LEVEL 1:  Small organizations that are not governed by compliance or regulation requirements, and medium organizations without an existing security program.

‍LEVEL 2: Medium organizations with an existing security program that are in need of maturation.

‍LEVEL 3: Medium and large organizations that are regulated or have compliance requirements.As your client progresses, you can easily move them to the next level up, opening up additional controls that go deeper.

The cost of a validated assessment varies between $5,000 and $60,000 or more depending on the amount of time our analyst spends onsite, travel expenses, and other consulting services provided. Organizations with multiple locations and/or sub-entities will naturally have a larger, more expensive scope of work.

This answer varies depending on the level of assessment and the client’s technical expertise. Estimate more time for clients that require hand holding as these meetings will be much more involved.

LEVEL 1:  1.5 to 5 hours

LEVEL 2: 3 to 5 hours

LEVEL 3: 6 to 12 hours

‍TIP: Remember that the roadmap only shows the false responses from the assessment. Assuming this is where you want to focus, you can start your update by reviewing evidence for the "done" tasks. If you agree that the control was implemented in satisfactory way, then leave the task as is. Then move to "in progress" tasks and then to "not started" tasks. If you believe controls to be implemented already for these, then add a note, attach evidence, and move these items to the done column.

Our rule of thumb is to update our client’s assessment quarterly. This keeps the current assessment reasonably up to date reducing the catch up time you will need. 3 months is also a good increment of time for task completion on your client’s side.

Client involvement is all about expediency. If our client has a low level of technical expertise, there may not be a lot of utility in having them try to fill out the assessment without your hand holding. That would prove an exercise in frustration. Additionally, they may not be savvy enough to process the assessment results or to complete tasks in the roadmap. This type of client presents an opportunity for a partner to build a close-knit relationship based on trust.For clients with a high level of technical expertise, the roadmap can be configured so that client-partner meetings become check-ins to review and mark off assigned items. This type of client is highly independent and requires less of your time.

Self-assessments are not validated assessments. They are a self-diagnostic exercise that works to inform the client on their current information security posture. That being said, exaggerated or inaccurate responses in a self-assessment can still be very damaging. It can hide risk, leading to a misappropriation of resources. In some cases, it can ultimately lead to non-compliance if the self-assessment was conducted in preparation for a particular audit.

The standard for self-assessment should be that if called upon, you can defend the response and provide evidence to support it.

The type of evidence required is completely dependent on the control being assessed. For example, if you are assessing security policy then a copy of the security policy would be adequate evidence. If you are assessing firewall configurations, then a screenshot of the configuration would be adequate evidence.

We advise all partners to spend time building a shortlist of required documentation that can be passed to the client ahead of the assessment. This allows the client adequate time to find these resources, and saves the analyst time while on-site. This documentation can be stored in the Documents tab or attached locally in the assessment.In general, you will want to ask for any security policies they have, especially in the following areas:
‍
Acceptable Use
‍
Risk Management

Governance

Security Committee Charter

Asset Management

PCIAccess Controls

On average, the review of evidence takes between 2 and 3 hours. We advise analyst to review evidence before and after collecting assessment response.  For assessment updates, the review of evidence takes between 45 minutes to an hour. You will want to verify any changes in policy that the client reports.

S2Org is built on the premise of assessment transparency. The more exposure our client has to the expected controls (and where they fall short), the easier your task will be in explaining what is needed to secure their information.

‍Do clients need their own user licenses?There are two different types of client licenses.

The first license is read-only. This is very limited and can only be used to present assessment results to the client. The read-only license is suited for one-off projects that have a distinct start and end date.

The second license is for premium client users who will play a role in the management of their information security program. This license empowers them to make assessment changes, build a roadmap, and track changes on the dashboard. The premium license is well suited for ongoing work that requires client involvement over time.