Challenges
Role Specific Access
vucavoid challenges are accessible to users with the following roles:
- Compliance Manager: Full access to manage and oversee challenges within the system.
- Risk Manager (view only): Access to view challenges, enabling insights into the organization's compliance and risk landscape.
- Challenge Manager: Specialized role focusing on the creation, management, and assessment of challenges.
- Slot Assessors: Any account assigned as a slot assessor can contribute specifically to their assigned slots within a challenge.
Overview
Challenges in vucavoid are assessments designed to measure an organization's compliance and security posture against specific benchmarks. These challenges enable organizations to "challenge" their scope against set requirements or threats, ensuring continuous alignment with compliance and security requirements.
Every challenge is established by matching two different parts:
- Benchmark: The baseline compliance level that all scope elements are expected to meet. This can be either the tenant's requirements or the tenant's cyber threats.
- Scope: Capabilities and/or objects of a tenant's meta model that are challenged against the benchmark elements.
Challenges can be set up for internal or external purposes. Since a tenant can create an unlimited number of challenges, a multitude of variations is possible.
Types of Benchmarks
Challenges in vucavoid support two main types of benchmarks:
- Requirements: These are derived from contracts, regulations, or standards, providing a compliance-focused benchmark.
- Threats: Modeled on the MITRE ATT&CK framework, these benchmarks focus on assessing IT assets against known cybersecurity threats.
For both requirements and threats, a tenant can select one, several or all of them to form the benchmark of a specific challenge, which makes it possible to slice challenges as needed by the tenant's organization.
Scope elements
Challenges in vucavoid can be applied to various types of scope elements from your meta model:
- Requirements-Based Challenges: Can be benchmarked against any type of asset in scope.
- Threat-Based Challenges: Limited to benchmarking IT assets in your meta model against threats.
Potential use cases
Challenges can be used for all use cases that involve the assessment of requirements and/or threats. The following table gives a non-exhaustive list of use cases.
Use case | Comment |
---|---|
Internal audit | Running an internal audit for a specific set of requirements, for example to check the implementation of requirements that belong to a specific domain or category within a specific scope of the tenant's meta model, can be significantly supported by a vucavoid challenge. By selecting the audit-relevant requirements and scope elements, auditors and auditees gain a major improvement in transparency and expectation management when an audit scope is planned as a challenge. |
Pre-audit for external audit | For upcoming audits, such as ISO audits (e. g. ISO 27001, ISO 9001 or ISO 22301), both requirement- and threat-based challenges are a great tool to prepare internally. By selecting the requirements of a specific standard as the benchmarking element and the audit-relevant scope of the meta model, organizations can effectively do a dry run of the upcoming audit. Challenge data can also be shared with external auditors, either offline (e. g. via screen-sharing) or online by inviting the auditor to the tenant and making that user account a watcher (see further below) for the specific challenge only. |
Client assessments | Using the requirements that come from a specific client engagement (contracts, SLAs) as the benchmark and the service-related parts of the meta model as the scope can effectively provide a client with an assuring report on the compliance posture of a tenant's organization. This also comes in very handy when participating in tenders or requests for proposals (RFPs), as it provides insight into the current coverage of the compliance requirements. |
Readiness assessment/Fit-gap | Any other kind or subset of requirements can easily be benchmarked against the scope of choice or relevance. These could be regulatory requirements, upcoming laws, upcoming client contracts or standards (for certification or attestation). |
Since challenges also have direct support for the creation of findings, risks and controls, they are not isolated assessments but integrate into the overall compliance management of a tenant.
Challenge Attributes
vucavoid's Challenges are defined by a set of attributes, ensuring detailed documentation and management of each challenge.
Challenge Basics
- Title: Assign a unique and descriptive title for clear identification.
- Type: Select between Requirement-based or Threat-based challenges, which determines the benchmarking elements.
- Description: Provide a brief overview of the challenge’s primary purpose.
Challenge Timing
- Starts at: Define the start date for the challenge period.
- Ends at: Set the end date, ensuring it is future-dated and after the start date.
- Deadline: Establish a deadline for the assessment of assigned slots.
- Is recurring: Indicate if the challenge repeats, and if so, define the recurrence interval.
- Select interval (for recurring challenges): Choose from options like Monthly, Quarterly, Biannually, and Annually.
Benchmark Elements
- Requirements (for Requirement-based challenges): Choose the relevant requirements to benchmark against.
- Threats (for Threat-based challenges): Select specific threats from the MITRE ATT&CK framework for assessment.
Requirements can be selected by filtering and searching for them just like in the overview of requirements themselves.
Scope Elements
- Capabilities: Define the scope through direct or indirect selection of elements via capabilities.
- Objects: For Requirement-based challenges, include various object types. For Threat-based challenges, only IT assets are applicable.
Meta model elements (IT assets in the example below) can be selected by filtering and searching for them just like in the overview of the meta model elements themselves.
Challenge Status
- Status: Displays the current state of the challenge, with possible statuses including Initial, In Progress, Final, and Archived.
Challenge Management
- Owner: Appoint the individual responsible for overseeing the challenge.
- Assessors: Assign assessors for the challenge, or default to the owner or SMEs if not specified.
- Watchers: Read-only access to the specific challenge.
Slots
Slots in vucavoid challenges represent individual assessments within a broader challenge, where scope elements are evaluated against benchmark elements.
vucavoid creates one slot for each unique match of a benchmark element and a scope element. See the following example for more clarity.
Example (simplified)
The following benchmark elements are part of a challenge:
Case 1: Requirement-based challenge
Title | Cluster Objective | Object type relevance |
---|---|---|
User Access Audits | Conduct regular audits of user access rights and remove unnecessary access promptly. | IT asset (Overall) |
Endpoint Protection | Implement endpoint protection solutions to secure all devices accessing the network, including mobile devices. | IT asset (Endpoints), IT asset (Mobile device) |
Case 2: Threat-based challenge
Any MITRE ATT&CK based threat in vucavoid consists of tactics and (sub-)techniques of the chosen MITRE ATT&CK version. As of now, all techniques create a match with any IT asset.
The following scope elements are part of a challenge:
Title | Type |
---|---|
Enterprise Resource Planning (ERP) System | IT asset - Application |
iPhone corporate inventory | IT asset - Mobile device |
Lenovo ThinkPads | IT asset - Endpoint |
Note: For a threat-based challenge, only IT assets are allowed as scope elements.
The following slots would be created in the above setup of a requirement-based challenge:
Slot ID | Benchmark | Scope |
---|---|---|
1 | User Access Audits | Enterprise Resource Planning (ERP) System |
2 | User Access Audits | iPhone corporate inventory |
3 | User Access Audits | Lenovo ThinkPads |
4 | Endpoint Protection | iPhone corporate inventory |
5 | Endpoint Protection | Lenovo ThinkPads |
The following slots would be created in the above setup of a threat-based challenge: *
Slot ID | Benchmark | Scope |
---|---|---|
1 | Technique | Enterprise Resource Planning (ERP) System |
2 | Technique | iPhone corporate inventory |
3 | Technique | Lenovo ThinkPads |
* Assumption: The tenant-individual threat that has been selected for the challenge entails only one technique.
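The slot creation described above, worked through in Python as an added example (not vucavoid's own code): it rebuilds the two slot tables of the simplified example from the benchmark and scope elements, applying the object type relevance for requirements and the "every technique matches every IT asset" rule for threats. The dictionary field names and the IT-assets-only check are assumptions made for this illustration.

```python
from itertools import count

# Constructed sample data mirroring the simplified example on this page;
# the field names are assumptions, not vucavoid's data model.
# Object type relevance: ("IT asset", "Overall") matches every IT asset subtype.
REQUIREMENTS = [
    {"title": "User Access Audits",
     "relevance": [("IT asset", "Overall")]},
    {"title": "Endpoint Protection",
     "relevance": [("IT asset", "Endpoint"), ("IT asset", "Mobile device")]},
]
SCOPE = [
    {"title": "Enterprise Resource Planning (ERP) System",
     "type": "IT asset", "subtype": "Application"},
    {"title": "iPhone corporate inventory",
     "type": "IT asset", "subtype": "Mobile device"},
    {"title": "Lenovo ThinkPads",
     "type": "IT asset", "subtype": "Endpoint"},
]

def is_relevant(requirement, element):
    """A requirement matches a scope element when one relevance entry names
    the element's type and either 'Overall' or the element's subtype."""
    return any(obj_type == element["type"] and sub in ("Overall", element["subtype"])
               for obj_type, sub in requirement["relevance"])

def requirement_slots(requirements, scope):
    """One slot per matching (requirement, scope element) pair, numbered in
    benchmark order then scope order, as in the page's slot table."""
    ids = count(1)
    return [(next(ids), req["title"], el["title"])
            for req in requirements for el in scope if is_relevant(req, el)]

def invalid_threat_scope(scope):
    """Titles of scope elements that are not IT assets and therefore not
    allowed in a threat-based challenge."""
    return [el["title"] for el in scope if el["type"] != "IT asset"]

def threat_slots(techniques, scope):
    """Every technique of the chosen threat matches every IT asset, so the
    slot count is len(techniques) * len(scope)."""
    bad = invalid_threat_scope(scope)
    if bad:
        raise ValueError(f"threat-based challenge allows IT assets only: {bad}")
    ids = count(1)
    return [(next(ids), tech, el["title"]) for tech in techniques for el in scope]

if __name__ == "__main__":
    for slot in requirement_slots(REQUIREMENTS, SCOPE) + threat_slots(["Technique"], SCOPE):
        print(*slot, sep=" | ")
```

Adding a second technique to the threat doubles the threat-based slot list, which is the quickest way to see how the slot count of a threat-based challenge grows with the ATT&CK version selected.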
Each slot would then be rated by the assigned assessor(s) in terms of its fulfilment degree:
- No fulfilment
- Partial fulfilment
- Complete fulfilment
For each slot, the assessor(s) can provide a rationale as well as links to controls, findings and risks, or create new ones (if their access roles permit).
Attributes of Slots
For each slot, the assessor(s) can see detailed information about the benchmark and the scope element. If even more information is needed, the assessor(s) can click on the benchmark or scope element's name in the slot row (in the challenge's slot overview).
Each slot needs at least one assessor but can also have several. Assessors can be changed until the slot is finalized. The slot overview shows who made the most recent assessment of a specific slot.
The main attribute of a slot is, naturally, the assessment value: the assessor(s) decide whether the scope element complies with the benchmark element completely, partially or not at all.
Completing Slots
- Finalization Process: Once the assessment is completed, slots can be finalized by the assessor, indicating compliance or identifying issues.
- Reopening: A finalized slot can be reopened for reassessment until the overall challenge is finalized.
Starting a Challenge
Initiating a challenge in vucavoid involves several key steps to ensure proper setup and execution.
- Preparation: Before starting, ensure all attributes, scope, and benchmark elements are defined.
- Activation: Navigate to the challenge's detail view and click the "Start" button. Confirm in the modal dialog to initiate the challenge.
- Slot Creation: Starting the challenge automatically generates slots based on the scope and benchmark elements.
- Task Assignment: Each slot generates a task in vucavoid for the assigned assessors to complete their evaluations.
Additional Information
This section provides extra insights and best practices for effectively utilizing challenges in vucavoid:
- Strategic Use of Challenges: Leverage challenges to systematically assess and improve your organization's compliance and security posture. Challenges can be particularly useful for preparing for certifications or audits.
- Regular Review and Updates: Continuously monitor and update the scope and benchmarks of challenges to reflect any changes in organizational objectives, regulatory environment, or threat landscape.
- Collaborative Assessment: Engage a diverse group of assessors, including SMEs and stakeholders from different departments, to gain comprehensive insights during the challenge assessments.
- Actionable Insights: Use the results from challenges to identify areas for improvement, formulate action plans, and track progress over time.
- Documenting and Sharing Findings: Maintain thorough documentation of each challenge and its findings. Share insights and lessons learned with relevant teams to foster a culture of continuous improvement and compliance awareness.
By following these guidelines, organizations can maximize the benefits of vucavoid Challenges in maintaining a strong and compliant operational environment.