A rigorous and transparent security labeling methodology

LEET Security. A rigorous and transparent security labelling methodology

The rating guide reflects in detail the procedures and more than 1300 practices which are analyzed to determine the rating of the security levels provided by suppliers in each service.

The model is based on a supervised self-declaration: the ICT service provider itself chooses the level at which it wants its service rated and must complete a report describing how it meets the practices required for that level. LEET Security then audits that report to verify that the proposed level is adequate.

The rating methodology is the first system that adheres to the standard UNE 71381:2016 Information technology. Cloud Computing. Labelling systems, which defines the requirements for labelling systems such as LEET Security.

Procedure

The procedure, following acceptance of the conditions by the supplier, is carried out in the following phases:

1. Training of the supplier on the rating scheme and its components, as well as the stages of the process.

2. Once the supplier's report is received, it is assessed in detail and subjected to a partial-scope audit, requesting additional information if required, and the resulting rating level for the service is assigned.

3. During the year of validity following the rating, LEET Security monitors market trends, incidents, etc., that could change the rating.

4. One year after the rating, and by a similar process, the renewal with the corresponding rating is granted or denied.

Follow up

The follow-up to ensure that the required conditions are maintained during the period of validity is performed through three additional control mechanisms:

1. Perform random audits.

2. Digital surveillance, including an incident/complaint notification channel for users of rated services.

3. Obligation for the provider to notify LEET Security about any circumstance or modification that may affect the rating.

In any of these cases, LEET Security proceeds with a reassessment to determine whether the rating levels granted to the service are maintained or modified.

Score

The ratings consist of 3 letters, which define the level of qualification obtained by the supplier for the particular service on the three fundamental dimensions of information security: Confidentiality, Integrity and Availability. All ratings are registered and published on the LEET Security website and through its dissemination channels.

Both the specific measures implemented by the rated service and the general characteristics of the supplier are taken into account when granting these rating levels, to ensure that the supplier is reliable and has implemented measures that guarantee the resilience of the service (since no one is immune to an incident, the most important thing is to assess the resilience of the service).

Rating levels

All the practices included in the rating guide are classified into 5 levels, from A+ to D. The 'D' level already demands basic security measures, while the 'A+' level corresponds to the best possible set of measures currently available. Thus, the 'A+' level is reserved for services that manage highly confidential information (such as industrial or national secrets) or that have very stringent availability requirements (such as critical infrastructures).

To achieve a certain level, a service must meet all the practices required for that level, based on the maxim that "security is only as strong as its weakest link". This implies that if a service complies with all the practices necessary to achieve level B except for one, which only reaches the practices required for level C, the final grade will be C.

By displaying the LEET stamp, the provider guarantees that the qualified service implements a management system and security mechanisms.

This score is not a single global value; the relevant measures are evaluated for each of the three fundamental dimensions of information security: Confidentiality, Integrity and Availability. Thus, the rating assigned by LEET Security consists of three letters: the first indicates the reliability of the service in terms of Confidentiality, the second assesses Integrity and the third measures Availability, always assessed specifically for the rated service.

There are also additional qualifiers that correspond to compliance with specific regulations:

- '+LOPD L/M/H' Indicates compliance with LOPD requirements for low / medium / high criticality personal data.

- '+PCIDSS' Indicates compliance with PCI DSS.

- '+ENS L/M/H' Indicates compliance with Spanish National Security Scheme requirements for low / medium / high critical systems.

- And soon, we will add '+DPCoC' indicating compliance with European Data Privacy Code of Conduct for cloud providers.

There is also a non-specific rating: PASSED. This means that the service meets at least all controls relevant to level D in the three dimensions, although the provider does not wish to show the levels explicitly. In this case, the executive summary of the levels can be consulted in the section of rated services, associated with the respective registry number, or accessed by clicking on the stamp shown on the service provider's website.
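The rating rules above (weakest-link aggregation per level, one letter for each of Confidentiality, Integrity and Availability, optional compliance qualifiers, and the PASSED label) can be modelled as a small scoring routine. The following is an added example, not LEET Security's own code or rating guide: the practice identifiers and the tiny practice catalogue are constructed, and it assumes a cumulative reading in which a practice required at one level is also required at every level above it.

```python
"""Added example (not LEET Security's code): derive a C/I/A rating label from
per-practice audit results using the weakest-link rule described on the page.

Assumptions (mine, not from the rating guide): the practice identifiers, the
small constructed catalogue below, and the cumulative reading that a practice
required at level X is also required at every level above X.
"""
from dataclasses import dataclass

LEVELS = ["D", "C", "B", "A", "A+"]          # lowest to highest
DIMENSIONS = ("Confidentiality", "Integrity", "Availability")


@dataclass(frozen=True)
class Practice:
    pid: str            # constructed identifier, not a real guide reference
    dimension: str
    required_from: str  # lowest level at which this practice is required


# Constructed sample catalogue; the real guide lists more than 1300 practices.
CATALOGUE = [
    Practice("C-01", "Confidentiality", "D"),
    Practice("C-02", "Confidentiality", "C"),
    Practice("C-03", "Confidentiality", "B"),
    Practice("C-04", "Confidentiality", "A"),
    Practice("I-01", "Integrity", "D"),
    Practice("I-02", "Integrity", "B"),
    Practice("I-03", "Integrity", "A"),
    Practice("A-01", "Availability", "D"),
    Practice("A-02", "Availability", "C"),
    Practice("A-03", "Availability", "A+"),
]


def dimension_level(practices, met, dimension):
    """Highest level for which every practice required at or below it is met
    in the given dimension. Returns None when even level D is not reached."""
    achieved = None
    for level in LEVELS:
        needed = [
            p for p in practices
            if p.dimension == dimension
            and LEVELS.index(p.required_from) <= LEVELS.index(level)
        ]
        if all(met.get(p.pid, False) for p in needed):
            achieved = level
        else:
            break  # weakest link: an unmet practice caps the rating here
    return achieved


def rate_levels(practices, met):
    """Tuple of levels in (Confidentiality, Integrity, Availability) order;
    an entry is None if that dimension does not reach level D."""
    return tuple(dimension_level(practices, met, d) for d in DIMENSIONS)


def label(levels, qualifiers=(), show_levels=True):
    """Build the published label: three letters (or PASSED when the provider
    does not show levels) plus any compliance qualifiers such as '+PCIDSS'.
    Returns None when some dimension is not ratable at all."""
    if any(lvl is None for lvl in levels):
        return None
    text = "".join(levels) if show_levels else "PASSED"
    if qualifiers:
        text += " " + " ".join(qualifiers)
    return text


if __name__ == "__main__":
    # Worked case from the page: everything for level B is met except one
    # Confidentiality practice that only reaches level C -> Confidentiality is C.
    results = {p.pid: True for p in CATALOGUE}
    results["C-03"] = False
    print(rate_levels(CATALOGUE, results))                        # ('C', 'A+', 'A+')
    print(label(rate_levels(CATALOGUE, results), ("+PCIDSS",)))  # CA+A+ +PCIDSS
```

The `break` in `dimension_level` is what encodes the "weakest link" maxim: as soon as one required practice at a level is unmet, no higher level is considered for that dimension, regardless of how many higher-level practices the service happens to satisfy.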

Recognition:

LEET Security's rating system, developed since 2010 and continually evolving, is recognized by the European Agency for Network and Information Security (ENISA) and the Instituto Nacional de Ciberseguridad (INCIBE) as a trust mechanism.

The rating methodology adheres to the standard UNE 71381:2016 Information technology. Cloud Computing. Labelling systems.
