Welcome to the IT Security Grader

This 7-question grader matches your problem areas with solutions aligned to increase your competitiveness.

The goal here is to identify holes in your security system and processes. It will also educate you on basic security issues.

As your Managed Service Provider, we are responsible for educating you and your team so that you can make the right decisions about security.

Background

Question 1

How do you see IT related risks impacting your company in the future:
Managing IT security is going to be more important
We see it the same way. Company data is more embedded in networks, people are using multiple devices, and data is now everywhere internally and externally. The impact of IT security in your company is growing. Management of this is a must. You have to make the right decisions to be secure but not overspend.
Managing IT security is going to be less important
Market trends see it differently. Your company data is more embedded in networks, people are using multiple devices, and data is now everywhere around the world. The impact of IT security on the whole is growing. Management of this is a must. You have to make the right decisions to be secure but not overspend.

Question 2

Do you think proper backup is enough to prevent any data loss?
Yes, it is enough

Backup is not enough to prevent data loss.
All the intellectual property of any company is in your files, emails and systems. Protecting these properties is a very basic and crucial business risk management responsibility. The obvious solution for managing that risk is backup. Most companies are not thinking further on this topic.

Current backup technologies are designed for saving the raw data and in case of data loss, managing the restoration process. In the last couple of years infrastructure systems have become very complex. This complexity means the systems are interrelated and working through integrations. Also, backup policies and processes do not always keep up with changes in technology.

There is a good chance that during data loss the integrations and bridges between different systems and software suffer as well. This means a pure backup restoration cannot guarantee the full restoration of the systems. Sometimes only partial data and services can be restored.

Challenge/Threat

Even with best efforts to systemize a backup process, the possibility of data loss remains high when true, real world restoration tests cannot be completed. The solution is to do comprehensive data loss and recovery tests periodically to make sure in any case of data loss the data can be recovered fully without any issue.

Action Item

A Data Recovery Test Project solves this problem. It tests the current state and defines easy compliance processes.

No, it is not enough

You are correct! Backup is insufficient to prevent data loss.

All the intellectual property of any company is in your files, emails and systems. Protecting these properties is a very basic and crucial business risk management responsibility. The obvious solution for managing that risk is backup. Most companies are not thinking further on this topic.

As you already know, current backup technologies are only designed for saving the raw data and, in case of data loss, managing the restoration process.

There is a good chance that during data loss the integrations and bridges between different systems and software suffer as well. This means a pure backup restoration cannot guarantee the full restoration of the systems. Typically only partial data and services can be restored.

Challenge/Threat

Even with best efforts to systemize a backup process, the possibility of data loss remains high when true, real world restoration tests cannot be completed. The solution is to do comprehensive data loss and recovery tests periodically to make sure in any case of data loss the data can be recovered fully without any issues.

Action Item

A Data Recovery Test Project solves this problem. It tests the current state and defines easy compliance processes.

Question 3

Do you have a proper, updated plan for disaster?
Yes, we have a fully updated 360-degree Disaster Recovery Plan

Good Job!

A fully updated 360-degree Disaster Recovery Plan is not meant to sit on the shelf; we all know it! We hope you will never need it.

I am not sure... do I really need one?

Disaster Recovery Plan

There is no question your company is wired with technology in a big way. This is a good thing because of fast communication, efficient workflow, better collaboration, and so on. We have to be aware that the technology around us is very fragile. Many systems, devices, and networks work together with changing environment components.

The failure of any system or the whole ecosystem impacts the performance and continuity of the entire company. Therefore we have to identify which business processes and company deliverables are most impacted by a potential failure. Knowing what can be at risk is one thing; being proactive and knowing what to do in case of failure is the other.

How do you call your customers if their numbers are in the system which is down? How do you service the clients if the accounting system is down? How do you communicate with other branches or remote employees if the email is down?

Challenge/Threat

Do you have mandatory fire drills to escape the building as soon as possible? You have general workplace health and safety training all the time to keep aware of general safety issues.

A Disaster Recovery Plan can help you and your customers act as fast as possible to get back on track, restore data, and get everything up and running again. It also helps employees identify failures and, moreover, know how to substitute processes until the entire system is back up. Create a plan and educate your people.

Low Hanging Fruit Action Item

The Disaster Recovery Plan project solves this problem. The goal is to let the key stakeholders understand the effects of IT on the main company workflows and processes, so that IT services can best be implemented to ensure the needed business continuity. We create a document regarding the main company workflows, company work time, possible downtime causes, and downtime cost calculations.

Question 4

Are personal and company mobile devices secure across the organization?
Yes, every device around the company is secure

Great Job!

It’s important to control and audit this with some frequency. If you haven’t done that in quite a while, it may be time to review.

I do not know what the company has to do with personal devices of individuals?!

Personal Mobile Device Security

In many cases employees are using both personal and company devices for their work. Many of these devices are portable: notebooks, tablets and smartphones. These devices often contain very sensitive company data. Typically the most important and sensitive data is related to your clients: contracts, prices, account numbers, projects, and so on. There are ways to protect devices, and statistics show that 10-15% of these devices are lost or stolen every year.

