Quality Score Rubric

The Quality Score Rubric offers general scoring guidelines for the Organization, Asset, and Transfers tabs. Guidelines for the individual scores on each tab are listed below.

| Organization | Asset | Transfers |
|---|---|---|
| Disaster Recovery Score | Encryption Quality Score | Encryption Quality Score |
| Business Recovery Score | Antivirus Quality Score | |
| Network Intrusion Recovery Score | Firewall Quality Score | |
| Security Policy Score | Application Security Score | |
| Vendor Security Policy Score | | |
| Privacy Policy Score | | |
| IT Maturity Score | | |

Choosing a quality score sometimes involves subjective evaluation. Use these guidelines to help you choose the score that reflects your best judgment, even if the organization does not exactly match the guidelines. Assign the "Below Average" or "Above Average" score when you think the organization's program or policy falls between "Poor" and "Average" or between "Average" and "Excellent," respectively. In the tables that follow, a "Yes" or a value in a column marks the element expected at that score level; the Below Average and Above Average columns are largely left blank for this reason.

Organization Tab

Business Recovery Score

| Guideline | Poor | Below Average | Average | Above Average | Excellent |
|---|---|---|---|---|---|
| 1. Business recovery plan | | | | | |
| 1.1 Policy and procedures | Yes | | Yes | | |
| 1.2 Development/implementation, with supporting plans such as an IT service continuity plan, business resumption plan and incident management plan | | | Yes | | |
| 1.3 Testing and training | | | Yes | | |
| 2. System audit and update | | | | | |
| 2.1 Frequency | | | Annual | | Biannual (twice a year) |
| 3. Certification/compliance | | | | | |
| 3.1 ISO 27001 / ISO 20000 and/or ISO 22301 and/or applicable NIST SP 800-53 security controls (e.g., Contingency Planning, Risk Assessment) | | | | | Yes |

Network Intrusion Recovery Score

| Guideline | Poor | Below Average | Average | Above Average | Excellent |
|---|---|---|---|---|---|
| 1. Network intrusion detection system | | | | | |
| 1.1 Incident tracking and reporting | Yes | | Yes | | Yes |
| 1.2 Web traffic log management | | | Yes | | Yes |
| 1.3 Penetration testing | | | Yes | | Yes |
| 1.4 Security Information and Event Management (SIEM) solution | | | | | Yes |
| 1.5 Data leakage protection (DLP) | | | | | Yes |
| 1.6 Intrusion prevention system (IPS) | | | | | Yes |
| 2. System audit and update | | | | | |
| 2.1 Frequency | | | Annual | | Biannual (twice a year) |
| 3. Certification/compliance | | | | | |
| 3.1 Applicable NIST SP 800-53 security controls (e.g., System and Information Integrity) | | | | | Yes |

Security Policy Score

| Guideline | Poor | Below Average | Average | Above Average | Excellent |
|---|---|---|---|---|---|
| 1. IT security policy | | | | | |
| 1.1 Scope and purpose | Yes | | Yes | | |
| 1.2 Personnel information security | | | Yes | | |
| 1.3 Physical information security | | | Yes | | |
| 1.4 Access control | | | Yes | | |
| 1.5 Information asset management | | | Yes | | |
| 1.6 Information security incident management | | | Yes | | |
| 1.7 Media/publishing policy for publication of content | | | Yes | | |
| 2. System audit and update | | | | | |
| 2.1 Frequency | | | Annual | | Biannual (twice a year) |
| 3. Certification/compliance | | | | | |
| 3.1 ISO 27001 and/or applicable NIST SP 800-53 security controls (e.g., Access Control, Configuration Management, Incident Response) and/or Cyber Essentials (UK only) | | | | | Yes |

Vendor Security Policy Score

| Guideline | Poor | Below Average | Average | Above Average | Excellent |
|---|---|---|---|---|---|
| 1. Vendor security policy | | | | | |
| 1.1 Basic policy | Yes | | Yes | | Yes |
| 1.2 Vendor classification/profiling and assessment | | | Yes | | Yes |
| 1.3 Details the type of data that can be accessed, the duration of access and the specific times of access | | | Yes | | Yes |
| 1.4 Includes a recovery plan for the compromise of a vendor device holding sensitive information relating to the organization | | | | | Yes |
| 1.5 Covers incident reporting from the vendor's standpoint | | | | | Yes |
| 1.6 Cloud security (if applicable) | | | | | |
| 2. System audit and update | | | | | |
| 2.1 Frequency | | | Annual | | Biannual (twice a year) |
| 3. BitSight® Rating (optional; not required for a valid score) | | | | | |
| 3.1 Rating bins | 250-350 | 350-500 | 500-640 | 640-740 | >740 |

