LEET Security. A rigorous and transparent security labelling methodology

The rating guide sets out in detail the procedures and the more than 1100 controls that are analyzed to determine the security level a supplier provides in each service.

The model is based on a supervised self-declaration: the ICT service provider itself chooses the level at which it wants its service rated, and it must complete a report (the "memory") defining how it meets the controls required for that level. LEET Security audits this report to verify that the proposed level is adequate.

The rating methodology is the first system that adheres to the standard UNE 71381:2016 Information technology. Cloud Computing. Labelling systems, which defines the requirements for labelling systems like LEET Security.


Once the supplier has accepted the conditions, the procedure runs through the following phases:

1. Training of the supplier on the grading scheme and its components, as well as on the stages of the process.
2. Once the supplier's report (memory) has been received, it is assessed in detail and subjected to a partial scope audit, with additional information requested if required, and the resulting rating level is assigned to the service.
3. During the year of validity following the rating, LEET Security monitors market trends, incidents, etc., that could change the rating.
4. One year after the rating, and by a similar process, renewal with the corresponding rating is granted or denied.

Follow up

The follow-up, which ensures that the required conditions are maintained during the period of validity, is based on three additional control mechanisms:

1. Random audits.

2. Digital surveillance, including an incident/complaint notification channel for users of rated services.

3. An obligation for the provider to notify LEET Security about any circumstance or modification that may affect the rating.

In any of these cases, LEET Security would proceed with a reassessment to determine whether to maintain or modify the rating levels granted to the service.


The ratings consist of 3 letters, which define the level obtained by the supplier for the particular service in the three fundamental dimensions of Confidentiality, Integrity and Availability of information. All grades are registered and published on the LEET Security website and through its dissemination channels.

Both the specific measures implemented by the rated service provider and the general characteristics of the supplier are taken into account when granting these rating levels, to ensure that the supplier is reliable and that it implements measures to ensure the resilience of the service provided (since no one is immune to an incident, the most important thing is to assess the resilience of the service).


LEET Security’s rating system, developed since 2010 and continually evolving, is recognized by the European Agency for Network and Information Security (ENISA) and the Instituto Nacional de Ciberseguridad (INCIBE) as a trust mechanism.

The rating methodology adheres to the standard UNE 71381:2016 Information technology. Cloud Computing. Labelling systems.