This online initiative is meant to enable users to not only identify cybersecurity strengths and weaknesses, but also compare their security status against other (anonymous) organizations that have a similar profile. BaaS also offers companies the ability to compare their cyber-readiness and compliance to ISF’s Standard of Good Practice for Information Security, ISO/IEC 27002 and COBIT 5 for information security, across a range of different environments and activities.
Unlike the ISF’s other resources, the BaaS facility will be available to any organization – the first time one of its tools has not been restricted to members. Subject to specific fees and conditions, users who submit a single questionnaire or batches of questionnaires will receive instant, real-time access to the benchmarking reporting facility, including an online analysis module and individual reports for completed questionnaires.
“Our BaaS tool is unrivaled as it provides organizations with an in-depth assessment of their security arrangements,” said Steve Durbin, global vice president of the ISF. “Benchmark results are available immediately – as soon as you submit your data you can receive results. This allows organizations to compare their performance against similar, anonymous organizations around the world.”
The BaaS portfolio contains several products. These include a quarterly Benchmark as a Service offer for £5,000 (~$8,000) per quarter, which provides unlimited usage of the ISF Benchmark as a Service during the specified three months, and an annual version that costs £12,000 (~$19,250) per year and provides unlimited use of ISF BaaS across the enterprise throughout the year.
“At a time when organizations are being asked to demonstrate their resilience to cyber threats by government, suppliers and customers alike, the ISF BaaS provides that objective analysis allowing you to measure both the effectiveness and value of your security investments,” said Durbin.
It’s likely that benchmarking efforts will grow, particularly as organizations wrestle with the implementation of cloud services and the bring-your-own-device (BYOD) trend. And the ISF isn’t the only organization to offer benchmarking services, of course. The Center for Internet Security recently rebranded as Security Benchmarks, and it offers its members the CIS Configuration Assessment Tool (CIS-CAT), a Java-based tool that compares the configuration of target IT systems to CIS Benchmarks and reports conformance scores on a scale of 0–100.
“By discovering any lack of conformance to CIS Benchmarks, CIS-CAT offers enterprises a powerful tool for analyzing and monitoring the security status of information systems and the effectiveness of internal security processes,” CIS noted.