Service Overview
The Maturity Assessment, conducted by CYE’s architecture team, serves as a foundational step in evaluating and improving an organization’s cybersecurity maturity. The assessment examines the organization's cyber defenses to determine its current maturity level. It identifies gaps in the overall security program from both a technical and a procedural perspective, and provides recommendations for closing those gaps to increase the organizational maturity score.
Methodology
The assessment includes the following activities:
Interviews with relevant personnel to obtain insight into the organization’s procedures, infrastructure, and security controls.
Configuration reviews of critical infrastructure, based on the organization’s technology stack.
Analysis of current security gaps using NIST Cybersecurity Framework (CSF) 2.0.
Deliverables
All discovered findings are presented in Hyver, CYE’s Continuous Threat Exposure Management (CTEM) platform.
A maturity level indicative of the organization's current security posture.
The maturity level is derived from NIST CSF, incorporating both technical findings and contextual insights from the organization.
Prerequisites
A network diagram
Read-only/Viewer access to relevant infrastructure, including (but not limited to):
  Azure Active Directory (AAD)
  Cloud management plane
  Security controls
  Firewall administration tools
  Asset management systems
  SIEM
  MDM
  (A full list is available in the appendix)
Remote access to domain controllers
Engagement and availability of relevant stakeholders
Completion of a pre-assessment document, including scoping information, asset data, and other relevant information based on the environment and the unique scope of the engagement
Customer Engagement
The following meetings are required:
During the assessment, CYE may coordinate a visit to the client's HQ to meet key individuals in the organization.
Post-visit, the team might require a few remote sessions to clarify questions during the analysis phase.
Relevant Standards
This engagement aligns with the following standards:
NIST Cybersecurity Framework 2.0
ISO/IEC 27001
Security Domains
The following security domains are addressed and revised depending on the results of the assessment:
Cross-organization policies, procedures, and governance
Security operations, monitoring, and incident response
Identity management and remote access
Sensitive data and information management
Network-level security
Server, network equipment, and endpoint security
Appendix
System List Access Requirements
NIST Function | System | Exists? | Product | Required permissions |
IDENTIFY | MDM | | | Global Reader |
IDENTIFY | Asset management | | | Read-only |
GOVERNANCE | Risk Register | | | Viewer |
GOVERNANCE | Vendor Management system | | | Viewer |
IDENTIFY | Vulnerability Management | | | Security Administrator |
PROTECT | EDR/XDR/MDR | | | Read-only Admin |
PROTECT | Email protection solution | | | Security Administrator |
PROTECT | IdP | | | Domain Admin Security reader in Entra-ID |
PROTECT | Code repository | | | |
PROTECT | Cloud infrastructure | | | Reader on relevant subscriptions |
PROTECT | DLP | | | |
PROTECT | Firewall / SD-WAN | | | Read only admin to management console |
PROTECT | Remote Access | | | Read only admin to management console |
PROTECT | NAC | | | |
PROTECT | PAM Solution | | | |
PROTECT | VDI | | | Read only admin to management console |
IDENTIFY | CASB | | | |
DETECT | SIEM | | | Read only admin |
RESPONSE | Case Management Solution | | | |
RECOVER | Backup Solution | | | |
