Select a choice to view how you compare
Compliance & Regulation Risk Assessment
Benchmark your organisation against others in your industry.
Cyber hygiene policies for infrastructure
1
Do you have cyber hygiene policies in place and regularly conduct cyber awareness training to mitigate the social engineering attack vector?
No policies or training in place
At this level, the organization has not yet implemented any policies or training related to cyber hygiene or social engineering attacks. There is no formal process for keeping systems updated, and users are not provided with guidance on how to identify or prevent attacks.
- No policies or training in place
- No policies or training in place
Ad hoc policies and training
At this level, the organization has some ad hoc policies and training programs in place related to cyber hygiene and social engineering attacks. Some users may receive occasional training or guidance on these topics, but there is no consistent or comprehensive approach.
- Ad hoc policies and training
- Ad hoc policies and training
Formal policies and regular training
At this level, the organization has formal policies in place related to cyber hygiene and social engineering attacks. All users receive regular training on these topics, and there are procedures in place for reporting and responding to potential incidents.
- Formal policies and regular training
- Formal policies and regular training
Mature policies and ongoing training
At this level, the organization has mature policies and ongoing training programs in place related to cyber hygiene and social engineering attacks. The policies and training programs are regularly reviewed and updated to reflect changes in the threat landscape, and there is a strong culture of security awareness throughout the organization.
- Mature policies and ongoing training
- Mature policies and ongoing training
Best-in-class policies and training
At this level, the organization has best-in-class policies and training programs in place related to cyber hygiene and social engineering attacks. The policies and training programs are tailored to specific job roles and functions within the organization, and there is a continuous improvement process in place to ensure that the organization stays ahead of emerging threats.
- Best-in-class policies and training
- Best-in-class policies and training
2
Do you have a maintained inventory of your organization’s digital assets and networks?
No inventory
The organization does not have an inventory of its digital assets and networks, and does not consider it a priority.
- No inventory
- No inventory
Ad hoc inventory
The organization may have an ad hoc inventory of its digital assets and networks, but it is not maintained or regularly updated.
- Ad hoc inventory
- Ad hoc inventory
Partial inventory
The organization has a partial inventory of its digital assets and networks, but it may be incomplete or not up-to-date.
- Partial inventory
- Partial inventory
Full inventory
The organization has a complete and up-to-date inventory of its digital assets and networks, but does not regularly review or maintain it.
- Full inventory
- Full inventory
Mature inventory management
The organization has a complete and up-to-date inventory of its digital assets and networks, and has a process in place to regularly review, update, and maintain it. Additionally, the inventory is integrated with other security processes such as vulnerability management and incident response.
- Mature inventory management
- Mature inventory management
3
Do you regularly update your programs and maintain system health to prevent cyber threats and attacks?
No updates
The organization does not update its programs or maintain system health, and does not consider it a priority.
- No updates
- No updates
Ad hoc updates
The organization may perform updates and maintenance on an ad hoc basis, but there is no formal process for doing so.
- Ad hoc updates
- Ad hoc updates
Partial updates
The organization has a process for performing updates and maintenance, but it is not comprehensive and may not cover all systems and software.
- Partial updates
- Partial updates
Full updates
The organization has a comprehensive process for performing updates and maintenance, but it may not be fully automated and may require manual intervention.
- Full updates
- Full updates
Continuous updates
The organization has a fully automated process for performing updates and maintenance, which is regularly reviewed and improved. Additionally, the organization has a process in place to detect and respond to security incidents that may result from unpatched vulnerabilities.
- Continuous updates
- Continuous updates
4
Have you implemented privileged access management, identity and access management, and endpoint security to secure and control admin accounts, user passwords and access, and prevent privilege escalation?
No
The organization does not have any of these measures in place.
- No
- No
Partially
The organization has implemented one or two of these measures, but not all of them.
The implementation of the measures is inconsistent across the organization.
The implementation of the measures is inconsistent across the organization.
- Partially
- Partially
Basic
The organization has implemented all three measures, but the implementation is not comprehensive or mature. The measures are not integrated or coordinated with each other.
- Basic
- Basic
Advanced
The organization has implemented all three measures in a comprehensive and mature manner.
The measures are integrated with each other and with other security controls.
The measures are integrated with each other and with other security controls.
- Advanced
- Advanced
Best practice
The organization has implemented all three measures in a comprehensive and mature manner.
