Challenges

Role Specific Access

vucavoid challenges are accessible to users with the following roles:

  • Compliance Manager: Full access to manage and oversee challenges within the system.
  • Risk Manager (view only): Access to view challenges, enabling insights into the organization's compliance and risk landscape.
  • Challenge Manager: Specialized role focusing on the creation, management, and assessment of challenges.
  • Slot Assessors: Any account assigned as a slot assessor can contribute specifically to their assigned slots within a challenge.

Overview

Challenges in vucavoid are assessments designed to measure an organization's compliance and security posture against specific benchmarks. These challenges enable organizations to "challenge" their scope against set requirements or threats, ensuring continuous alignment with compliance and security requirements.

Every challenge is built by matching two parts:

  • Benchmark: The baseline that all scope elements are expected to meet. This is either a set of the tenant's requirements or a set of the tenant's cyber threats.
  • Scope: Capabilities and/or objects of the tenant's meta model that are challenged against the benchmark elements.

Challenges can be set up for internal or external purposes. Since a tenant can create an unlimited number of challenges, a multitude of variations is possible.

Types of Benchmarks

Challenges in vucavoid support two main types of benchmarks:

  • Requirements: These are derived from contracts, regulations, or standards, providing a compliance-focused benchmark.
  • Threats: Modeled on the MITRE ATT&CK framework, these benchmarks focus on assessing IT assets against known cybersecurity threats.

For both requirements and threats, a tenant can select one, multiple or all of them to become the benchmark of a specific challenge, which makes it possible to slice challenges as needed by the tenant's organization.

Scope elements

Challenges in vucavoid can be applied to various types of scope elements from your meta model:

  • Requirements-Based Challenges: Can be benchmarked against any type of asset in scope.
  • Threat-Based Challenges: Limited to benchmarking IT assets in your meta model against threats.

Potential use cases

Challenges can be used for all use cases that involve the assessment of requirements and/or threats. The following non-exhaustive list gives typical use cases and how a challenge supports them.

  • Internal audit: Running an internal audit for a specific set of requirements, for example to check the implementation of requirements that belong to a specific domain or category in a specific scope of the tenant's meta model, can be significantly supported by a vucavoid challenge. By selecting the audit-relevant requirements and scope elements, auditors and auditees gain a major improvement in transparency and expectation management when an audit scope is planned as a challenge.
  • Pre-audit for external audit: For upcoming audits, such as ISO audits (e.g. ISO 27001, ISO 9001 or ISO 22301), both requirement- and threat-based challenges are a great tool to prepare internally. By selecting the requirements of a specific standard as the benchmark elements and the audit-relevant scope of the meta model, organizations can effectively do a dry run of the upcoming audit. Challenge data can also be shared with external auditors offline (e.g. via screen-sharing) or online by inviting the auditor to the tenant and making that user account a watcher (see further below) for the specific challenge only.
  • Client assessments: Using requirements that come from specific client engagements (contracts, SLAs) as the benchmark and the service-related parts of the meta model as the scope can effectively provide a client with an assuring report on the compliance posture of the tenant's organization. This also comes in very handy for tenders/requests for proposals (RFPs), as it provides insight into the current coverage of the compliance requirements.
  • Readiness assessment/fit-gap: Any other kind or subset of requirements can easily be benchmarked against the scope of choice or relevance. These could be regulatory requirements, upcoming laws, upcoming client contracts or standards (for certification or attestation).

Since challenges also directly support the creation of findings, risks and controls, they are not isolated assessments but integrate into the overall compliance management of a tenant.

vucavoid challenges: Overview of challenges in vucavoid (demo data).

Challenge Attributes

vucavoid's Challenges are defined by a set of attributes, ensuring detailed documentation and management of each challenge.

Challenge Basics

  • Title: Assign a unique and descriptive title for clear identification.
  • Type: Select between Requirement-based or Threat-based challenges, which determines the benchmarking elements.
  • Description: Provide a brief overview of the challenge’s primary purpose.
vucavoid challenges: Challenge basics

Challenge Timing

  • Starts at: Define the start date for the challenge period.
  • Ends at: Set the end date, ensuring it is future-dated and after the start date.
  • Deadline: Establish a deadline for the assessment of assigned slots.
  • Is recurring: Indicate if the challenge repeats, and if so, define the recurrence interval.
  • Select interval (for recurring challenges): Choose from options like Monthly, Quarterly, Biannually, and Annually.
vucavoid challenges: Challenge timing

Benchmark Elements

  • Requirements (for Requirement-based challenges): Choose the relevant requirements to benchmark against.
  • Threats (for Threat-based challenges): Select specific threats from the MITRE ATT&CK framework for assessment.
vucavoid challenges: Benchmark elements for a challenge in vucavoid. Here for the challenge type 'Requirements'.

Requirements can be selected by filtering and searching for them just like in the overview of requirements themselves.

vucavoid challenges: Selecting requirements as benchmark elements for a specific challenge (demo data).

Scope Elements

  • Capabilities: Define the scope through direct or indirect selection of elements via capabilities.
  • Objects: For Requirement-based challenges, include various object types. For Threat-based challenges, only IT assets are applicable.
vucavoid challenges: Scope elements for a challenge in vucavoid. Here for the challenge type 'Requirements'. If type 'Threat' is selected, only IT assets are applicable.

Meta model elements, in the below example IT assets, can be selected by filtering and searching for them just like in the overview of the meta model elements themselves.

vucavoid challenges: Selecting  IT assets (exemplary) as scope elements for a specific challenge (demo data).

Challenge Status

  • Status: Displays the current state of the challenge, with possible statuses including Initial, In Progress, Final, and Archived.
vucavoid challenges: Challenge status

Challenge Management

  • Owner: Appoint the individual responsible for overseeing the challenge.
  • Assessors: Assign assessors for the challenge, or default to the owner or SMEs if not specified.
  • Watchers: Read-only access to the specific challenge.
vucavoid challenges: Challenge management

Slots

Slots in vucavoid challenges represent individual assessments within a broader challenge, where scope elements are evaluated against benchmark elements.

vucavoid creates one slot for each unique match of a benchmark element and a scope element. See the following example for more clarity.

Example (simplified)

The following benchmark elements are part of a challenge:

Case 1: Requirement-based challenge

Title | Cluster | Objective | Object type relevance
User Access Audits | | Conduct regular audits of user access rights and remove unnecessary access promptly. | IT asset (Overall)
Endpoint Protection | | Implement endpoint protection solutions to secure all devices accessing the network, including mobile devices. | IT asset (Endpoints), IT asset (Mobile device)

Case 2: Threat-based challenge

Any MITRE ATT&CK-based threat in vucavoid consists of tactics and (sub-)techniques of the chosen MITRE ATT&CK version. As of now, every technique creates a match with every IT asset in scope.

The following scope elements are part of a challenge:

Title | Type
Enterprise Resource Planning (ERP) System | IT asset - Application
iPhone corporate inventory | IT asset - Mobile device
Lenovo ThinkPads | IT asset - Endpoint

Note: For a threat-based challenge, only IT assets are allowed as scope elements.

The following slots would be created in the above setup of a requirement-based challenge (the ERP system is not an endpoint or mobile device, so "Endpoint Protection" produces no slot for it):

Slot ID | Benchmark | Scope
1 | User Access Audits | Enterprise Resource Planning (ERP) System
2 | User Access Audits | iPhone corporate inventory
3 | User Access Audits | Lenovo ThinkPads
4 | Endpoint Protection | iPhone corporate inventory
5 | Endpoint Protection | Lenovo ThinkPads

The following slots would be created in the above setup of a threat-based challenge, assuming the tenant-specific threat selected for the challenge contains only one technique (every technique matches every IT asset in scope):

Slot ID | Benchmark | Scope
1 | Technique | Enterprise Resource Planning (ERP) System
2 | Technique | iPhone corporate inventory
3 | Technique | Lenovo ThinkPads
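The slot generation rule illustrated by the two tables above (one slot per matching benchmark/scope pair, with requirement-based matching filtered by object type relevance and threat-based matching restricted to IT assets) as an added, runnable Python model. This is not vucavoid's own code: the data classes, the (category, subtype) encoding of object types, the single-technique "Example threat" and the hypothetical helper names are assumptions, and the sample data is constructed from the tables above.

```python
"""Added example: how challenge slots are derived from benchmark and scope
elements. Hypothetical model, not vucavoid's own code; the data classes,
the (category, subtype) encoding of object types and the sample data
(constructed from the tables on this page) are assumptions."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence, Tuple

# An object type is (category, subtype). In a relevance entry a subtype of
# None means "any subtype of this category", i.e. "IT asset (Overall)".
ObjType = Tuple[str, Optional[str]]
IT_ASSET = "IT asset"


@dataclass(frozen=True)
class Requirement:
    title: str
    relevance: FrozenSet[ObjType]  # object types this requirement applies to


@dataclass(frozen=True)
class Threat:
    title: str
    techniques: Tuple[str, ...]  # ATT&CK (sub-)techniques making up the threat


@dataclass(frozen=True)
class ScopeElement:
    title: str
    object_type: ObjType


@dataclass(frozen=True)
class Slot:
    slot_id: int
    benchmark: str
    scope: str


def is_relevant(req: Requirement, elem: ScopeElement) -> bool:
    """True if the requirement's object type relevance covers the element."""
    category, subtype = elem.object_type
    return any(rc == category and (rs is None or rs == subtype)
               for rc, rs in req.relevance)


def only_it_assets(scope: Sequence[ScopeElement]) -> bool:
    """Precondition of a threat-based challenge: every element is an IT asset."""
    return all(elem.object_type[0] == IT_ASSET for elem in scope)


def requirement_slots(reqs: Sequence[Requirement],
                      scope: Sequence[ScopeElement]) -> List[Slot]:
    """One slot per (requirement, scope element) pair the relevance allows."""
    slots: List[Slot] = []
    for req in reqs:
        for elem in scope:
            if is_relevant(req, elem):
                slots.append(Slot(len(slots) + 1, req.title, elem.title))
    return slots


def threat_slots(threats: Sequence[Threat],
                 scope: Sequence[ScopeElement]) -> List[Slot]:
    """One slot per (technique, IT asset) pair; a non-IT asset is rejected."""
    if not only_it_assets(scope):
        raise ValueError("threat-based challenges accept IT assets only")
    slots: List[Slot] = []
    for threat in threats:
        for technique in threat.techniques:
            for elem in scope:
                slots.append(Slot(len(slots) + 1, technique, elem.title))
    return slots


def pairs(slots: Sequence[Slot]) -> List[Tuple[int, str, str]]:
    """Flatten slots into (id, benchmark, scope) tuples for display or checks."""
    return [(s.slot_id, s.benchmark, s.scope) for s in slots]


# Constructed sample data mirroring the tables above.
REQUIREMENTS = [
    Requirement("User Access Audits", frozenset({(IT_ASSET, None)})),
    Requirement("Endpoint Protection",
                frozenset({(IT_ASSET, "Endpoint"), (IT_ASSET, "Mobile device")})),
]
THREATS = [Threat("Example threat", ("Technique",))]  # assumed single technique
SCOPE = [
    ScopeElement("Enterprise Resource Planning (ERP) System", (IT_ASSET, "Application")),
    ScopeElement("iPhone corporate inventory", (IT_ASSET, "Mobile device")),
    ScopeElement("Lenovo ThinkPads", (IT_ASSET, "Endpoint")),
]

if __name__ == "__main__":
    for slot_id, benchmark, scope in pairs(requirement_slots(REQUIREMENTS, SCOPE)):
        print(f"{slot_id} | {benchmark} | {scope}")
    for slot_id, benchmark, scope in pairs(threat_slots(THREATS, SCOPE)):
        print(f"{slot_id} | {benchmark} | {scope}")
```

Running the block prints the five requirement-based and three threat-based slots exactly as tabulated above. The relevance check is the only place where the two challenge types differ: for requirements it is per benchmark element, for threats it collapses to "is an IT asset", which is why a process or any other non-IT object in the scope of a threat-based challenge is rejected up front rather than silently producing no slots.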

Each slot would then be rated by the assigned assessor(s) in terms of its fulfilment degree:

  • No fulfilment
  • Partial fulfilment
  • Complete fulfilment

For each slot, the assessor(s) can provide a rationale as well as links to existing controls, findings and risks, or create new ones (if their role permits).

vucavoid challenges: Overview of automatically generated slots for a challenge in vucavoid (demo data).

Attributes of Slots

For each slot, the assessor(s) can see detailed information about the benchmark and the scope element. If even more information is needed, the assessor(s) can click on the benchmark or scope element's name in the slot row (in the challenge's slot overview).

Each slot needs at least one assessor but can have several. Assessors can be changed until the slot is finalized. The slot overview shows who made the latest assessment of each slot.

The main attribute of a slot is, naturally, the assessment value: the assessor(s) decide whether the scope element fully, partially or not at all complies with the benchmark element.

vucavoid challenges: Overview of all attributes for a specific slot in vucavoid (demo data)

Completing Slots

  • Finalization Process: Once the assessment is completed, slots can be finalized by the assessor, indicating compliance or identifying issues.
  • Reopening: A finalized slot can be reopened for reassessment until the overall challenge is finalized.

Starting a Challenge

Initiating a challenge in vucavoid involves several key steps to ensure proper setup and execution.

  • Preparation: Before starting, ensure all attributes, scope, and benchmark elements are defined.
  • Activation: Navigate to the challenge's detail view and click the "Start" button. Confirm in the modal dialog to initiate the challenge.
  • Slot Creation: Starting the challenge automatically generates slots based on the scope and benchmark elements.
  • Task Assignment: Each slot generates a task in vucavoid for the assigned assessors to complete their evaluations.
vucavoid challenges: Modal confirmation to initialise a challenge and generate the assessment slots.

Additional Information

This section provides extra insights and best practices for effectively utilizing challenges in vucavoid:

  • Strategic Use of Challenges: Leverage challenges to systematically assess and improve your organization's compliance and security posture. Challenges can be particularly useful for preparing for certifications or audits.
  • Regular Review and Updates: Continuously monitor and update the scope and benchmarks of challenges to reflect any changes in organizational objectives, regulatory environment, or threat landscape.
  • Collaborative Assessment: Engage a diverse group of assessors, including SMEs and stakeholders from different departments, to gain comprehensive insights during the challenge assessments.
  • Actionable Insights: Use the results from challenges to identify areas for improvement, formulate action plans, and track progress over time.
  • Documenting and Sharing Findings: Maintain thorough documentation of each challenge and its findings. Share insights and lessons learned with relevant teams to foster a culture of continuous improvement and compliance awareness.

By following these guidelines, organizations can maximize the benefits of vucavoid Challenges in maintaining a strong and compliant operational environment.
