Journey Based Ranking System

Bento Assurance HQ ranks each area of your security program on one of five levels, from Foundation to Proactive Resilience.

  1. Foundation

    • Description: Basic controls are in place to address minimum requirements. These are the essential, non-negotiable protections every organization needs to operate safely.

    • Example Language: "You have the core protections needed to prevent basic risks. This is a great starting point, but there’s more we can do to strengthen your security posture."

    • Focus: Basic account setup, foundational policies, initial security checks (e.g., onboarding/offboarding procedures without extensive automation).

  2. Enhanced Control

    • Description: More comprehensive controls are implemented beyond the basics, including some level of automation and integration.

    • Example Language: "We’ve moved beyond the basics and are starting to put safeguards in place that improve efficiency and security."

    • Focus: Adding a directory service like JumpCloud, introducing SSO for core applications, and ensuring audit trails are in place.

  3. Integrated and Tracked

    • Description: Controls are integrated and tracked consistently, with clear processes and more robust management.

    • Example Language: "We’re now able to see and track your security activity more closely, which helps us maintain a higher level of control and response."

    • Focus: Consistent use of directory services, automation (e.g., SCIM), detailed tracking for audit purposes, and secure offboarding processes.

  4. Advanced and Adaptive

    • Description: Advanced controls with adaptive security practices tailored to the client’s specific needs and risk profile.

    • Example Language: "Your systems are now equipped with advanced security practices that adapt to emerging risks, keeping you ahead of the curve."

    • Focus: Implementation of device trust, advanced SSO integrations, real-time monitoring, and automated response mechanisms.

  5. Proactive Resilience

    • Description: Controls are fully optimized, enabling proactive defense and resilience against complex threats.

    • Example Language: "You’re now at a level where security is not only a protection but an advantage. Your systems are resilient and ready to respond to any threat."

    • Focus: Full zero-trust architecture, comprehensive automation, detailed monitoring and alerting, continuous improvement processes, and alignment with leading security frameworks.

Example Control Category Breakdown Using This Model

For each control category (e.g., Access Control, Incident Response, Network Security), assign the client a level based on the controls they currently have in place. Here is how it might look in practice:

Access Control (AC1 Example):

  • Foundation: Simple onboarding/offboarding procedures with manual tracking.

  • Enhanced Control: Core directory service (JumpCloud) implemented; basic SSO configured.

  • Integrated and Tracked: Use of SCIM automation, consistent tracking and auditing of onboarding/offboarding.

  • Advanced and Adaptive: Device Trust implemented, regular audits of access logs, automated offboarding.

  • Proactive Resilience: Full zero-trust access model with adaptive controls and continuous monitoring.

Communication Strategy

For each client, provide a one-sentence summary per category. For example:

  • "In Access Control, you’re currently at the Integrated and Tracked level, which means we have robust processes for tracking access and ensuring that only the right people have it."

  • "Our next steps will focus on achieving Advanced and Adaptive status, where we’ll add device trust and additional automation."