To undergo a CDCAT assessment, the scope of the system to be assessed is defined. This could range from a whole organisation, to one main information system, down to a single laptop. The risk tolerance for the system is then agreed - how much business risk is acceptable for that system? This determines the controls and the level of maturity required to be effective against the current threats. If a control is not in place or is not being implemented effectively, this is viewed as a vulnerability and will adversely affect the capability of the organisation to withstand attack. Attackers will always target the weakest link in the security chain. The easily repeatable assessment can take as little as two hours depending on the scope, and produces a report immediately with full explanations. Frequent repetitions enable organisations to be responsive to cyber-criminals’ continuously evolving methods and check any enhancements made to their defences.
Typically, a CDCAT assessment engagement is over three days:
- Day 1 Initial client scoping
- Day 2 CDCAT Assessment with customer team
- Day 3 Delivery of CDCAT Assessment report and customer debrief