Technical Infrastructure Security Landscape Assessment

Assess the completeness of your technical security landscape and how it compares to market best practices.

A new tool in the battle for information security!

What's it all about


A brand new tool in the battle for information security

TISLA is a tool to assess the completeness of your technical information security landscape. It contains a survey of more than 350 questions based on market best practices. The tool is built in Microsoft® Excel and can be downloaded from this site. Use of the assessment is free of charge, but please take note of the licensing terms.

At the moment the TISLA tool leans a bit towards on-prem and IaaS environments. In the near future more security solutions for PaaS or full SaaS cloud solutions will be added.


The assessment covers a wide range of different technologies

The assessment is divided into 6 main categories in which security techniques are logically grouped. Of course, you do not want anyone who fills in the questionnaire to immediately know what the total score is. That is why a separate Excel file has been created for each main group, which can be issued to the subject matter experts for completion. The completed lists can then be easily imported into the tool. Below you’ll find the six main areas with their respective technologies.

1) Application Security

Web Application Firewall
Secure Software Development
Privacy by Design

2) Perimeter Security

NextGen DNS
NextGen Firewall
(Reverse) Proxy
Vulnerability Management

3) Detection & Response

Intrusion Detection
Intrusion Prevention
Active Response
Deception Technology
Security Logging
Monitoring

4) Identity, Access & Privileges

Network Access Control
Identity & Access Management
Privileged Access Management

5) EndPoint Protection

Antivirus & Malware Protection
Mobile Device Management
Email Security
Patch Management
Other EndPoint Security

6) Data Security

Data Loss Prevention
Backup & Recovery
Encryption

Besides these 6 main areas/categories there is a seventh category that contains some questions that didn’t fit in the above six, but can still be considered important for your infrastructure security.


Everything relates to risk!

Everything in the tool is related to risk. You can do this assessment for your entire ICT environment. The condition for doing so is that you enter the risk value of the system holding your most sensitive and/or critical data, because most of the time the entire infrastructure must be able to protect this data.

The tool gives you all freedom to set your company’s risk level, so it is entirely up to you to use this in a responsible way. The company risk level is used to estimate the risk present in your technical infrastructure security landscape. It also provides an indicator of how urgently action for improvement is needed. This is a “free” interpretation from the makers of the tool, based on experience in the information security world.


Questionnaires based on market best practices

Each of the six areas contains questionnaires about the technologies / equipment belonging to that category. In 95% of the cases the questions are “YES / NO / DON’T KNOW” questions. Questions answered with “don’t know” incur a small penalty: points are subtracted from the result, because you ought to know what your infrastructure can or cannot do. If you don’t know, Google for it and you might learn something.

A very small portion of the questions are percentage questions, where you enter your best estimate to complete the question. The questions can easily be answered by clicking selectors.
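To make the scoring mechanics described above concrete, here is an added Python model (not TISLA’s own code or formula): per-category sheets of YES / NO / DON’T KNOW and percentage answers, a small penalty for DON’T KNOW, and a company risk level that drives an urgency indicator. The point values, the 1..5 risk scale and the urgency formula are assumptions for illustration, and the sample sheets are constructed.

```python
# Assumed weights: the page says DON'T KNOW is penalised but gives no numbers.
YES, NO, DONT_KNOW = "YES", "NO", "DONT_KNOW"
POINTS = {YES: 1.0, NO: 0.0, DONT_KNOW: -0.25}   # assumption, not TISLA's weights
CATEGORIES = ("Application Security", "Perimeter Security", "Detection & Response",
              "Identity, Access & Privileges", "EndPoint Protection", "Data Security")


def score_sheet(answers):
    """Score one category's completed sheet: list of (question, kind, answer).

    kind is 'yesno' or 'percent'. Returns (points, maximum). A sheet is
    clamped at zero so many DON'T KNOW answers cannot push it negative.
    """
    points = 0.0
    for question, kind, answer in answers:
        if kind == "percent":
            pct = float(answer)
            if not 0.0 <= pct <= 100.0:
                raise ValueError(f"{question}: percentage out of range: {answer!r}")
            points += pct / 100.0          # 50% counts as half a point
        elif answer in POINTS:
            points += POINTS[answer]
        else:
            raise ValueError(f"{question}: unexpected answer {answer!r}")
    return max(points, 0.0), float(len(answers))


def assess(company_risk, sheets):
    """Combine the imported sheets into coverage per category plus an urgency.

    company_risk is an assumed 1 (low) .. 5 (critical) scale; urgency grows
    with both the risk level and the uncovered share of the landscape.
    A category with no imported sheet yet counts as 0% covered.
    """
    if not 1 <= company_risk <= 5:
        raise ValueError("company_risk must be between 1 and 5")
    coverage, total, maximum = {}, 0.0, 0.0
    for name in CATEGORIES:
        pts, mx = score_sheet(sheets.get(name, []))
        coverage[name] = pts / mx if mx else 0.0
        total, maximum = total + pts, maximum + mx
    overall = total / maximum if maximum else 0.0
    urgency = round(company_risk * (1.0 - overall), 2)   # 0 (none) .. 5 (act now)
    return {"coverage": coverage, "overall": round(overall, 3), "urgency": urgency}


# Constructed sample input: two of the six sheets returned by the experts.
SAMPLE_SHEETS = {
    "Application Security": [("WAF in front of public web apps?", "yesno", YES),
                             ("Secure SDLC gates enforced?", "yesno", DONT_KNOW),
                             ("Share of apps with a privacy review", "percent", 50)],
    "Data Security": [("DLP on email egress?", "yesno", NO),
                      ("Backups restore-tested quarterly?", "yesno", YES)],
}
```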


Built with security in mind

Not only did we want to make something new, we also had to make sure the tool is secure in both gathering the information and limiting the sharing of the result. Most CISOs will need their subject matter specialists to complete the questionnaires without them seeing / knowing the overall result. That’s why there are separate Microsoft® Excel files for each of the six main categories. They can be sent to the experts and can be easily imported after they are completed. So only you will see the overall result.


Continuous improvement with TISLA

TISLA can be used to keep continuous improvement going. It can be part of the PDCA (Plan Do Check Act) cycle to create a continuous loop of improvement. Just incorporate periodic TISLA assessments in your existing ISMS (Information Security Management System) and you will have a permanent way to keep your technical information security landscape up to date and on the highest level necessary for your environment.


Join the team, share knowledge and be part of something special

The TISLA tool is built and maintained by a group of security enthusiasts. It is our goal to update the contents and questions at least once a year to keep up with market developments. You can join the team by joining the TISLA workspace on Slack: https://tisla.slack.com

We need you and your expertise to optimise this tool and to keep up with market developments. So please feel free to join the team.


Support the TISLA core team

The TISLA team and website fully depend on volunteers, but maintaining this site and everything that comes with it isn’t free. If you like what we do, please support us and buy us a cup of coffee on https://www.buymeacoffee.com/tislatoolorg or click the button in the footer of this page.