Add to FAQ #35

Closed
opened 2025-07-04 18:11:44 +02:00 by edelic1 · 4 comments
edelic1 commented 2025-07-04 18:11:44 +02:00 (Migrated from gitlab.com)

Q: How do you protect our data?

Protecting your data is the foundation of our service. We use a multi-layered, "security-in-depth" strategy to safeguard your information at every level.

End-to-End Encryption
Your data is fully encrypted at all times. We use the strong TLS 1.2+ protocol for data in transit and industry-standard AES-256 encryption for data at rest. These are the same robust standards trusted by financial institutions and governments worldwide.

Secure and Compliant Infrastructure
Our platform is built on industry-leading cloud providers (like AWS/GCP). All customer data is hosted in the EU, ensuring it benefits from world-class physical security and meets rigorous compliance standards, including ISO 27001.

Application & Access Security
We design our application to be secure from the ground up. Our development follows secure coding practices to prevent vulnerabilities. We enforce strict Role-Based Access Controls, and our application undergoes regular penetration testing by independent, third-party security experts.

Proactive Monitoring & Response
We operate with a "never trust, always verify" mindset. Our systems are monitored 24/7 for suspicious activity, and our team is prepared with a robust incident response plan to act swiftly on any potential threat.

For our Pay-Per-Report offering, we’ve engineered a revolutionary process that delivers a comprehensive risk analysis without requiring any of your sensitive, internal data.

Here’s how our privacy-first model works:
Questionnaire: You provide general characteristics about your company (e.g., industry, size, geography) through a simple questionnaire.
Digital Twin Creation: We use this information to build a "digital twin"—a conceptual model of your company's operational profile.
Threat Analysis: We then cross-reference this digital twin against our proprietary threat database to identify and evaluate the key threats and risks relevant to your unique characteristics.

The result is a highly accurate, tailored risk register created for you, without you ever having to upload a single sensitive document or confidential detail.

Q: Does Risklet confirm if our organization has a specific control and how effective it is?

A: No. Risklet does not perform an external audit or confirmation of your controls. It is a self-assessment tool designed to empower your organization.

Risklet enables you to conduct your own validation of controls. In the subscription version, you can then track the changes in your residual risk after this validation is completed, providing a clear view of your risk management progress.

Q: What is the role of our management in the risk analysis process, and what are our responsibilities after generating a report?

A: Management's role is critical, and the organization has several key responsibilities to turn the Risklet analysis into an effective cybersecurity program.

Management Approval is Essential
Management body approval and involvement are non-negotiable. There must be formal, documented proof that management has reviewed the analysis and approved the resulting action plans.

Formal Review and Approval: All policies and the risk register (including your organization's risk appetite and the acceptance of residual risk) must be formally reviewed and approved by the designated management body.

Document Decisions: These approvals and decisions must be documented, for example, in official meeting minutes.

Approve Action Plans: Management must formally approve the implementation of any "Plan of Actions and Milestones" (POAM) that results from the risk analysis.

Your Organization's Responsibilities
The Risklet report should be used as a catalyst to build and mature your cybersecurity program.

Define Your Risk Appetite: Risklet may present a standard consultancy scale for risk, but your organization must formally define, approve, and document its own specific risk appetite and tolerance levels.

Establish Governance: Use the report's findings to justify the resources needed to establish foundational governance. This includes creating and getting management approval for overarching policies (e.g., Policy on Security of Network and Information Systems) and a formal Risk Management Policy.

Develop and Document: Systematically create, document, and implement any missing topic-specific policies (e.g., Incident Handling, Business Continuity, Access Control). For each policy, document the supporting procedures and establish a schedule for testing them (e.g., BCDR tests, incident response drills).

Q: Does the Risklet report cover all possible risks in my organization?

A: Expand Scope with a Multi-Tiered Approach

The Risklet report provides an essential enterprise-level risk assessment. This aligns with Tier 1 (Organization Level) in the NIST risk management framework, focusing on high-level, strategic risk.
To achieve a more mature and comprehensive security posture, it is highly advised to expand this analysis to the other two tiers:
Tier 2 (Mission/Business Process Level): Assess risks in the context of your specific core business operations and processes.
Tier 3 (Information System Level): Conduct detailed technical risk assessments on the individual systems, applications, and networks that support those operations.

While performing assessments at all three tiers is a best practice, it's important to note that a deep-dive analysis at Tiers 2 and 3 is advised for robust security but not explicitly mandated by the NIS2 Directive. Your primary responsibility is to ensure that risks to all essential and important services are identified and managed effectively, using the Tier 1 analysis as your foundation.

edelic1 commented 2025-07-05 09:46:47 +02:00 (Migrated from gitlab.com)

changed the description
edelic1 commented 2025-07-05 09:48:35 +02:00 (Migrated from gitlab.com)

changed the description
amirsabani303 commented 2025-07-14 13:22:14 +02:00 (Migrated from gitlab.com)

mentioned in merge request !40
amirsabani303 commented 2025-07-14 13:22:27 +02:00 (Migrated from gitlab.com)

mentioned in commit 880db051565138ed6d12e1dad2a4e7e39040120d
amirsabani303 (Migrated from gitlab.com) closed this issue 2025-07-14 13:22:28 +02:00
Reference: senaduka/old-riskletpy#35