Using the Tool
With MSAT, you can create multiple Business Risk Profiles (BRPs) and Assessments from the main menu. First, you create a profile by answering a few basic questions about your organization. Then you perform a Defense-in-Depth (DiD) assessment. DiD refers to the concept of layered defenses, covering the operational, technical, and organizational aspects of your environment. The scores from the assessment you perform make up what is known as the Defense-in-Depth index.
Once you complete your assessment, it can be uploaded anonymously to a secure MSAT web server, which allows you to view a full report. In addition to viewing the full report, uploading gives you access to the Compare function. To track your progress over time, you can use the Compare function to compare two of your own assessments. You can also compare your results with those of other companies that have uploaded their assessment reports anonymously. The only identifiable information collected by the report is your company name, which appears on the assessment report. If you would rather keep your company name private, simply use a fictitious name.
The tool itself is simple to use and covers the major security areas that you might be interested in evaluating. The questions are related to the following major profile categories, as shown in Figure 1.
- Basic information
- Infrastructure security
- Applications security
- Operations security
- People security
Figure 1 Major profile categories.
At the end of the assessment, you can save a comprehensive report as an HTML file. You can easily modify your business risk profile, or change the answers to your questions and then save the report.
From the Tools menu, you can choose Glossary, as shown in Figure 2. The glossary is helpful when you start the assessment and are unclear on certain terms or acronyms. The glossary is also included at the end of the detailed printed report, but you can't view any information in the report until you've answered all the questions. That's why the glossary is also accessible through the menu.
Figure 2 MSAT glossary.