Basis for security journey and NIS2
The CSAT scan is the first step in our security journey, our three-step approach to ensuring your company's IT environment is secure. It is also immediately a good basis for starting to comply with the NIS2 directive.
The CSAT: a proven assessment tool
CIS 18 framework, NIS2 and Zero-trust
The CSAT is a proven security assessment tool in line with international standards:
CIS 18 framework
Developed by a team of security experts, the tool is based on the CIS 18 framework. This is an internationally accepted framework of 18 controls developed by the Center for Internet Security (CIS). You can think of each control as a subject or management area under which security measures hang. There are three levels (Implementation Groups):
- IG1 with 56 measures, a good basis for SMEs.
- IG2 with 130 measures, for business services companies working with a lot of sensitive information.
- IG3 with 153 measures, for companies that are very mature in terms of cybersecurity and, for example, employ a security manager.
NIS2
The tool also analyses your environment against the principles of NIS2, the European cyber security directive. As a result, as a company you immediately have a good basis in hand to become NIS2-proof. Good to know: the CSAT is a tool, and the outcome of the scan does not determine whether you comply with the NIS2 directive. For that, you need an additional audit by an auditor or certification company.
Zero Trust
Furthermore, conducting an assessment through the CSAT fits seamlessly into a Zero Trust policy in which you secure all employees, devices and applications wherever they are and without hindering your company's productivity.
The 18 controls of the CIS 18 framework
- Inventory of hardware and software
- Inventory of authorised and unauthorised software
- Securing configurations of hardware and software
- Continuously updated software
- Securing network configurations
- Controlling access to system resources and data
- Continuous monitoring and analysis of log files
- Secure configuration of mobile and remote devices
- Securing data at rest and in motion
- Securing e-mail
- Securing web browsers
- Securing user and administrator accounts
- Restricting access to networks and systems from unauthorised networks
- Managing the use of removable media
- Securing wireless access points
- Securing system processes
- Securing access to secure configuration tools
- Securing access to security monitoring tools
How does such a CSAT scan work?

Technical analysis and questionnaire
The CSAT consists of a comprehensive technical analysis and a questionnaire. The automated scan quickly and effectively checks your corporate network, endpoints and your Microsoft 365 and Azure environment. All possible vulnerabilities come to light. Additionally, our security specialist runs through the questionnaire together with you or a colleague. This also creates a clear picture of your organisation's security processes and procedures.
A few examples of what the scan looks at:
Infrastructure and devices
Are there insecure, outdated devices in your business? Are all connections secure? Are firewalls active? Can you block devices remotely?
Applications
Which applications do your employees work with and what is their security like?
Updates and patches
Are the latest updates and patches of all programmes and devices installed?
Data
Where does the data reside? On your employees' devices, on your own server and/or on a server in an external data centre? Do employees use external hard drives or USB sticks? Is the data secure?
Backups
Are up-to-date backups in place? And are they stored correctly and securely? Can you restore backups easily?
Login
Does your company use two-factor authentication? Do your employees log in with a strong password? Are there remote users in your Microsoft environment?
Workplace
Do all employees have the access rights appropriate to their role or function?
Processes, procedures and policies
How do your employees handle data and passwords? Do they e-mail files or share files? What is the company policy on sensitive data? How does your company handle data encryption and destruction? And what do you do in case of malware, and how do you prevent it?
Result: a clear advisory report
Full scan or quick scan, depending on your type of business
We offer the CSAT in two variants: a full scan and a quick scan. Your type of company determines the choice. In any case, both variants offer you a good basis for complying with NIS2.
| Description | Full scan | Quick scan |
|---|---|---|
| Especially suitable for | Large companies and those that handle a lot of sensitive information | SMEs (up to around 300 employees) |
| Insight | Holistic insight into complete security hygiene | Holistic understanding of essential security hygiene |
| Technical scan | Extended scan. In scope: endpoints (extended), including Linux machines and networked devices; local Active Directory; e-mail: DNS check; Microsoft 365 environment; Azure tenant (extended); SharePoint on-premises; including Google Workspace and AWS | Basic scan. In scope: endpoints (basic); local Active Directory; e-mail: DNS check; Microsoft 365 environment; Azure tenant (limited number of datasets) |
| Questionnaire | | |
| Reporting | Management summary + very comprehensive report | Management summary + comprehensive report |
| Full CIS controls | | |
| CIS level | IG1, IG2 and IG3 (all 153 measures) | IG1 (56 measures) |
| Basis for complying with NIS2 | | |
| Basis for Zero Trust policy | Full mapping to Microsoft's Zero Trust principle | Partial mapping to Microsoft's Zero Trust principle; everything that falls under IG1 is linked |
| Lead time | Approximately 1 to 2 weeks | Approximately 1 week |
This is what the CSAT scan pathway looks like:
Intake
We will start with an intake. In it, we'll talk through the process with you, discuss the scope of the assessment and align expectations. We will also discuss the technical requirements.
Duration: about 1 hour (quick scan) or about 3 hours (full scan).