The measures are continuously reviewed, tested, and improved based on industry best practices and emerging threats. The measures are fully integrated with other security controls, risk management processes, and compliance requirements.
The measures are continuously reviewed, tested, and improved based on industry best practices and emerging threats. The measures are fully integrated with other security controls, risk management processes, and compliance requirements.
- Best practice
- Best practice
Utility sector security
5
Do you protect your increasingly connected digitalized utilities and smart cities against cyberattacks?
No protection measures in place
The organization has no established security measures or protocols to protect digitalized utilities and smart cities from cyberattacks.
- No protection measures in place
- No protection measures in place
Basic protection measures in place
The organization has implemented some basic security measures to protect digitalized utilities and smart cities from cyberattacks. This could include basic access controls and network segmentation.
- Basic protection measures in place
- Basic protection measures in place
Proactive protection measures in place
The organization has implemented more advanced security measures to protect digitalized utilities and smart cities from cyberattacks. This could include network monitoring and threat detection, intrusion prevention systems, and security information and event management (SIEM) tools.
- Proactive protection measures in place
- Proactive protection measures in place
Advanced protection measures in place
The organization has implemented a comprehensive set of security measures to protect digitalized utilities and smart cities from cyberattacks. This could include advanced threat detection and response capabilities, penetration testing and vulnerability assessments, and regular security audits.
- Advanced protection measures in place
- Advanced protection measures in place
Best-in-class protection measures in place
The organization has implemented cutting-edge security measures and practices to protect digitalized utilities and smart cities from cyberattacks. This could include artificial intelligence (AI) and machine learning (ML) technologies and continuous security monitoring.
- Best-in-class protection measures in place
- Best-in-class protection measures in place
6
Have you implemented privileged access management, identity security intelligence, endpoint privilege security, and identity and access management to mitigate risks and secure your utility sector against cyberattacks?
No, we don’t have any of these measures in place
- No, we don’t have any of these measures in place
- No, we don’t have any of these measures in place
We have some of these measures in place
We have some of these measures in place but they are not comprehensive or well-integrated into out overall security framework
- We have some of these measures in place
- We have some of these measures in place
We have implemented these measures
We have implemented these measures, but they are not consistently enforced or monitored, and there may be gaps in our coverage.
- We have implemented these measures, but they are not consistently enforced or monitored, and there may be gaps in our coverage.
- We have implemented these measures, but they are not consistently enforced or monitored, and there may be gaps in our coverage.
We have a mature security program in place
Our security program includes all of these measures and is regularly tested and updated to address new threats and vulnerabilities
- We have a mature security program in place
- We have a mature security program in place
We have a highly advanced and sophisticated security program
Our security program goes beyond the basics and incorporates cutting-edge technologies and strategies to defend against the most advanced cyber threats.
- We have a highly advanced and sophisticated security program
- We have a highly advanced and sophisticated security program
Ransomware protection
7
Has the organisation deployed central components to detect, process and evaluate security-relevant events?
No, we do not have any defenses in place
We are also not aware of the potential risks and consequences of such attacks
- No, we do not have any defenses in place
- No, we do not have any defenses in place
We have basic security measures in place
These measures include antivirus software and firewalls, but we do not have a specific defense strategy against ransomware attacks. We are aware of the risks and are taking steps to improve our security posture.
- We have basic security measures in place
- We have basic security measures in place
We have implemented ransomware-specific defenses
These include regular backups, network segmentation, and vulnerability management. We have also established incident response and business continuity plans to ensure that we can quickly respond to any potential ransomware attacks.
- We have implemented ransomware-specific defenses
- We have implemented ransomware-specific defenses
We have implemented advanced security technologies
These include behavioural analytics, deception technology, and threat intelligence, to proactively detect and prevent ransomware attacks. We have also conducted regular security assessments and penetration testing to identify any vulnerabilities and improve our defenses.
- We have implemented advanced security technologies
- We have implemented advanced security technologies
We have implemented a comprehensive security program
Our program integrates people, processes, and technologies to protect our critical infrastructure against ransomware attacks. We regularly conduct security awareness training, use security analytics and automation to improve threat detection and response, and have established partnerships with industry experts and law enforcement agencies to stay up-to-date with the latest threat intelligence and best practices.