Privacy Policy Score

| Guideline | Poor | Below Average | Average | Above Average | Excellent |
|---|---|---|---|---|---|
| 1. Privacy policy | | | | | |
| 1.1 Scope and purpose | Yes | | Yes | | Yes |
| 1.2 Collection and use of personal information and its purpose | Yes | | Yes | | Yes |
| 1.3 Use of cookies | | | Yes | | Yes |
| 1.4 Security/protection of the data | | | Yes | | Yes |
| 1.5 Links to other websites | | | Yes | | Yes |
| 1.6 Changes to the policy | | | Yes | | Yes |
| 1.7 Contact information | | | Yes | | Yes |
| 1.8 Posted on the organization's website | | | Yes | | Yes |
| 1.9 Handling of electronic devices of employees and in the workplace | | | | | Yes |
| 1.10 Policy conditions for handling financial (payment) gateways in the organization's systems | | | | | Yes |
| 1.11 State/country-specific provisions | | | | | Yes |
| 2. System audit and update | | | | | |
| 2.1 Frequency | | | Annual | | Biannual (twice a year) |
| 3. Certification/compliance | | | | | |
| 3.1 Meets applicable regulatory guidelines, e.g., HIPAA, Gramm-Leach-Bliley Act (1999), EU-US Safe Harbor Framework, European Union Data Protection Directive (note: both EU instruments have since been superseded; Safe Harbor was invalidated in 2015 and the Directive was replaced by the GDPR in 2018) | | | | | Yes |

IT Maturity Score

| Guideline | Poor | Below Average | Average | Above Average | Excellent |
|---|---|---|---|---|---|
| 1. Information security | | | | | |
| 1.1 Information security is weak and presents unacceptable risks | Yes | | | | |
| 1.2 InfoSec activities are ad hoc and typically IT-focused | Yes | | Yes | | |
| 1.3 Line-of-business managers are clearly aware of the risk associated with their business lines | | | | | Yes |
| 1.4 Continuous self-improvement practices in place | | | | | Yes |
| 1.5 CISO in place | | | | | Yes |
| 2. Roles and responsibilities, information security policies | | | | | |
| 2.1 Scope of definition | | | Not well defined | | Well defined |
| 3. Enterprise security awareness | | | | | |
| 3.1 Level of awareness | Low | | Medium | | High |
| 3.2 Security training and proactive testing for employees | | | Yes | | Yes |

Asset Tab

Encryption Quality Score

| Guideline | Poor | Below Average | Average | Above Average | Excellent |
|---|---|---|---|---|---|
| 1. Encryption | | | | | |
| 1.1 Basic disk encryption | Yes | | | | |
| 2. Certification/compliance | | | | | |
| 2.1 ISO 27001 | | | | Yes | Yes |
| 2.2 FIPS 140-2 security level (FIPS 140-2 has since been succeeded by FIPS 140-3, which keeps the same four levels) | None | Level 1 | Level 2 | Level 3 | Level 4 |

Antivirus Quality Score

| Guideline | Poor | Below Average | Average | Above Average | Excellent |
|---|---|---|---|---|---|
| 1. Antivirus product | | | | | |
| 1.1 Free version downloaded from the Internet | Yes | | | | |
| 1.2 ICSA-certified product | | | Yes | | Yes |
| 1.3 Scope of installation | Few workstations | | Most workstations, servers | | All endpoint devices |
| 2. Certification/compliance | | | | | |
| 2.1 PCI DSS compliance | | | | | Yes |

Firewall Quality Score

| Guideline | Poor | Below Average | Average | Above Average | Excellent |
|---|---|---|---|---|---|
| 1. Firewall | | | | | |
| 1.1 Type | Basic packet filtering | Circuit-level gateway | Application-level gateway | Stateful multilayer inspection firewall / UTM | Next-generation firewall (NGFW) |
| 1.2 Sandboxing | | | | Yes | Yes |
| 1.3 Scope of installation | Few workstations | Few workstations | Most workstations, servers | All endpoint devices | All endpoint devices |
| 2. Certification/compliance | | | | | |
| 2.1 PCI DSS compliance | | | Yes | Yes | Yes |
| 2.2 NIST SP 800-41 compliance and/or ISO 27001 and/or Cyber Essentials (UK only) | | | | Yes | Yes |

Application Security Score

| Guideline | Poor | Below Average | Average | Above Average | Excellent |
|---|---|---|---|---|---|
| 1. Software flaws | | | | | |
| 1.1 Identification of software flaws and common vulnerabilities and exposures (CVE/CWE) in all applications and software modules, including those developed internally | Yes | | Yes | | Yes |
| 1.2 Patch management for identified vulnerabilities | | | Yes | | Yes |
| 1.3 Time frame for implementation of critical patches | Greater than a month | | A week | | 24-72 hours |
| 1.4 Zero-day analytics | | | | | Yes |

Transfers Tab

Encryption Quality Score

| Guideline | Poor | Below Average | Average | Above Average | Excellent |
|---|---|---|---|---|---|
| 1. Encryption | | | | | |
| 1.1 Basic DES 56-bit encryption (single DES has been withdrawn by NIST and its 56-bit key is brute-forceable, hence the Poor rating) | Yes | | | | |
| 2. Certification/compliance | | | | | |
| 2.1 ISO 27001 | | | | Yes | Yes |
| 2.2 FIPS 140-2 security level (FIPS 140-2 has since been succeeded by FIPS 140-3, which keeps the same four levels) | None | Level 1 | Level 2 | Level 3 | Level 4 |

© 2016 AIR Worldwide. All rights reserved.