There's no shortage of problems created by the loss or theft of a mobile device. Data on hard drives and memory cards can be captured even when there is password protection in the operating system. The email server data is right there in the settings menu on smartphones. The file server and cloud application passwords are saved in the browser, where they can also be easily captured.

Challenge/Threat

Users can be educated about obvious and non-obvious threats and basic device protection strategies. Hard drives can be encrypted, and mobile devices can be forced to be password protected, with the ability to be remotely managed and erased.

The goal is to make sure company data will not be breached by losing portable and mobile devices.

Action Item

The Personal Mobile Device Security Project solves this problem. Hard drives use encryption. Mobile devices are password protected and data security policies are implemented, tested and enforced.

Question 5

Are you sure your clients' sensitive data is secure in case of a data breach?
Yes, we have proper policies and processes for managing the risk

Good Job!

Most people neglect IT security. Security is not about buying expensive solutions; it’s about being smart.

Many do not know that the best practice is a focused effort on protecting sensitive data.

No, I am not sure what risks I am taking

Risk Management Audit

Many companies manage all kinds of data: client related, internal, government, or employee related. Much of the data you are managing can be sensitive, classified, or under non-disclosure. You have responsibilities in managing that data. If your employees or your vendors mismanage the information, you will be put in a difficult situation.

You manage email lists, and all companies are regulated in how they can use those lists. If your junior marketing assistant starts sending emails with the new email software, you violate the spam act. You have contracts and agreements that fall under non-disclosure agreements. An employee can easily break one by sending it to the wrong email address. You have salary, commissions, healthcare information and agreements with employees. There are many ways people can breach this intentionally or unintentionally and cause legal issues in the company. Pricing sheets, client lists, internal calculations, vendor information and business processes are all very critical documents that need to be protected to keep the competitive edge.

Challenge/Threat

If we are able to identify sensitive or classified information, we are able to create a strategy to protect it efficiently. If not, either we have to protect everything (which is ineffective), or have holes in our system and take a huge business risk.

After creating the strategy, we can break it down to smaller projects: protecting emails, file systems, creating access control, and so on.

Action Item

The Risk Management Audit solves this problem. The goal is to make sure you and your company understand the basic IT related risks, and have common ground on what data is sensitive, what you need to protect better, and what needs to have regulated access.

Question 6

Are the passwords of all devices and systems secure in your company?
Yes, we have a password management system in place to have control over every device and system

Well done!

Having a password management tool can help the business manage all the HR based risks. We have all heard about the revenge of ticked off people who had access and passwords to systems that were not disabled in time.

I am not sure if we are controlling the passwords

Password Management System Implementation Project

Every company relies on its IT and on the applications running on top of it. System access is managed by usernames and passwords. As the complexity goes up, the number of devices and servers goes up accordingly. The usernames and passwords are managed by service providers, internal resources and third party technicians in several companies.

Too often these passwords and usernames are not at all protected. Vendors use different password combinations and IT service providers are using their internal documentation for handling the passwords.

Our employees are facing more challenges, because the number of systems they are using has increased dramatically. Think about the cloud services, banking information, local applications and network access. Every one of them needs a username and password.

Challenge/Threat

Changing service providers carries a potential risk of breaching critical information about your internal systems. Management of your critical passwords is not governed; you do not see who has access nor from where. Our users are managing way more passwords than they can handle. Eventually they are going to write them down and share them, which makes your systems totally vulnerable.

Overall, the company has no systems in place to be able to lock out any technical or non-technical resource from any type of system. Think about a layoff, or an event of a broken trust. The business has no control over the most critical assets: the information assets.

Action Item

The Password Management Implementation project solves this problem. The goal is to make sure all the passwords in the organization can be controlled by executives. That is why a password management system, which controls all the corporate-wide passwords from admin passwords to user and cloud-based applications, is crucial. The project implements such solutions in your environment and creates the necessary company policies and education.

Question 7

Are you able to measure IT-related security and business continuity?
No, this is a totally black box to me

IT Management Maturity Benchmark and action plan

The technology impacts your company more and more, and the complexity of it is getting higher and higher. The technology part is probably solved by vendors and technology people. What about the management and leadership? Is a leadership / management role in place to manage those issues? Technology and management maturity of the company directly relate to the competitiveness in the market. If the maturity is high, the technology can be a competitive advantage of the company.

Now there are methods to measure the different elements influencing the competitive advantage, benchmark those, and set up action plans that should be done to manage the bottlenecks.

Challenge/Threat

Your company, with more mature use of technology, can outpace your competition in many ways: better alignment, internal communication, productivity, and branding, more agile workforce, teamwork, and customer satisfaction.

The measurement of competitiveness creates an X-Ray of the company. The benchmark determines where the company is performing best or worst. The action plan provides a very straightforward opportunity to develop specific areas. The quarterly measurement creates a feedback loop and continuous improvement.

Action Item

The IT Competitiveness Quotient solves this problem. The goal is to have a self-assessment, benchmark and action planning tool, with target scores to help the company increase its maturity with IT. The maturity increase improves competitiveness in many areas of the company: efficiency, productivity, and operational excellence.

Yes, we have a benchmark and we measure ourselves against it

Wow.

This is the rarest of qualities of any company. So rare, we have yet to meet a company that does this effectively.
