Scoring Factor Sets
- [0] Operating System and Workstation Environment: This includes considerations such as diskless or remote workstations, NFS/shared data, encryption of data on devices, storage of decryption keys, and remote logging.
- [1] Administrator and Master Keys: We examine how administrator and master keys are handled, including second-level logging, tracing, access control, and key management.
- [2] Backup and Disaster Recovery Plan: This area encompasses redundancy management, backup strategies, and disaster recovery planning to ensure business continuity.
- [3] Authentication and Authorization: Our focus includes authentication services, third-party authentication, password checkers, LDAP schemes, profile management, and role-based access control.
- [4] Data Storage and Handling: We investigate data storage solutions (e.g., NAS, cloud object storage such as S3), API security, policies for data handling, backup procedures, document management, and data encryption methods.
- [5] Networking and VPNs: This area covers zero-trust policies, independent review of information and network security, VPN configurations, and secure networking practices.
- [6] Logging, Monitoring, and Incident Response: Our examination includes logging mechanisms (e.g., black boxes, honeypots), monitoring tools, antivirus software, alarm compliance monitoring, event reporting, and incident response procedures.
- [7] Software Development Lifecycle: We assess the complete software lifecycle, from design through implementation, deployment, and CI/CD pipelines to decommissioning, including security auditing (e.g., API security).
- [8] Secure Development Lifecycle and Risk Management: This area focuses on secure coding practices, risk management strategies, and compliance with relevant standards and regulations.
- [9] Software Security Auditing: Our evaluation includes black-box testing, vulnerability assessments, penetration testing, and other software security auditing techniques.
- [A] Cryptographic and Blockchain Infrastructure: We investigate the use of cryptographic technologies (e.g., encryption, digital signatures) and blockchain-based systems in IT infrastructure.
- [B] Hardware-Oriented Security and IoT Auditing: This area covers hardware-specific security considerations, such as secure boot mechanisms, firmware updates, and auditing of Internet of Things (IoT) devices.
- [C] Interfacing Protocols and APIs: Our examination includes the evaluation of interfacing protocols like MQTT, API-to-API interactions, trusted data exchange, mock APIs, and other related topics.
- [D] Roles, Responsibilities, Authorities, and Security Policy: We assess internal policies, operational procedures, incident handling guidelines, and role-based access control to ensure clarity on responsibilities and authorities within an organization.
- [E] AI-Oriented Ethics (Training and Implementation): This area focuses on the ethical considerations surrounding AI development, including data sourcing, model training, testing, and deployment practices.
- [F] AI-Oriented Ethics (Live Systems): Our evaluation includes the examination of ethics in live AI systems, such as fairness, transparency, accountability, and potential biases.