s2score evaluations

S2org is the best tool for auditing your security. Period.

Request an audit today

how we assess Your risk

Take a look below and let us know if you have any questions! 

Level 1
Level 2
Level 3

Risk and Management Process

Risk Decisions

Actionable Executive Decision Making

Comprehensive Risk Management

Infosec Risk Defined & Documented

Risk Tolerance Defined & Clear

Risk Identified & Prioritized

Threats Identified & Documented

Tolerance Informed By Infrastructure/ Sector

Level 1
Level 2
Level 3

Evacuation Procedures

Employee Training

Formalized Policies and Procedures

Emergency Response Plan

Security Excercizes Conducted

Background Checks

Physical Security

Areas Of Refuge

Formal Facility Threat Analysis Bi-Annual

Regular Facility Threat Assesments

Internal Technology
Level 1
Level 2
Level 3

Firewall Routing

Data Loss Prevention

DMZ Network

Malware Traffic Review

Egress Traffic Restrictions

Network-Based Traffic Intrusion Prevention

Multiple Internet Circuits / Multiple ISP's

Redundant Firewall

Web Content Filtering

External Technology
Level 1
Level 2
Level 3

Blacklist & Whitelist

Isolated Internal Networks

Firewall Auditable Change Control

Formal Firewall Change Approval

Documented Firewall Review Schedule

Network-Based Traffic Intrusion Prevention Systems

Internet Facing Systems Hardening Documentation

Unauthorized Firewall Changes / Incident Management Process

Additional Internet Protection and DMZ Servers

Egress Traffic Filtering Specifically Authorized

Common questions

1. What clients should do what level of assessment?
LEVEL 1:  Small organizations that are not governed by compliance or regulation requirements, and medium organizations without an existing security program.

LEVEL 2: Medium organizations with an existing security program that are in need of maturation.

LEVEL 3: Medium and large organizations that are regulated or have compliance requirements.As your client progresses, you can easily move them to the next level up, opening up additional controls that go deeper.
2. What do you charge for an assessment project?
The cost of a validated assessment varies between $5,000 and $60,000 or more depending on the amount of time our analyst spends onsite, travel expenses, and other consulting services provided. Organizations with multiple locations and/or sub-entities will naturally have a larger, more expensive scope of work.
3. How long should we spend updating the assessment?
This answer varies depending on the level of assessment and the client’s technical expertise. Estimate more time for clients that require hand holding as these meetings will be much more involved.

 1.5 to 5 hours

3 to 5 hours

6 to 12 hours

TIP: Remember that the roadmap only shows the false responses from the assessment. Assuming this is where you want to focus, you can start your update by reviewing evidence for the "done" tasks. If you agree that the control was implemented in satisfactory way, then leave the task as is. Then move to "in progress" tasks and then to "not started" tasks. If you believe controls to be implemented already for these, then add a note, attach evidence, and move these items to the done column.
4. How often do we meet with clients?
Our rule of thumb is to update our client’s assessment quarterly. This keeps the current assessment reasonably up to date reducing the catch up time you will need. 3 months is also a good increment of time for task completion on your client’s side.
5. How involved should we (the client)  be?
Client involvement is all about expediency. If our client has a low level of technical expertise, there may not be a lot of utility in having them try to fill out the assessment without your hand holding. That would prove an exercise in frustration. Additionally, they may not be savvy enough to process the assessment results or to complete tasks in the roadmap. This type of client presents an opportunity for a partner to build a close-knit relationship based on trust.For clients with a high level of technical expertise, the roadmap can be configured so that client-partner meetings become check-ins to review and mark off assigned items. This type of client is highly independent and requires less of your time.
6. How thoroughly should we spot check self-assessments?
Self-assessments are not validated assessments. They are a self-diagnostic exercise that works to inform the client on their current information security posture. That being said, exaggerated or inaccurate responses in a self-assessment can still be very damaging. It can hide risk, leading to a misappropriation of resources. In some cases, it can ultimately lead to non-compliance if the self-assessment was conducted in preparation for a particular audit.

The standard for self-assessment should be that if called upon, you can defend the response and provide evidence to support it.
7. What type of evidence should we require? How long will reviewing evidence take?
The type of evidence required is completely dependent on the control being assessed. For example, if you are assessing security policy then a copy of the security policy would be adequate evidence. If you are assessing firewall configurations, then a screenshot of the configuration would be adequate evidence.

We advise all partners to spend time building a shortlist of required documentation that can be passed to the client ahead of the assessment. This allows the client adequate time to find these resources, and saves the analyst time while on-site. This documentation can be stored in the Documents tab or attached locally in the assessment.In general, you will want to ask for any security policies they have, especially in the following areas:

Acceptable Use

Risk Management


Security Committee Charter

Asset Management

PCIAccess Controls

On average, the review of evidence takes between 2 and 3 hours. We advise analyst to review evidence before and after collecting assessment response.  For assessment updates, the review of evidence takes between 45 minutes to an hour. You will want to verify any changes in policy that the client reports.
8. Why is your solution accessible by clients?
S2Org is built on the premise of assessment transparency. The more exposure our client has to the expected controls (and where they fall short), the easier your task will be in explaining what is needed to secure their information.

Do clients need their own user licenses?There are two different types of client licenses.

The first license is read-only. This is very limited and can only be used to present assessment results to the client. The read-only license is suited for one-off projects that have a distinct start and end date.

The second license is for premium client users who will play a role in the management of their information security program. This license empowers them to make assessment changes, build a roadmap, and track changes on the dashboard. The premium license is well suited for ongoing work that requires client involvement over time.

Everything we need to build a world class network, security and connectivity.


Every solution we employ has been vetted by industry experts.


We keep the effectiveness of our solutions simple and easy to manage.


Our solutions truly cover your needs plus some.


We are a brand that is built on being the best.


We take care of every client quickly and efficiently.


DeSoto.io not only ensures it's clients, we ensure our efforts.

More information