- We have implemented a comprehensive security program
- We have implemented a comprehensive security program
8
Is there a routine in place on how to act should you be subject to ransomware?
No routine or plan in place
There is no established routine or plan for how to act in the event of a ransomware attack.
There are no documented procedures or guidelines for handling a ransomware attack.
There are no documented procedures or guidelines for handling a ransomware attack.
- No routine or plan in place
- No routine or plan in place
Informal plan or guidelines
There is an informal plan or guidelines in place for how to respond to a ransomware attack.
The plan may be incomplete or outdated, and not all staff are aware of the plan.
The plan may be incomplete or outdated, and not all staff are aware of the plan.
- Informal plan or guidelines
- Informal plan or guidelines
Formal plan and procedures
There is a formal plan and documented procedures in place for how to respond to a ransomware attack. All staff are aware of the plan and have received training on their roles and responsibilities in the event of an attack.
- Formal plan and procedures
- Formal plan and procedures
Regular testing and updates
The response plan is regularly tested and updated to ensure it is effective and up to date.
Staff receive regular training and awareness campaigns on the latest threats and best practices for responding to ransomware attacks.
Staff receive regular training and awareness campaigns on the latest threats and best practices for responding to ransomware attacks.
- Regular testing and updates
- Regular testing and updates
Continuous improvement and advanced response capabilities
The organization has advanced response capabilities, such as real-time threat intelligence and automated response mechanisms. The response plan is continuously improved and refined based on the latest threat intelligence and incident data.
- Continuous improvement and advanced response capabilities
- Continuous improvement and advanced response capabilities
Supply chain security
9
Do you address supply chain security vulnerabilities?
No identified measures for supply chain security
At this level, the organization has not yet identified any supply chain security vulnerabilities and does not have any specific measures in place to address them.
- No identified measures for supply chain security
- No identified measures for supply chain security
Basic identification and monitoring of supply chain risks
At this level, the organization has identified some potential supply chain security vulnerabilities and has implemented basic monitoring measures to identify any potential threats.
- Basic identification and monitoring of supply chain risks
- Basic identification and monitoring of supply chain risks
Formal supply chain security management program
At this level, the organization has a formal program in place to manage supply chain security risks. This program includes regular risk assessments, vendor evaluations, and contract clauses that hold vendors accountable for security.
- Formal supply chain security management program
- Formal supply chain security management program
Advanced supply chain security program with continuous monitoring
At this level, the organization has an advanced program in place that includes continuous monitoring of the supply chain. The organization has established protocols for incident response and has implemented advanced threat detection and mitigation measures.
- Advanced supply chain security program with continuous monitoring
- Advanced supply chain security program with continuous monitoring
Robust supply chain security program with third-party verification
At this level, the organization has a robust program in place that includes third-party verification of its supply chain security measures. The organization has implemented advanced technologies such AI to manage and secure the supply chain, and regularly conducts penetration testing and red teaming exercises to identify and remediate vulnerabilities together with the entire supply chain.
- Robust supply chain security program with third-party verification
- Robust supply chain security program with third-party verification
10
Have you implemented secrets management and secure just-in-time remote access and session recording for outside vendors to reduce software supply chain risks and enforce the principle of least privilege?
Yes
- Yes
- Yes
No
- No
- No
Partially
- Partially
- Partially
Cyber hygiene practices for users
11
Do you use Zero Trust principles and identity and access management to enhance security?
Yes
- Yes
- Yes
No
- No
- No
Partially
- Partially
- Partially
12
Have you implemented multi-factor authentication and just-in-time access to restrict access to specified time windows and support Zero Trust principles?
Yes
- Yes
- Yes
No
- No
- No
Partially
- Partially
- Partially
Public electronic communications network security
13
Do you use end-to-end encryption and data-centric security concepts to ensure public electronic communications network security?
Yes
- Yes
- Yes
No
- No
- No
Partially
- Partially
- Partially
Mandatory incident reporting
14
Do you require critical entities to submit an early notification of an incident within 24 hours? (Required by NIS 2)
Yes
- Yes
- Yes
No
- No
- No
Partially
- Partially
- Partially
15
Have you implemented audit trails, identity security intelligence, identity and access management, and endpoint privilege security to automatically identify and report anomalous behavior and endpoint-originated attacks?
Yes
- Yes
- Yes
No
- No
- No
Partially
- Partially
- Partially
© {{CurrentYear}} Okta
