CDCAT® - Cyber Defence Capability Assessment Tool

• CDCAT is the unique decision support system which allows a company to dynamically and proactively tackle its cyber security needs through business risk appetite analysis.
• CDCAT is updated on a quarterly basis with information drawn from multiple international sources not readily available to the private/public sector.
• CDCAT makes it easier for an organisation to manage their own cyber risk strategy and provides simple steps to improve cyber defence capabilities.
• CDCAT provides cyber professionals with the tools to build effective business cases for vital updates. Worst case scenario modelling outlines the potential cost to an organisation of not implementing the recommended change and suffering a breach. This is measured against the costs of enacting the change. These forecasts are based on the data provided during the assessment.
• CDCAT supports continuous security improvements for organisations and supply chains - as threats, consequences and risk appetites change. Through integrating multiple evolving reference standards, e.g. ISO 27000-series, it provides a framework for the assessment and integration of new technologies, e.g. cloud, mobile, digital applications, etc. supporting an up-to-date assessment.
• CDCAT provides organisations with a way to report back to key stakeholders that they are addressing sector based vulnerabilities and proactively targeting cyber defence weak spots.
• CDCAT calculates the overall business preparedness scores and defines a number of reports to support the analysis and assessment of the business improvements required.
• Cost savings can be driven through adopting an efficient risk management approach utilising the recommendations made in the CDCAT report.
• Visible, effective cyber security is an enabler for a thriving business.
• CDCAT covers all four levels of the Defence Cyber Protection Partnership (DCPP) 

CDCAT is constructed to include the full sets of best practice controls including ISO/IEC27001:2013, the US’s NIST Cyber Security Framework, UK’s 10 Steps to Cyber Security and Cyber Essentials – of which all are mapped onto a framework. This framework is uniquely constructed as a matrix from the standard cyber life cycle of Assess, Deter, Protect, Detect and Respond, mapped against the ITIL lifecycle of Service Strategy, Service Design, Service Transition and Service Operation.

The overarching requirements of Service Continuous Improvement and Governance are also included. This framework has 145 controls and all are considered when a CDCAT assessment is scoped.

The Controls considered, and from a wide variety of sources, including unique ones from NATO, are ranked according to their importance and frequency of use in delivery of security. The threat intelligence involved is regularly and frequently updated to ensure that it truly reflects today’s environment and not just the recent past.

From this combination, CDCAT identifies the most important controls that have been proved to be most effective against the current threats and then assesses how effectively they have been implemented.

The tool is used to provide a set of the most effective controls, usually the top 15 – 20 to perform a rapid assessment baseline called CDCAT Classic. This set can be augmented with additional controls to suit a particular organization and threat profile. If the effectiveness of this set of controls is repeatedly checked as threat, vulnerabilities or business contexts change, it can provide a very high level of assurance against attacks. This provides the CDCAT Dynamic Risk Management™ approach at pace.

Firstly the scope of the system to be assessed is defined.  This could range from a whole organization, to one main information system down to a single laptop. The risk tolerance for the system is agreed i.e. how much business risk is acceptable for the defined system. This determines the controls and the level of maturity required to be effective against the current threats.

An initial self-assessment is carried out by the organization in preparation for the full assessment.

The assessment itself takes between one and two hours. This requires the people who know the workings of the system well to be interviewed by either a trained internal assessor or an externally appointed assessor. It is this speed of assessment that empowers effective decision making on cyber defences and risk tolerance.

If a control is not in place or is not being implemented effectively, this is viewed as vulnerability and will adversely affect the capability of the organization to withstand attack.