Cyber Security Scorecard

Security Scorecard, a CAAT to measure the effectiveness of security controls

Benchmark your organisation’s cyber security posture

“If you can measure it, you can manage it.”


The Security Scorecard is a computer-aided audit tool (CAAT) that provides continuous visibility, via dashboards and cyber security reports, of how your business is tracking against an ‘Essential 8’ set of nationally and internationally recognised security controls proven to mitigate at least 85% of targeted cyber attacks.


Fig 1.0 Huntsman Security Scorecard – visibility of Security Controls status


What the Security Scorecard delivers to your business

  • Continuous measurement of cyber security posture – a cyber health check report
  • IT Security Controls Monitoring – visibility of performance against key security controls, including trends over time
  • Cyber Security KPIs – assurance that you are improving resilience to cyber threats



The Eight key Security Controls and why they are important 

Application Whitelisting

What it covers: Only authorised applications and code should be allowed to execute.
Why it’s important: By only allowing pre-approved applications and executables to run, the ability of malware to affect the system is severely curtailed.  Whitelisting also provides a greater defence against malicious code which may not yet be detected by gateway and end-point scanning technologies.  A whitelist-based approach to application/executable security also has the benefit of restricting users from running unauthorised or unlicensed software in the environment.


Restrict Administrative Privileges

What it covers: Ensures that access to administrative accounts is restricted to authorised personnel and that use of those accounts is limited to only those activities which are absolutely necessary.
Why it’s important: When administrators use privileged accounts to perform general duties, the risk of malware infection and dispersal is significantly higher as privileged accounts operate with a higher ambient security level than normal user accounts.  In addition, those accounts may have the ability to change the configuration of the wider infrastructure or provide an attacker with the ability to move laterally within the network.


Patch Operating Systems

What it covers: Patch/mitigate computers and devices with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest version of the operating system.
Why it’s important: Malicious software often gains access and propagates through the use of known software vulnerabilities.  Operating system vulnerabilities are often used to install backdoors for later use by the attacker, elevate privileges to gain access to sensitive information, or capture information from users by pretending to be legitimate software.


Patching Applications

What it covers: Ensures that application software has had all relevant vendor-supplied patches applied.
Why it’s important: Malicious software often gains access and propagates through the use of known software vulnerabilities.  Application vulnerabilities are often used to gain unauthorised access to all data to which the user account would legitimately have access, and also for the execution and propagation of malicious software such as ransomware which impacts data to which the user has write access.


Disable Untrusted Microsoft Office Macros

What it covers: Microsoft Office macros should be prevented from executing.
Why it’s important: Office documents containing macro code from external sources are an extremely high risk.  Macros run with the ambient security privilege of the user that opened the document, and are a common vector for downloading and executing additional malicious payloads from the Internet.  By disabling macros, any embedded malicious code remains dormant even if the user opens the document.


User Application Hardening

What it covers: User applications should be hardened against common vectors for attack such as through untrusted code executing in web browsers.
Why it’s important: Web browsers and other applications can convey malicious code in a variety of formats for execution directly on the end-point or in a virtualised machine.  Commonly exploited software such as Adobe Flash has been used as an attack vector for many years, and online advertising networks can be used to facilitate distribution of malicious code via banners.  It is recommended to disable the ability for end-points and other systems to execute Flash and other commonly compromised content delivery mechanisms.


Multi-Factor Authentication (MFA)

What it covers: Requiring multiple factors makes it harder for an attacker to use credentials, because additional elements are needed to complete an authentication to the system.
Why it’s important: By brute-forcing or guessing passwords, or gaining unauthorised knowledge of a password, an attacker can often gain complete control of a user’s account.  Users also often use the same password for multiple services or applications, which can result in significant damage.  By enforcing the use of multiple factors, knowledge of just a password does not give an attacker access.


Daily backup of important data

What it covers: Application and user data, system configurations and other critical parts of infrastructure should be regularly backed up, stored offline, and tested to ensure the backups are effective.
Why it’s important: When preventative controls have failed, often the only recourse is to restore data from a backup.  These backups should be taken regularly to ensure coverage of the latest state of the business and stored separately from the main infrastructure to guard against cyber-attack (e.g. encryption by ransomware) and physical threats (e.g. fire, flood and theft). Backups should also be tested to ensure that a recovery is achievable in the event they are needed.


How the Security Scorecard fits into your operation

The IT Security Scorecard provides security KPIs by gathering data from ongoing security operations and through direct connections to systems and configuration interfaces. From this data it automatically establishes weak points, policy failures and vulnerabilities to the most common attack types.


What Security Scorecard Solutions could help your business?

The functionality of the Security Scorecard forms the underpinnings of our ACSC Essential Eight compliance solution and the Executive Cyber Scorecard. Additionally, it includes many of the controls recommended by members of the Five Eyes Community:


UK Government – NCSC Top 10

North America – NSA Mitigation Strategies

New Zealand – NZ Cert Critical Controls 2018

Canada – CSE Top 10 Security Actions

Centre for Internet Security (CIS) Controls

