S2PCI: The PCI Compliance Software helping to navigate the complex terrain of PCI DSS

Approach to Streamlining Documentation

In the rapidly advancing digital era, businesses face the task of safeguarding their customers’ payment data. Attaining and sustaining Payment Card Industry Data Security Standard (PCI DSS) compliance is a formidable challenge for many industries. This article delves into the intricacies of PCI compliance, highlighting the complexities faced by organizations and introducing our PCI compliance software solution, S2PCI, designed to streamline the often-arduous documentation process.

The Challenge of PCI Compliance

The path to compliance is fraught with complexity. This complexity is not just in the interpretation and adherence to the standards themselves. It’s more basic than that. Organizations struggle to identify which Self-Assessment Questionnaire (SAQ) form is appropriate for them. This form has far-reaching implications, determining which requirements they need to meet.

Resource Allocation and Security Implications

The pursuit of PCI compliance demands a significant investment of time, financial resources, and skilled personnel. Striking a delicate balance between these investments and other pressing business priorities is an ongoing struggle for many organizations. Additionally, the consequences of failing to comply with PCI DSS can be severe, ranging from data breaches to fines and reputational damage, elevating the stakes and adding pressure to an already intricate process.

Navigating the PCI Compliance Landscape

The lack of in-house expertise further complicates the PCI compliance journey for organizations. The absence of knowledgeable personnel can make it challenging to navigate the path toward compliance, especially when it comes to determining the correct Self-Assessment Questionnaire (SAQ) form. The result is often a time-consuming and resource-intensive process with potential compliance gaps.

A Thoughtful Solution: Our PCI Compliance Software

In response to these challenges, we’ve launched our latest product, S2PCI, to assist with this process. S2PCI is PCI compliance software aimed at organizations falling under PCI compliance Levels 2-4, because Levels 2-4 are eligible to self-assess.

The following are the 4 levels of PCI Compliance:

  • Level 1: Merchants processing over 6 million card transactions per year (Need a QSA to complete)
  • Level 2: Merchants processing 1 to 6 million transactions per year
  • Level 3: Merchants handling 20,000 to 1 million transactions per year
  • Level 4: Merchants handling fewer than 20,000 transactions per year

Exploring the Evaluation Workflow

  • Initiating the evaluation for the Card Acceptance Process (CAP).
  • Answering a series of questions to determine business type, compliance level, and the correct SAQ form.
  • Avoiding the waste of resources associated with completing the wrong SAQ form.

Assessment (SAQ):

  • Completing the online SAQ form, including any required notes.
  • Achieving a compliant or non-compliant status for the CAP.
  • Organizing the collection of supporting evidence or pursuing further action on non-compliant requirements.
  • Achieving a compliant or non-compliant status for the CAP after remediation is completed.

Outcomes of S2PCI

  • Leveraging built-in logic to discern the correct SAQ form.
  • Facilitating the completion of the SAQ form online, significantly reducing the time required.
  • Minimizing the risk of selecting the wrong SAQ form.
  • Ensuring documentation aligns precisely with PCI standards.
  • Providing a platform to document and track progress toward compliance standards.
  • Facilitating the systematic gathering of evidence for all requirements.
  • Organizing workload through automatic communications, an evaluation scheduler, and evidence collection.

More Than Checking the Compliance Box

SecurityStudio doesn’t just aim to sell a product but to contribute to the ongoing dialogue surrounding information security, and by extension, compliance. We acknowledge the many challenges of achieving PCI compliance, but we also encourage everyone to think beyond checking a compliance box. We intend to foster understanding, inspire discussions, and, most importantly, offer a practical solution that aligns with the broader goals of improving your information security posture, as well as securing payment data.

PCI Awareness Training Recommendation

Complementing the endeavor to streamline PCI compliance, we suggest anyone looking to expand their knowledge of PCI compliance consider the PCI Security Standards Council’s PCI Awareness Training. This training program is tailored for individuals wanting to enhance their understanding of PCI, particularly those within organizations obligated to adhere to the PCI Data Security Standard (PCI DSS).


The journey toward PCI compliance is undeniably challenging, but a thoughtful solution like S2PCI can significantly alleviate the burden. By simplifying the documentation process and providing a structured approach, organizations can not only meet compliance standards but also optimize their efforts. We encourage organizations to view PCI compliance as a critical aspect of their commitment to data security and operational integrity, not just a means to check the box. It’s just good business practice. As businesses continue to evolve in the digital landscape, thoughtful approaches to compliance become integral pillars of responsible and secure operations. If you’re interested in seeing a demonstration of our PCI compliance software, S2PCI, we’d love to show you in more detail! Book a demo with one of our team members, or watch the demonstration below.

MCSP: Managed Cybersecurity Service Provider

An MCSP is a managed services provider that provides cybersecurity and vCISO-type services but does not have its own SOC. Typically, it has a CISSP or vCISO on staff.

The Changing Landscape

For MSPs, the landscape is changing. A real shift is happening in the IT industry. Attend any MSP event or conference and you will see over 80% of vendors providing some cybersecurity solution. As external threats, breaches, ransomware, and government mandates plague everyday business, the requirements for services that meet the needs of the business customer are changing. As a result, so are the expectations of what MSPs provide. MSPs with the knowledge, tools, and resources necessary to effectively navigate the complex landscape of risk management and provide comprehensive cybersecurity services to their clients will find themselves leading the pack. Those who wait too long or continue with the status quo might find it harder to gain new customers with the rise of the MCSP (Managed Cybersecurity Service Provider). To stay competitive, the new MSP will need a broader scope of services and expertise to effectively serve the changing landscape.

What’s Next for MSPs?

Today, there are MSPs and MSSPs. Though many MSPs may strive to become an MSSP, the requirement to build out an internal SOC and invest in the necessary facility, equipment, tools, etc. may be more than most will be able to achieve. Accordingly, the MCSP will enter to fill this gap. An MCSP is a specialized type of MSP that offers cybersecurity solutions and often provides virtual Chief Information Security Officer (vCISO) services in addition to traditional managed services. Unlike MSSPs, an MCSP does not have its own Security Operations Center (SOC) but does typically have a CISSP or vCISO on staff.

The MSP Evolution

MCSP is an attainable evolution or next step for the traditional MSP. Its core offering revolves around managing and safeguarding the information technology (IT) infrastructure and systems of its clients from cyber threats. This includes protecting networks, applications, endpoints, data, and other digital assets. The MCSP’s primary objective is to ensure the confidentiality, integrity, and availability of its clients’ information while mitigating risks and addressing vulnerabilities.

All in One: The MCSP

An MCSP fills a crucial role by combining managed services with cybersecurity expertise. By offering comprehensive cybersecurity services and vCISO guidance, you can help organizations of all sizes enhance their security posture and protect against evolving cyber threats, even without operating your own SOC. Just about any current MSP can obtain the knowledge and services necessary to evolve their business into an MCSP.


If you’re looking to become an MCSP, we can help! As part of a partnership with SecurityStudio, we will help you become a certified MCSP and guide you on the path of becoming a Certified virtual Chief Information Security Officer (CvCISO).

Cybersecurity has never been more important than it is today. Not only is our information more at risk, but so is our privacy, and even our personal safety. Complexity and distraction have contributed to us “taking our eye” off the ball, and there’s no better time than now to act.

What is cybersecurity?

This is a confusing word for some people. Even cybersecurity experts have different explanations of what cybersecurity is. Our definition:

Cybersecurity is managing the risk of unauthorized disclosure, modification, and destruction of information through technical means.

The key is managing risk, not eliminating risk. Eliminating risk would require us to eliminate all our information and the electronics we leverage to create, transfer, access, and use it. No more laptops, no iPads, no mobile devices, no Internet, and no data. Obviously, this isn’t feasible, and neither is eliminating risk.


Managing risk means we need to live with the fact that bad things can and will happen; therefore, detecting bad things early and having a prudent response are also important.

Why is cybersecurity more important than ever?

The simple answer is bad things are happening more often and the results are more impactful. We were riding a dangerous trend of increased incidents (ransomware, data breaches, etc.) prior to 2020:

  • Over the past 10 years, there were 300 data breaches involving the theft of 100,000 or more records.
  • There were 1,244 data breaches in 2018 and 446.5 million records were exposed.
  • There were 4.1 billion records exposed in the first six months of 2019 alone.
  • At the beginning of 2019, the World Economic Forum named cyber-attacks as one of the top five risks to global stability.

2020 has certainly been a year like no other, and things haven’t gotten better. The final numbers aren’t in for this year’s cybersecurity incidents, but we inherently know things have gotten worse. There are two primary reasons for higher risk in 2020: complexity and distraction.

Complexity is the greatest enemy of cybersecurity. Most business and home technology environments have gotten too complex to secure properly. Businesses and people struggle to know what things they’re securing, let alone how to secure them. At home the problem is getting worse with each new technology we add. In our lust for new technology and features, we’ve failed to slow down and think about the cybersecurity consequences of our choices. Technology complexity continues to explode with “smart” homes (Alexa, Google Home, Ring, etc.), “smart” cars, interconnected medical devices, and our 275 million “smart” phones.

In terms of impact, our lives have become so interconnected that we can no longer separate cybersecurity from privacy or physical safety.

2020 has been a debacle. We’ve never been more distracted. There are so many significant things going on, that many of us have taken our eye off the cybersecurity ball. COVID-19 flipped our world on its head. Offices closed, leading to an explosion of work-from-home. Schools closed, leading to an explosion in remote learning. Couple these events with health concerns, economic concerns, general uncertainty, and it’s understandable that cybersecurity becomes an afterthought.

If COVID-19 wasn’t a significant enough distraction, 2020 also brought real social justice issues, civil unrest, the presidential election, and disinformation campaigns that bombard our inboxes and social media feeds.

Complexity and life’s distractions in 2020 have made our digital lives a perfect attacker’s playground.

Why are cybercrimes on the rise? How did they evolve over time?

Cybercrimes are on the rise because the opportunities we give attackers are extensive and the return on the attacker’s investment has never been higher. It’s the perfect recipe for their success at our expense.


We continue to increase opportunities for attackers through our incessant need for more technology, while at the same time, we’re distracted by life’s events. These things combine to make attacks easier and more successful, leading to increased profit and return for an attacker. The cycle repeats itself when attackers re-invest their profits into better and more frequent attacks.

In previous decades, attacks were less nefarious, and it wasn’t uncommon for an attacker to be motivated by bragging rights or showing off. Those days are long gone, and criminals are organized much like legitimate businesses. Businesses are in business to make money, and so are most attackers. 71% of all data breaches are financially motivated and 25% are motivated by espionage.

The attackers we should all be most concerned about are the ones who are motivated by money and power; these are often organized crime rings and nation-state attackers such as China, Russia, and Iran.

What is the impact of a cybercrime to your organization, team, and/or self?

The impact of cybercrime depends upon several factors: the nature of the incident, your ability to detect and respond to the incident, the intent of the attacker, and the attacker’s ability or skill to carry out their intent. The impact can range from a simple nuisance to bankruptcy, and in rare cases even death.

For small to mid-sized organizations (250-449 employees), the downtime from a data breach varies:

  • 43% reported 0-4 hours of downtime
  • 45% reported 5-16 hours of downtime
  • 12% reported 17-48 hours of downtime

Sadly, 56% of Americans (including American businesses) don’t know what steps to take in the event of a data breach, an estimated 60% of small to mid-sized businesses fail within 12 months of experiencing a data breach, and in 2020 we read about the first (known) death related to ransomware.

The impact of cybercrime varies from low to severe. How low or how severe should not be left to chance because you can (and must) take steps to reduce your risk.

What can you do to protect your organization, your team, and yourself?

The most important thing for all of us is to understand and apply basic cybersecurity principles. The most basic principle starts with risk management. Cybersecurity is risk management. In order to manage risk, you and I must understand (assess) it. Find a good, fundamental risk assessment, and do it. You’ll need to assess risk personally (at home), in your third-party/vendor relationships (the people you share information with), and within your organization.

How can SecurityStudio help?

SecurityStudio is dedicated to our mission of fixing the broken cybersecurity industry by helping people with simple, inexpensive (even free), and effective information security risk management tools.

  • Organization risk management starts with the S2Org tool, used by thousands of organizations of all sizes across all industries.
  • Third-party/vendor risk management starts with our S2Vendor tool; integrated, organized, and automated (without taking shortcuts).
  • Personal risk management (at home) starts with our S2Me tool; 100% free and simplified for everyday people.
  • Work at home risk management starts with our S2Team tool; the most cost-effective insight into employees’ real information security habits.

If complexity is the worst enemy and if cybersecurity is risk management, then we all need simple and affordable risk management tools for everyone to build the best defense, detection, and response capabilities possible.

SecurityStudio is here to help, always dedicated to #MissionBeforeMoney.



As an Information Security (“Cybersecurity”) consultant, I find Risk Assessments essential: they give me a quick and efficient way to see which security measures your organization has adopted well, and which it has not.

For some of my customers, the Risk Assessment is the first step to building an effective Information Security or Risk Management program from the ground up – for others, it’s a way to validate or identify improvements to the program they already have in place. Regardless of your organization’s maturity or size, performing a Risk Assessment is extremely valuable – and you don’t have to hire an Information Security consultant to do one. Given the insufficient number of InfoSec professionals available in the market today, that is essential!

In case you’re new to Cybersecurity Risk Assessments, I’ll cover the basics first: why these cyber risk assessments are important, and how they can help you. Then I’ll review some of the free Cybersecurity Risk Assessment tools that are available out there today.

Why Cyber Risk Assessments are Important

We live in a connected world, and threats to your organization’s Information Resources and technology are imminent. Attackers have built a $1.5 trillion business identifying internet-accessible vulnerabilities, and if you don’t actively secure your technology, they will find you and take advantage of your systems. This is no longer a question, but the reality – if you have an organization with systems connected to the internet, you MUST actively work to secure them, and that’s what “cybersecurity” is all about.

Cybersecurity is essentially managing risks to your organization’s Information Resources; whether these consist of protected patient data, sensitive banking transactions, or the network infrastructure that allows your personnel to keep working effectively.

Peter Drucker has said “You can’t manage what you don’t measure.” It’s largely true, but there are some that would object. Instead, I prefer this quote from Evan Francen, CEO of FRSecure, “You can’t manage what you don’t know you have.” And that includes risk – you need to know what your risks are before you can figure out what to do about them.

Every piece of technology introduces some degree of risk, especially if it is connected to the internet. Conducting a Risk Assessment allows you to identify the threat sources to these technologies and the likelihood and impact to your organization associated with these threats. As such, risk is commonly calculated like so:

Likelihood × Impact = Risk

That seems simple enough, but how do you assign a value to likelihood and impact to make that calculation? How do you efficiently identify all the thousands of potential threats to the technology within your organization? And how do you use that information to actually reduce the risks your organization faces? That’s where a Risk Assessment is invaluable.

So, if you want to improve the security of the technology and data within your organization, you need to know what the risks are to your technology and data. And the best way to identify risk, is by conducting a Risk Assessment.
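The formula above is the whole calculation; the work described in the tool reviews that follow (the Low/Moderate/High ratings of the SRA Tool, the PRAM worksheet that scores and then prioritizes, and the residual risk left after controls) lies in turning those ratings into a ranked register. The following is an added example, not code from this article or from any of the tools it reviews. The 1/2/3 weights for Low/Moderate/High, the thresholds used to bucket the product back into a rating, and the sample register entries are all assumptions made for illustration.

```python
"""Qualitative risk scoring and prioritization (Likelihood x Impact = Risk).

Added example, not code from the article or from any tool it reviews.
Assumptions: Low/Moderate/High map to 1/2/3, the product is bucketed back
into Low/Moderate/High at thresholds 3 and 6, and the register below is
constructed sample data.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Assumed ordinal weights for the qualitative ratings.
SCALE = {"Low": 1, "Moderate": 2, "High": 3}


@dataclass(frozen=True)
class Threat:
    """One row of a risk register: a vulnerability, the threat that could
    exploit it, and the assessor's likelihood and impact ratings."""
    vulnerability: str
    threat: str
    likelihood: str  # "Low" | "Moderate" | "High"
    impact: str      # "Low" | "Moderate" | "High"


def risk_score(likelihood: str, impact: str) -> int:
    """Likelihood x Impact on the assumed 1-3 scale; result is in 1..9.
    Ratings outside the scale are rejected rather than silently scored."""
    try:
        return SCALE[likelihood] * SCALE[impact]
    except KeyError as exc:
        raise ValueError(f"unknown rating {exc}; use Low, Moderate or High") from exc


def risk_rating(score: int) -> str:
    """Bucket a 1..9 score back into a rating (thresholds are assumptions)."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Moderate"
    return "Low"


def prioritize(register: List[Threat]) -> List[Tuple[Threat, int, str]]:
    """Score every entry and order the register highest risk first.
    Ties are broken by impact, so a rare-but-severe threat outranks a
    frequent-but-minor one that has the same product."""
    scored = []
    for entry in register:
        score = risk_score(entry.likelihood, entry.impact)
        scored.append((entry, score, risk_rating(score)))
    return sorted(scored, key=lambda row: (row[1], SCALE[row[0].impact]), reverse=True)


def residual_score(entry: Threat, likelihood: Optional[str] = None,
                   impact: Optional[str] = None) -> int:
    """Score that remains once a planned control changes the likelihood
    and/or impact rating; ratings not given are kept from the entry."""
    after = replace(entry,
                    likelihood=likelihood or entry.likelihood,
                    impact=impact or entry.impact)
    return risk_score(after.likelihood, after.impact)


# Constructed sample register (not real assessment data).
SAMPLE_REGISTER = [
    Threat("Unpatched internet-facing web server",
           "Exploitation of a known vulnerability", "High", "High"),
    Threat("No offline backups",
           "Ransomware renders data unrecoverable", "Moderate", "High"),
    Threat("Shared administrator password",
           "Insider misuse of privileged access", "Moderate", "Moderate"),
    Threat("Visitor badges not enforced",
           "Unauthorized physical access", "Low", "Moderate"),
]


if __name__ == "__main__":
    for entry, score, rating in prioritize(SAMPLE_REGISTER):
        print(f"{rating:8} {score}  {entry.threat} ({entry.vulnerability})")
    # Planned control: a patch-management process lowers the likelihood of
    # the top entry from High to Low; the impact rating is unchanged.
    top = prioritize(SAMPLE_REGISTER)[0][0]
    print("residual after patching:", residual_score(top, likelihood="Low"))
```

The ranked output is what you would hand to an executive instead of a flat list of "risks": each row carries a rating, the order says what to fund first, and `residual_score` shows what a proposed control actually buys. Swapping in a tool's own scale (for instance a 1-5 likelihood) only requires changing `SCALE` and the thresholds in `risk_rating`.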

How a Cybersecurity Risk Assessment Tool Can Help You and Your Organization

Besides knowing what your risks are, you also need to understand the severity of the risks posed to your Information Resources, and whether they are high or low risk. Trust me, presenting a large list of “risks” to your CEO to “do something about” isn’t going to go over well. You need to be smart about it, and a Risk Assessment can help you do just that. Most Risk Assessments will not only give you some sense of priority (high risk vs low risk), but also give you an idea of what you can do to address those risks.

If you’re an IT Manager, you may even already have a wish list of security improvements you’d like to implement within your organization. And if you are struggling to get approval for these projects, a Risk Assessment may make the difference.

The Risk Assessment will help you to communicate which of those security improvements will make the most difference to the security of the organization and help you explain to the CEO what they will get out of the additional money and resources you’re asking them to spend on the problem.

A Cyber Risk Assessment helps to break down the risks to your organization’s Information Resources in a way that they can be prioritized, are actionable, and that executives can understand.

Cybersecurity Risk Assessment Tools

Above I touched on why risk assessments are important and how they can help your organization. To break it down, a good risk assessment will help you do the following:

  • Identify threats to your organization’s Information Resources
  • Objectively evaluate the level of risk posed by these threats
  • Provide an action plan for effective risk reduction
  • Provide cybersecurity risk assessment tools to aid in communicating the organization’s risks to executive management

So, let’s take a look at some of the free Cybersecurity Risk Assessment Tools out there that can help you achieve these things.

Security Risk Assessment Tool (SRA Tool)

The SRA Tool is very popular because it is provided by the U.S. ONC in collaboration with the HHS Office for Civil Rights (OCR) to help healthcare providers conduct a security risk assessment as required by the HIPAA Security Rule. OCR does not require that you use their tool, nor do they guarantee that using it will make you compliant with HIPAA, but it’s a free tool, and a good starting point. So, let’s dive in.

The tool is downloadable from [URL missing], and has significantly improved with the October 2018 update.

Here’s an outline of the risk assessment process:

  1. Download & Install
  2. Pick where to save the assessment file
  3. List the location(s) you’re assessing and any vendors and assets to include (optional)
  4. Complete the assessment (required)
    1. Complete the multiple-choice questions
    2. Select the vulnerabilities that apply to your organization
    3. Assess the threats associated with each vulnerability
  5. View/output your report (PDF)

Firstly, about the locations, information assets listing, and vendor listing (3). These are entirely optional in the tool; however, you do need to know and track your assets and vendors (BAAs) to be compliant with HIPAA (164.310(d)).

Overall, the tool is very easy to use for someone already familiar with risk management practices and processes. The assessment is divided into seven sections, and each section is split into three parts: multiple choice, vulnerability selection, and a vulnerability risk assessment. Most of the multiple-choice questions are fairly easy to understand: your organization is either following the requirement, or not. Some questions are more complex, however, with multiple answers that require deeper reading, and this is where the on-screen tips provided in the tool are helpful.


The multiple-choice questions are used to determine which vulnerabilities may apply to your organization; but since the questions alone may be insufficient to determine whether a vulnerability applies to your organization, you are required to choose those that apply. I really wish these selections defaulted to “selected” rather than not, as I believe this would be less confusing.

Once you select your vulnerabilities, you are asked to assess the likelihood and impact of each of the threats associated with the selected vulnerabilities. An inexperienced person may be tempted to click “Next” past the vulnerability selection; however, this is the most valuable aspect of the reports produced at the end, so it really must be completed in full for any vulnerability that applies. The challenge with the risk assessment, if you’ve never done one, is accurately determining whether your organization has a Low, Moderate, or High likelihood of experiencing the threat, and the level of impact (Low, Moderate, High) if it did. At this point you may need to reach out to an experienced risk management consultant.


The reports shown at the end only reflect the results of the risk assessments completed for each of the applicable vulnerabilities. For example, in my test I completed the multiple-choice questions but only selected a couple of vulnerabilities in each section to do the full risk assessment on. And although all of my questions are listed in the full risk assessment report, only the vulnerabilities I did the assessment on are included in the risk chart at the top.


Overall, while easy to use, I feel that the SRA Tool has two problems:

  1. It doesn’t provide enough guidance for organizations new to performing risk assessments in determining the likelihood and potential impact of threats.
  2. It doesn’t allow the user to update or change any of their responses once a section or the full assessment is complete, meaning that if you want to change any of your responses later on, you’ll have to start at the beginning.

TraceSRA

TraceInsight has developed an online-based version of the SRA Tool. Their revision to the controls provides you with an easy user interface and some nice-looking reports. While their tool is set up in the same way as the SRA Tool, I prefer how they divided the multiple-choice questions and the threat assessment phases.


I also appreciate that when selecting the identified threats, they’ve used the statement “This threat is applicable to my organization”, making it much clearer what you’re doing in this phase. The same challenge exists, however: you probably need some prior experience with risk management to confidently assign the correct values to the likelihood and impact for each threat identified.


Like the SRA Tool, you’re able to view your results on-screen or export a PDF.

Compared with the SRA Tool, TraceSRA is very similar, with a slightly nicer interface for identifying the risks and performing the cyber risk assessment. One advantage is that you’re able to update your answers even after the assessment is complete, which is extremely handy for any risk manager. Since the tool is cloud-based, you do sacrifice the privacy that the locally-installed SRA Tool provides, but since TraceSRA does not provide an interface for listing your locations, assets, and vendors, this information isn’t terribly sensitive.


NIST PRAM

From NIST: “The PRAM is a tool that applies the risk model from NISTIR 8062 and helps organizations analyze, assess, and prioritize privacy risks to determine how to respond and select appropriate solutions. The PRAM can help drive collaboration and communication between various components of an organization, including privacy, cybersecurity, business, and IT personnel.”

It helps organizations meet obligations of Circular A-130 and other relevant policies.

The NIST PRAM tool is a combination of documentation and spreadsheets (XML format) designed to help organize and direct a cyber risk assessment to your organization based on NISTIR 8062. This tool is probably the most time-intensive of the tools I’m reviewing, but also allows you to thoroughly assess each aspect of your organization. As such, I’ll just provide a high-level description of each of the parts included in the tool.

  • Worksheet 1: Framing Business Objectives and Organizational Privacy Governance
    • Describes two tasks for you to complete, used to describe and define your organization and its privacy needs.
  • Worksheet 2: Assessing System Design; Supporting Data Map
    • Provides instructions and a spreadsheet for you to determine the threats to your organization’s data actions that should be assessed. This is done by defining the organization’s privacy capabilities and related systems, products, and services; and determining other factors for consideration.
  • Worksheet 3: Prioritizing Risk
    • Builds on the work done in Worksheet 2 to assess the risk to your organization by determining the likelihood and impact of the threat to the organization. Impact is split into Noncompliance, direct business, reputational, and cultural, and other potential costs. Values assigned to the likelihood and impact are used to calculate the risk to each data action. Risks are then prioritized based on those posing the greatest risk to the organization.
  • Worksheet 4: Selecting Controls
    • Building on the work done in Worksheets 2 and 3, you’ll identify improvements to the highest-risk data actions to create your remediation action plan, and determine the residual risk remaining.
  • Catalog of Problematic Data Actions and Problems
    • Provides a list of common problematic data actions for use in your risk assessment.

FSSCC’s Automated version of the FFIEC Cybersecurity Assessment Tool

FFIEC: (Guides)
FSSCC: (Automated tool)

About FFIEC CAT: “In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool (Assessment) to help institutions identify their risks and determine their cybersecurity preparedness. The Assessment provides a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time.”

On its own, the FFIEC Assessment is very difficult to use, as they don’t provide a questionnaire or any fillable form to complete and use to generate reports; luckily, the Financial Services Sector Coordinating Council (FSSCC) has created an automated spreadsheet with these features to help you out. However, you may still want to visit the FFIEC website to reference their user guide and other useful information and tools such as the mapping to NIST (National Institute of Standards) CSF.

If you’re in the financial sector, this is the assessment tool you should start with. The assessment consists of two parts: determining your organization’s “Inherent Risk Profile” and assessing the maturity of your organization’s security program.

To determine your Inherent Risk Profile, you’ll select a risk level for a variety of criteria across five domains:

  1. Cyber Risk Management & Oversight
  2. Threat Intelligence & Collaboration
  3. Cybersecurity Controls
  4. External Dependency Management
  5. Cyber Incident Management and Resilience

I found selecting the risk level to be very easy in this tool, as they’ve provided clear and objective categories for each of the selections available.


From this information, the tool will recommend a maturity level for your organization; the recommendation may span several levels, as in my example.


Next, you’ll complete the assessment to determine your organization’s current maturity level in each of the five domains. The assessment consists of nearly 500 statements, and for each you must determine whether your organization complies with it, does not comply with it, or whether it does not apply to your organization. The scale and complexity of the assessment may prove to be an obstacle for some people and organizations, in which case you may wish to hire an audit or consulting organization to help you interpret and complete this part of the assessment.


Once the cyber risk assessment is complete, there are several useful charts to view your results in.

The Assessment Factor charts allow you to select a desired target for each domain. You may set any target you like, but the tool will remind you of its recommendation based on your completed Inherent Risk Profile.

[Screenshot: cyber risk assessment factors]

The level you select is used to place the red-dotted line on the charts for each domain, showing you how your current maturity level compares. In my example, there’s still a lot of work to do!

[Screenshot: cybersecurity controls]

The Component charts break each domain down by component instead. The red-dotted line will be placed in the same location that you previously selected.

[Screenshot: d3 security controls]

Overall, if you’re a financial services organization, this is probably the best self-assessment for you. Due to the length and complexity of the assessment, however, you’ll probably need a risk management professional to complete it effectively.

CISA – Cyber Resilience Review (CRR): Self-Assessment


About: “The CRR is a no-cost, voluntary, non-technical assessment to evaluate an organization’s operational resilience and cybersecurity practices… The assessment is designed to measure existing organizational resilience as well as provide a gap analysis for improvement based on recognized best practices.”

The Cyber Resilience Review (CRR) is derived from the CERT Resilience Management Model (CERT-RMM), developed by Carnegie Mellon University’s Software Engineering Institute. The CRR is targeted at service organizations; that is, organizations which utilize their assets (people, information, technology, and facilities) to provide specific critical services or products.

The CRR Self-Assessment consists of a 41-page questionnaire (fillable PDF), which is then used to generate a detailed report of about 150 pages (PDF). The questions are divided into ten (10) domains:

  1. Asset Management
  2. Controls Management
  3. Configuration and Change Management
  4. Vulnerability Management
  5. Incident Management
  6. Service Continuity Management
  7. Risk Management
  8. External Dependencies Management
  9. Training and Awareness
  10. Situational Awareness

Each domain consists of a collection of questions related to required activities, followed by maturity ranking. To achieve a maturity level greater than MIL1, the organization must be performing all listed practices and all maturity level requirements for that level and any level below it.

Here’s a brief description of the Maturity Indication Levels (MIL):

  • MIL0 – Incomplete: none or some of the requirements are followed in practice
  • MIL1 – Performed: all of the requirements are followed in practice
  • MIL2 – Planned: practice and policies are documented and supported by stakeholders
  • MIL3 – Managed: practices are adequately staffed and funded, overseen by management, and periodically reviewed for risk
  • MIL4 – Measured: practices are periodically evaluated and monitored for effectiveness
  • MIL5 – Defined: practices are consistently defined and practiced across all organization units
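As an added illustration of the scoring rule described above (not code from CISA or the CRR itself), the following Python computes a domain's MIL from its answers: MIL1 needs every practice answered "yes", and each higher level needs MIL1 plus every maturity requirement of that level and of all levels below it, so the first level with a gap stops the climb. The answer layout, the `DomainAnswers` class and the sample "Asset Management" answers with identifiers such as `AM-P1` are all constructed for this example; they are not the CRR questionnaire's own structure or question labels.

```python
from dataclasses import dataclass

VALID_ANSWERS = {"yes", "incomplete", "no"}

MIL_NAMES = {
    0: "Incomplete", 1: "Performed", 2: "Planned",
    3: "Managed", 4: "Measured", 5: "Defined",
}


@dataclass
class DomainAnswers:
    """Answers for one CRR domain (constructed layout, not the CRR PDF's)."""
    name: str
    practices: dict   # practice id -> "yes" | "incomplete" | "no"
    maturity: dict    # level 2..5 -> {requirement id -> answer}


def _validate(answers):
    """Reject anything outside the yes / incomplete / no answer set."""
    bad = {k: v for k, v in answers.items() if v not in VALID_ANSWERS}
    if bad:
        raise ValueError(f"unrecognised answers: {bad}")


def compute_mil(domain):
    """Return the highest MIL (0-5) the domain has achieved.

    "incomplete" counts as not performed, so any practice that is not
    "yes" leaves the domain at MIL0. From MIL2 upward, a level counts
    only if every requirement of that level is "yes" AND every lower
    level already counted; a fully met MIL4 does not help while MIL3
    still has a gap.
    """
    _validate(domain.practices)
    for reqs in domain.maturity.values():
        _validate(reqs)
    if any(a != "yes" for a in domain.practices.values()):
        return 0
    level = 1
    for lvl in range(2, 6):
        reqs = domain.maturity.get(lvl, {})
        if not reqs or any(a != "yes" for a in reqs.values()):
            break
        level = lvl
    return level


def next_level_gaps(domain):
    """List the items blocking the next MIL, i.e. the gap analysis."""
    current = compute_mil(domain)
    if current == 0:
        return [p for p, a in domain.practices.items() if a != "yes"]
    if current == 5:
        return []
    reqs = domain.maturity.get(current + 1, {})
    return [r for r, a in reqs.items() if a != "yes"]


# Constructed sample: all practices performed, MIL2 fully met, one MIL3
# requirement still incomplete, MIL4 met (which must not count).
SAMPLE = DomainAnswers(
    name="Asset Management",
    practices={"AM-P1": "yes", "AM-P2": "yes", "AM-P3": "yes"},
    maturity={
        2: {"AM-MIL2-1": "yes", "AM-MIL2-2": "yes"},
        3: {"AM-MIL3-1": "yes", "AM-MIL3-2": "incomplete"},
        4: {"AM-MIL4-1": "yes"},
        5: {"AM-MIL5-1": "no"},
    },
)

if __name__ == "__main__":
    mil = compute_mil(SAMPLE)
    print(f"{SAMPLE.name}: MIL{mil} ({MIL_NAMES[mil]})")
    print("blocking next level:", next_level_gaps(SAMPLE))
```

Running it reports the sample domain at MIL2 (Planned) with `AM-MIL3-2` as the single item blocking MIL3; the point of `next_level_gaps` is that the report a practitioner wants is not the level alone but the specific unmet item.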

To complete the assessment, DHS (U.S. Department of Homeland Security) recommends that you involve multiple people from across your organization. These members should represent a variety of different functional areas, including: business, operations, security, technology, and maintenance.

The assessment is designed to be completed in a single day, but the PDF allows you to save your progress, so it certainly doesn’t have to be.

Overall, I really like how this assessment is laid out. The questions are simple to answer (yes/incomplete/no), and each question offers tooltips to help clarify the question and clearly lay out the requirements for a “yes” answer – so there’s not much left to interpretation. With a general understanding of how the maturity levels work I think most organizations should be able to complete this assessment and benefit from the reports with little-to-no outside support.


[Screenshot: asset management]


[Screenshot: screen tips]

Also, the report and visuals generated from the assessment are overall clear and effective. They’ve used an intuitive color scheme that very quickly gives you a good idea of how you scored and what areas your organization needs to work on.

[Screenshot: CRR performance summary]
[Screenshot: CRR MIL]

The CRR report is mapped to the NIST Cybersecurity Framework (NIST CSF) and provides a NIST CSF gap analysis chart as well.

[Screenshot: NIST cybersecurity framework]

So, if you have a service organization looking to increase your cybersecurity and improve your organization’s resilience, I would definitely recommend checking out this assessment.

S2 Org


About: Developed by SecurityStudio, the S2 Org assessment is a fit for any organization, regardless of size or industry. The cyber risk assessment was originally developed by FRSecure’s founder, Evan Francen, and used for FRSecure’s S2SCORE assessments for 10 years. SecurityStudio has now branched off to develop products that any organization can use to improve the information security of their organization.

The S2SCORE assessment is designed to assess the cyber risk to all aspects of Information Security within your organization. The S2SCORE score is based on a scale of 300-850 (modeled after the credit score), with 300 being rated as Very Poor (High Risk) and 850 as Excellent (Low Risk). The assessment is divided into four phases: Administrative, Physical, Internal Technical, and External Technical. While primarily question-based, the assessment also gives you the option to import Internal and External vulnerability scan results for a more accurate picture of your current security profile.

[Screenshot: SecurityStudio current cyber risk assessment]

Each phase can be completed and scored independently of the others, enabling you to assess all of the controls or only the subset relevant to your organization. Each phase is additionally broken up into control groups, allowing you to see at a glance where your organization is strong or weak.

[Screenshot: SecurityStudio phase 1, administrative controls]

For each control statement, you simply select True, False, or N/A. The developers have even built in a quick switch to mark all questions in a group with the same answer in a single click, making the 600+ statements surprisingly quick to get through. Additionally, you can create accounts for multiple team members to work on the assessment together. When anyone updates the assessment, their name and a date stamp are recorded on screen.

[Screenshot: review policies, information security]

You can really tell that the team at SecurityStudio has put a lot of effort into making the assessment easy to navigate, by adding features such as filters for incomplete questions, and multiple methods of navigating this otherwise very in-depth assessment.

Once the assessment is complete, you’re provided with a variety of report options, downloadable in PDF format. Additionally, if you continue to update your responses over time, you can measure your organization’s progress over time on the Organization Dashboard.

[Screenshot: SecurityStudio organization dashboard]
[Screenshot: SecurityStudio action plan]

In addition to the basic reports, the team at SecurityStudio is working to make additional reports available, for a fee, with mapping to other common standards such as HIPAA, NIST CSF, ISO 27001, and others.

S2Org also includes the ability to add multiple physical locations or sub-entities to your organization, and the ability to manage the risks identified from the assessment in an interactive Security Roadmap.

[Screenshot: company profile, SecurityStudio]
[Screenshot: location comparison]

The Security Roadmap is one of the features I’m most excited about. As you complete the assessment, the tool automatically creates a remediation roadmap customized to your organization. As a free member you are limited to viewing and exporting the roadmap, while the pro membership allows you to actively update and modify the Roadmap within the tool. Currently, you can customize your Roadmap by defining priority levels, target dates, tags, and work effort for each recommendation; additionally, you can update your progress and make notes relevant to your remediation activities. You can effectively use this tool as a risk register or action plan for your organization, updating it as each task is completed.

[Screenshot: security roadmap]
[Screenshot: security roadmap advice]

Despite the length of the cyber risk assessment overall, S2 Org is still my favorite tool to use. The simplified questions, easy-to-use interface, variety of reports, and customized roadmap really make this tool a great way to manage your security program.

Ease of Use: Easy | Easy | Complex | Moderate | Easy | Easy
Knowledge Required: Intermediate | Intermediate | Experienced | Intermediate | Familiar | Familiar
Download/Cloud: DL | Cloud | DL | DL | DL | Cloud
Latest Version: October 2018 | October 2018 | March 2019 | August 2017 | February 2016 | Updated every 2
Reports, more: Screen, PDF | Screen, PDF | No | YES | PDF | Screen, PDF, Excel
Change answers: NO | YES | YES | YES | YES | YES
Team Management: YES | YES | n/a | n/a | n/a | YES

Estimate your score or book free demo today

This is an interesting dilemma, and a question I hear regularly.  It goes like this:

“We have a lot of vendors that don’t want to fill questionnaires out at all.  What do vendors think of SecurityStudio?”

My answer to this is always the same…

3 or 4 years ago, when vendor risk management programs were largely nonexistent, vendors would push back on security questionnaires.  They would dodge, avoid, argue irrelevance, hide, ignore, answer cryptically, lie (in some cases, yes they do), get answers wrong, etc.  Basically everyone was trying to avoid having to fill out any information about security programs.

Now that we’re a few years down the road, vendors are used to this, especially in any regulated industry or anyone that works with healthcare orgs, finance, etc.  We’re a vendor, and we expect our customers to ask us about our security. 

So at this point, if I have a vendor that doesn’t want to give up information about their security, that’s a GIANT red flag for me. 

There are only a few reasons for not being forthcoming to a customer or prospect:

  • What the vendor does is highly sensitive, and they have to protect that information from everyone, including customers.
  • The vendor is a big enough company that they don’t need to respond to prospective customers.
  • A security program isn’t in place or the vendor doesn’t know how to answer the questions.

Each scenario is bad for me as a risk manager:

  • Even if you say you’re highly secure, it’s my responsibility to make sure.  So in scenario one, they would still have to have something they can provide me as evidence they know what they’re doing.  From my side, I can’t just take their word for it.  So give me something.
  • Although they’re a huge company (e.g. AWS, Microsoft, Google), they still pose a risk to us.
  • If they avoid/resist, give excuses, or want to argue about why they don’t need to provide us any information, I assume they don’t have a security program.

When deciding if you should “fire” a vendor, there are many things to consider:

  • Someone in your organization likely wants to do business with this vendor.
  • It could be a significant deal for your organization.  That adds pressure to push them through.
  • How significant is the risk and what could happen to you if they get breached?

There are many more factors obviously, but the point is that it is usually extremely hard to fire a vendor that the business wants to work with.  If you have the authority to pull that trigger, then I would advise using it sparingly.  We enlist the business to help us get the assessment results back if needed, and we prefer to push them into remediation rather than firing them.  SecurityStudio makes remediation really easy, so we prefer to just build remediation plans they can work on.  That way everyone is winning!

I would only fire a vendor if all these questions get answered “yes”:

  • They simply won’t give us information.
  • They argue and avoid enough that they give me the sense that they don’t have a security program.
  • The business has alternative vendors that they can use, and they are ok with the firing.

Short of that, we opt for remediation, or if the vendor won’t cooperate at all, we have the business grant the vendor a waiver.  That way, as a risk manager I can show that I did my due diligence but that the business decided to pursue the relationship anyway.  This is more than just CYA; it’s an important part of the partnership between security and the business.  We don’t want to shut them down, we just want to manage our risk.  They have the right to accept the risk of a vendor that won’t cooperate.  (document, document, document)

The feedback we get regarding vendor willingness to use SecurityStudio has been really good.  Yes, we have definitely seen the same types of patterns (avoidance, arguing, ignoring) but that’s what SecurityStudio is built to overcome.  Automated reminders, questions written in common language, an appealing interface, etc. all contribute to a positive experience for vendors too.  So yes, they have to do something, but the feedback we’re getting is that vendors like the way SecurityStudio works for them. Make it easier for yourself and company, and schedule your demo for SecurityStudio today!



Within a busy organization, vendor risk management (VRM) can feel like an ideal concept that is far out of reach.  Armed with a vendor risk management checklist and VRM software like SecurityStudio, establishing a vendor risk management program is well within grasp and can take less time, energy, and resources than expected.  The first step to creating a VRM program is to develop a plan.

1. Develop a Plan

The first step in creating a VRM program is to create a plan.  Simple enough, especially with a VRM software program like SecurityStudio.  The great thing about using a program like SecurityStudio is that the vendor risk management workflow is already built in, along with most of the communication.  Everything is centrally located in the program, and vendors move from one phase to the next with everything in plain view.  Most quality VRM programs include a classification phase; vendors are then typically assessed, followed by a treatment plan.  Then there are steps to repeat the process.  With a plan like this, the risk manager (administrator) will need to surround themselves with a quality team to execute it.

2. Assemble your Team

As with any vendor risk management program, the risk manager will want a group of professionals to help with inventorying vendors and classifying them.  Talking to your team members and making sure that everyone is on board will help with participation and, most importantly, gives them context as to how important information security and this particular vendor risk management checklist are to the organization. Team members can lose focus on how important their role is, partly due to the tedious nature of tracking down information.  Putting a date on a task also helps motivate people to complete it.

3. Determine a Timeline

Putting a timeline on tasks for both the team members and vendors helps with moving the process along.  If there’s not a timeline, then it’s easy for the vendor risk management program to be put to the side.  Software programs, such as SecurityStudio, have built-in timelines, but the due dates and timelines can be customized if needed. 

4. Inventory of Vendors

Taking inventory of the organization’s vendors is a key step in becoming defensible.  Whether the organization is using a software program or a spreadsheet, there needs to be a list of vendors that can pose a possible risk in order to be defensible.  This would seem like common sense, but in many organizations that don’t use vendor risk management software, there are incomplete, inaccurate, or outdated spreadsheets floating around in employees’ inboxes.  This alone could make a case for a software program like SecurityStudio, where all vendors are kept in one centralized location.

5. Designating a Relationship Owner

The security analyst, risk manager, administrator of the program, or whoever is assigned these responsibilities (usually the same person) is not necessarily the right person who would have access to contact information or would have direct vendor information to accurately answer classification questions.  Generally, the person who works directly with the vendor will be able to answer the questions most accurately.  Of course, this can vary between organizations.

6. Categorizing/Classifying Vendors

Classifying and categorizing vendors is arguably the most important stage of any VRM program.  VRM programs will measure the risk of each vendor, and with software programs like SecurityStudio, this is done efficiently and objectively.  The decisions made at this stage will set the tone and precedent for all future stages.  In short, if you’re going to get one stage right, this is the one.  An assessment is sent based on this classification.

7. Assess your Vendors

After the classification stage, an assessment is sent based on the results.  This is especially true for vendor software programs like SecurityStudio.  Assessments vary in length and scope based on classification, but it’s best practice to have binary answers to assessment questions of either true, false, or N/A.  If a vendor does have a conditional answer they will be able to explain the answer in another stage (usually during remediation).  Having binary answers to assessments will create a stronger, more objective, assessment. 

8. Establish your Threshold

As vendors start completing assessments, it becomes time to establish best practices if the organization hasn’t already done so.  For whatever method your organization chooses to assess vendors, there should be a minimum threshold as to how much risk the organization wants to take on.  In SecurityStudio, where the scoring is based on a scale similar to a credit score, the program has a recommended threshold, but organizations are able to set their own threshold based on objective results.  Whichever method is chosen, it’s best practice to apply the same standards for all vendors or vendors within a set industry. 

9. Choosing a Treatment Plan

Once the assessment results come back, it’s up to the organization to determine what to do with them.  At times it’s a matter of just approving the results, but if the results are not as favorable as expected, the organization should have a plan in place.  This is another example of a situation where best practices should be established. Whether a vendor is far too risky to work with, or the organization wants to give the vendor a chance to improve their results, there should be a clear plan.  In programs such as SecurityStudio, it’s relatively easy to look back on assessment results and then choose a plan based on them.

10. Objectively Repeat the Process

Vendor risk management is a never-ending process, and the VRM program needs to be repeatable in order to be effective at all.  Business relationships change and morph over time, so it would only make sense that the VRM program should adjust to these changes.  Not only would business relationships change over time, but VRM practices will update with time.  Updating the VRM program as new threats present themselves is just as important.  With programs like SecurityStudio, the changes in security practices and updates will be automatic and seamless.

This is what happened in the infamous Target data breach of 2013, and a vendor risk management checklist like this one might have prevented it.

If you want an easy-to-use automated workflow that evaluates all third-party vendors and brings your weakest links to the surface, schedule a demo with us today!



What is NIST CSF?

NIST CSF is voluntary guidance based on existing standards, guidelines, and practices to help organizations better manage and reduce information security risk. Another benefit is an increased level of communication around information security with both internal and external organizational stakeholders. The National Institute of Standards and Technology (NIST) developed the Cybersecurity Framework (CSF) because of Presidential Executive Order 13636, which was signed in 2013. 

NIST CSF 1.0 vs. NIST CSF 1.1

The first version of the NIST CSF has served us well since its adoption in 2014.  Five years have passed, and the threat landscape has not been stagnant.  Because of this, a new version, v1.1, was adopted in 2018.  Much of the framework still resembles the original v1.0 framework, with changes to language that state each control’s intent more clearly.

There are some additional categories added to v1.1 that are a result of the current emerging threats facing many organizations.  Supply Chain Risk Management ID.SC (Vendor Risk Management) is an area that certainly deserves to be formally addressed by the new framework.

There are 5 sub-categories that fall under ID.SC.  Let’s dig a little into each category and look at what this means from a practical standpoint.

Supply Chain Risk Management (ID.SC)

“The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.”

Translation – Your organization formally addresses the risks associated with using 3rd party vendors to support your business initiatives.  The process is formal and has structure to ensure you evaluate all vendors, not just the ones you feel are important.

ID.SC-1
  NIST language: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders.
  Explained: Executive management requires that Vendor Risk Management processes be established. They support this with the resources (money and staff) needed to manage properly. They communicate this requirement through governance (policies).

ID.SC-2
  NIST language: Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process.
  Explained: Every vendor has been identified and classified (based on potential risk to you) regardless of the goods/services supplied.  They should initially be evaluated with the same criteria, with more scrutiny applied based on the risk levels introduced.

ID.SC-3
  NIST language: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.
  Explained: You can use contracts to ensure 3rd party suppliers meet your information security requirements, which might be more stringent than their own internal requirements.

ID.SC-4
  NIST language: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
  Explained: In ID.SC-2 above, you initially evaluate 3rd party vendors and assign a risk level.  That process should be repeated on a regular (annual) basis. You can focus on the higher-risk vendors, but you need to consider ALL vendors, even the low-risk ones.

ID.SC-5
  NIST language: Response and recovery planning and testing are conducted with suppliers and third-party providers.
  Explained: High-risk vendors, ones that could cause grave harm to your organization, should be tested for response and recovery assurances. You don’t want their lack of planning and preparedness to negatively affect your

OK, Now what?

Once you determine that you will follow these sound information security principles, you will need a way to do so.  Traditionally, questionnaire forms and spreadsheets were used to track vendor risk. Because of the explosion in 3rd party vendor use, this process is no longer a viable solution.

SecurityStudio allows you to address the new NIST cybersecurity framework – Supply Chain Risk Management (ID.SC) guidelines.  The once cumbersome process is greatly simplified, efficient and thorough, which puts you in a defensible position.

If you need help, contact us! If you would like a SecurityStudio demo, schedule a demo today!



Part of any vendor risk management program involves putting together a list of vendors.  Sometimes this information is scattered across an organization, and it takes some real wrangling to collect it all.  This is why software programs like SecurityStudio are convenient: they help create a centralized list of vendors that is easy to update as necessary.  Here are key places to look for your full list of vendors:

1. Accounts Payable Specialist

The Accounts Payable Specialist is the first place that most people look for vendors.  This is probably the most practical place to look, primarily because most companies have to stay on top of their bills.  The Accounts Payable Specialist will have all the company invoices, and in most instances have the most comprehensive list of vendors. 

2. Internal Bookkeeping Software

Sometimes, if the company is small enough, all the company’s debits and credits are collected in a software program and updated by either an accountant or someone who assumes this role.  Usually this type of program is managed by an Accounts Payable Specialist, but that isn’t always the case.

3. Department Heads

Occasionally, a vendor will not provide an invoice at all.  What about that free software that employees install on their computers?  This is still considered a vendor and poses a risk.  The department head knows the day-to-day tasks of their employees and has a better idea of what’s installed on their computers and of other contact with vendors.

4. Tax Forms

Maintaining a current list of vendors is imperative to any vendor risk management program, but keeping a historical list of vendors is ideal.  Even though the company may not have business transactions with a previous vendor, there’s a good chance that information is kept on file with the vendor and still poses a risk.  Chances are good that this information will be stored on tax forms, so this is an ideal place to look for historical vendor information.

5. Bank Statements

Bank statements are a snapshot of invoices paid and are an excellent source for looking up vendors.  The information may not be complete, but it’s still a way to locate vendors that may be flying under the radar.

6. Credit Card Statements

While not all vendors are going to be included on a credit card statement or even be paid via credit card, it’s still a good place to look for those one-off vendors that aren’t used very often but still pose a risk.

If you want an easy-to-use automated workflow that evaluates all third-party vendors and brings your weakest links to the surface, schedule a demo with us today!



First, let’s start with the question, “why do I need to manage all vendors?”

We get asked this question all the time.  If you have a vendor risk management program, then it’s likely you aren’t managing all your vendors (just the high-risk ones, or even a subset of those).  The logic of focusing on the vendors that really matter seems rational, but here are some potential issues that arise with it:

  • How are you deciding which ones to manage?
  • Are you accounting for all the ways your vendors can impact you? 
  • Are you just managing the handful of vendors that you directly share confidential data with?
  • Is there a specific trigger you use to pick vendors to manage?  (sharing PHI for example)

From both a vendor risk and a defensibility standpoint, all those methods fall short.  If you are using a manual process to manage VRM, this may be all you can accomplish given resource constraints and other priorities.

But, what happens if a breach happens within a different vendor that has access to information but hasn’t hit your radar?  Or, what happens if the relationship with a vendor changes but you don’t know it changed? 

There are many reasons to manage all vendors consistently.  Here are a few:

  1. You are accounting for more risk.
  2. You can catch relationship changes and act accordingly.
  3. You can show that you have a consistent process.

All the above reasons make you more defensible should something bad happen.  And let’s be honest: you have hundreds of vendors; some of them have been breached, and some of them may be actively breached right now.

SecurityStudio makes it really easy to manage all vendors, as any good software should.  Something that is basically impossible to do with a manual/spreadsheet process can be made very simple with a decent software solution.

Let’s make sure we clarify that I’m NOT saying all vendors go through the same end-to-end process.  I’m saying account for them all, and once they are classified let their classification bucket (low, medium, or high risk) determine their path.

So where do you get the full list?  Finance is the best place.  You should be able to request a list of every vendor you have paid in the last 6 or 12 months from finance. This can be a large list.  In our experience, 75% of those vendors will be low risk, which is ok. With SecurityStudio, each low risk vendor can be processed in 2 minutes per year.

So enlist finance to help.  They can export a csv or xls file.  Any good software, including SecurityStudio, should be able to import your vendor list.  In this way, you can go from your current process to a mature VRM program basically overnight.

To get your easy-to-use automated workflow that evaluates all third-party vendors and brings your weakest links to the surface, schedule a demo with us today!

