Services description: Security Rating® and AD Rating®

I. Security Rating® services

I.1. General overview

‍Security Rating® is a non-intrusive SaaS solution that evaluates a company's Cyber Security maturity through its public assets (IP address, URL, domain name). The solution provides an overall rating of a company's cyber security performance from 0 to 1000, as well as a grade from A to E in 6 security domains:

1. Attack surface: identifies the open entry points to the Internet that an attacker could potentially exploit to gain access to information.
   
2. Messaging: checks for the presence of technical devices limiting identity theft and exchange interception, as well as the presence of open relay services.
   
3. Web TLS/SSL: inspects aspects related to the hardening of web components: certificates, security headers and SSL vulnerabilities.
   
4. Security check: estimates the ability of an attacker to falsify domain name system (DNS) entries in order to redirect visitors to a malicious site.
   
5. Potential vulnerabilities: collects clues (identification of the types and versions of services retrieved) enabling us to deduce the components used and thus the existence of potential vulnerabilities in the scope being evaluated.
   
6. Security events discovered: tracks security events discovered among the assets present in the perimeter map, thanks to interconnection with Cyber Threat Intelligence (CTI) databases.
   

From 2 evaluated companies, the solution gives access to:

• A multi-rater dashboard: The scatterplot system lets you visualize the performance of all your ratings at a glance, and compare each company in your portfolio with the players in their sector.
  

• Maturity level by security domain: visualize your ecosystem's performance in each area of analysis, with a breakdown of companies by rating from A to E.
  

• A benchmark by company sector (divided into 22 sectors) to assess how the sectors of the companies in your portfolio measure up.
  

• A system of filters: 3 categories of filters (sector, audit type, tag) for one-click access to the data you're looking for. Tags can also be added.
  
  

  I.2. Key features

  This global rating, by area of analysis, can be accessed directly on the Security Rating® platform. A dashboard is available for each rated company. In addition to this rating, Security Rating® offers several functionalities:
  

• A sector benchmark: assess how your company ranks against all rated companies in the same sector. The benchmark shows the minimum rating, the maximum rating and the median for the sector.
  

• A timeshift function: access the history of all notes generated. View the note's evolution over time and download reports at each key date..
  

• Rating comparator: at two selected dates, compare changes in your rating for each area of analysis, as well as changes in your cartography, to better understand your rating.
  

• Reports to download with company logo:
  

  • A summary report, in PPT and PDF versions, including the overall assessment, the dashboard and the analysis by area of analysis to assess the cyber risk with your board;
    
  • A detailed report, in Excel and PDF format, with observables, recommendations and criticality levels to help the SSI team improve its cyber performance;
    
  • For multi-company accounts: export of mappings for all companies, in ZIP or Excel format;
    
  • For multi-company accounts: Observables for all companies, in ZIP or Excel format.
    
  • Mapping: check and modify the company's valuation perimeter, the administrator has control over the mapping and can add or deactivate an asset. A two-date comparison function is also available.
    

• Customized notifications: set up stall alerts and other notifications sent by email, on webhooks (Slack, Teams) or on the platform.
  

• Distribution of providers: graphical representation of the proportion of the various providers of IP addresses linked to the company's discovered assets,
  

• Priorities and points for improvement: view the number of assets assessed and those at risk for each area of analysis, access the criticality level indicated for each problem identified, and zoom in on points for improvement by selecting either a view by asset at risk or by control point.
  

• Detailed explanations and recommendations: access detailed explanations and recommendations for each problem identified, to bring you closer to the state of the art and improve your cyber posture.
  

• Vulnerability patching cadence: analyze your patching cadence on each severity level to ensure you are following best practices. Identify the most exposed URLs to improve your organization and your remediation plan.
  
  

  I.3 Available questionnaires

  Questionnaires can be completed on the Security Rating platform. They provide an additional level of insight into companies' cybersecurity maturity. These questionnaires can also benefit from a scoring system to facilitate analysis. These scores do not count towards a company's overall rating. Questionnaires can be repeated 3 times a year.
  

3 templates developed by Board of Cyber can be made available:

1. Assessing safety requirements:
   
   • Potential consequences of a security incident
     
   • Sensitivity of your IT assets
     
   • Level of exposure to threats
     
   • Importance of vulnerabilities
     
2. Cybersecurity maturity assessment:
   
   • Awareness-raising and training
     
   • Understanding the information system
     
   • Authentication and access control
     
   • Securing desktops and servers
     
   • Network security
     
   • Securing administration
     
   • Managing nomadism
     
   • Keeping information system up to date
     
   • Monitoring and auditing
     
   • Early detection of security incidents
     
   • Being prepared to manage security incidents
     
   • Business continuity
     
3. GDPR/data protection maturity audit:
   
   • Governance
     
   • Audit, Registry, Legality
     
   • Transfer outside EU
     
   • Subcontractors' GDPR compliance
     
   • Training and awareness-raising
     
   • Tools, processes, charts and procedures
     
   • Holding period
     
   • Data collection information
     
   • Consent of data subjects
     
   • Rights of the people concerned
     
   • IS security
     
     

