” by everyone. But this is not the only attack surface of “hackers”; when we communicate with our customers we share a lot of sensitive information (connections to servers, username/passwords/…); to protect this information we need to coach our staff.

That is the main reason why we are certifying ourselves for an ISO27001 certificate. Beforehand only IT was thinking about (cyber)security, but nowadays everyone in the organization thinks and acts in line with IT security guidelines and policies when they have to deal with (digital) information! We have noticed an increased awareness of such issues throughout our training sessions with employees, ‘phishing tests’,etc. I can gladly report that all Butlers & Whizzkids follow proper IT security practices and work 24/7 to keep your data safe.