     I.4. Putting the solution into service

     The solution is commissioned as soon as possible after receipt of the quotation, depending on the exchange of information between the customer and the service provider. Onboarding is equivalent to:
     

• Account and company(ies) creation;
  
• Launch evaluation of one or more notes;
  
• Checking and configuring mapping;
  
• Adding key users to the platform;
  
• CSM sets up a launch meeting (approx. 1h) with the customer to check user access, present the platform and its main functions, and the notes issued;
  
• CSM and support service available, user assistance;
  
• Shared knowledge base providing a first level of information on the solution.
  

II. Complementary products

As an option to the basic Security Rating® offer, 3 products can complete your rating and adapt it to your needs.

II.1. Rating frequency

The frequency of rating can be adapted to suit your needs: daily, weekly, monthly, quarterly, half-yearly or annual rating. A 45-day "Due Diligence" rating is available.

II.2. The scope of assessment: mapping

You can choose between 3 sizes of assets analyzed. Assets are domain names, URLs and IP addresses:

• Mapping of max 1000 assets - included.
  
• Extended cartography (between 1,001 and 2,500 assets) - optional.
  
• Extended cartography (between 2501 and 5000 assets)-optional.
  

II.3. Personalized questionnaires

Customized models can be integrated for completion and evaluation directly into the platform, on request.
Questionnaires integrated and/or created by our partners on the basis of various reference frameworks: eg. NIS Directive, OSE, LPM, sector-specific standards...

II.4. Advanced tests

Advanced tests can be set up by Board of Cyber partners. A dedicated tab will allow the partner to share information and test reports on the platform.

III. AD Rating® services

III.1. General overview

The AD Rating® Service is a continuous evaluation service for Active Directory configuration. It has two main components:

1. The AD Rating agent, installed on the customer's server machine:

a. The agent evaluates the AD configuration;

b. The agent generates an encrypted AD configuration report;

c. The agent communicates the encrypted report via a secure connection with the SaaS Platform.

2. The SaaS Platform, hosted in Board of Cyber environments:

a. The platform receives and stores the encrypted report;

b. The transmitted report is never stored in a decrypted version;

c. The score is calculated and displayed on the platform. Recommendations for configuration improvements are provided.

From 2 companies evaluated, the solution provides access to :

- A multi-rater dashboard: The scatterplot system enables you to visualize the performance of all your ratings at a glance.

III.2. Key features

This rating, both overall and by area of analysis, can be accessed directly on the AD Rating® platform. A dashboard is available for each rated company and for each Active Directory domain evaluated. In addition to rating, AD Rating® offers several other features:

• A timeshift function: access the history of all notes generated. View rating trends over time and download reports at any key date.

• Rating comparator: compare the rating evolution of each analysis area on two selected dates, as well as the evolution of your cartography, for a better understanding of your rating.

-Reports to download with company logo:

o A summary report, in PPT and PDF versions, including the overall assessment, the dashboard and the analysis by area of analysis to evaluate the cyber risk with your board;

o A detailed report, in Excel and PDF format, with observables, recommendations and criticality level, to help your ISS team improve cyber performance on your Active Directory domains;

• Customized notifications: set up stall alerts and other notifications sent by e-mail, on webhooks (Slack, Teams) or on the platform.

-Priorities and points for improvement: visualize the number of observables and the level of criticality, and zoom in on points for improvement.

• Detailed explanations and recommendations: access detailed explanations and recommendations on each identified problem to bring you closer to the state of the art and improve your cyber posture on Active Directory.

III.3. Putting the solution into service

The solution is commissioned as soon as possible after receipt of the signed Order and quotation, depending on the exchange of information between the Customer and the Service Provider. Onboarding is equivalent to:

• Creation of account, company or companies;

• Downloading the AD Rating installer and retrieving the API key from the AD Rating platform or via e-mail;

• Installing the agent on a machine in the customer's Active Directory domain: The Windows machine needs to belong to the AD domain to be evaluated. The machine must not be a domain controller. The machine must be able to connect to the product server via an Internet connection and be switched on 24/7. It does not need any special administrator rights on the network. Installation of the program requires local administrator rights on the machine.

• Insert the agent's specific API key to finalize installation;

• The unique API key enables the remote agent to upload information to the AD Rating platform;

• Main users are added to the platform;

• CSM sets up a launch meeting (approx. 1h) with the customer to check user access, present the platform and its main features, and the rating(s) issued;

• CSM and support service available, assistance with use.