The rating guide reflects in detail the procedures and more than 1300 practices which are analyzed to determine the rating of the security levels provided by suppliers in each service.
The model is based on a supervised self-declaration: the ICT service provider itself chooses the level at which it wants its service rated, and it must complete a report describing how the service meets the practices required for that level. LEET Security audits this report to verify that the proposed level is adequate.
The rating methodology is the first system that adheres to the standard "UNE 71381:2016 Information technology. Cloud Computing. Labelling systems", which defines the requirements for labelling systems such as LEET Security's.
The procedure, following acceptance of the conditions by the supplier, is developed in the following phases:
The ratings consist of 3 letters, which define the level obtained by the supplier for the particular service on the three fundamental dimensions of information security: Confidentiality, Integrity and Availability. All ratings are registered and published on the LEET Security website and through its dissemination channels.
Both the specific measures implemented for the rated service and the general characteristics of the supplier are taken into account when granting these rating levels, in order to ensure that the supplier is reliable and has implemented measures that guarantee the resilience of the service (since no one is immune to an incident, the most important thing is to assess the resilience of the service).
Follow-up, to ensure that the required conditions are maintained during the period of validity, is performed through three additional control mechanisms:
Perform random audits.
Digital surveillance, including an incident/complaint notification channel for users of rated services.
Obligation for the provider to notify LEET Security about any circumstance or modification that may affect the rating.
In any of these cases, LEET Security proceeds with a reassessment in order to determine whether the rating levels granted to the service should be maintained or modified.
All the practices included in the rating guide are classified into 5 levels, from A+ to D. Level 'D' already requires basic security measures to be met, while level 'A+' corresponds to the best possible set of measures available at the current time. Thus, the "A+" level is reserved for services that manage highly confidential information (such as industrial or national secrets) or that have very stringent availability requirements (such as critical infrastructures).
To achieve a certain level, a service must meet all the practices required for that level, following the maxim that "security is only as strong as its weakest link". This implies that if a service complies with all the practices necessary to achieve level B except for one, for which it only reaches the level C practices, the final grade will be C.
This rating is not global; the relevant measures are evaluated separately for each of the three fundamental dimensions of information security: Confidentiality, Integrity and Availability. Thus, the rating assigned by LEET Security consists of three letters: the first indicates the reliability of the service in terms of Confidentiality, the second assesses Integrity and the third measures Availability, always specifically for the rated service.
+PCI, implying that the service complies with PCI DSS v3.1.
+ENS/c, indicating compliance with RD 311/2022, which regulates the National Security Scheme.
+C4V, indicating compliance with the Cybersecurity Capacity Building model for the Value Chain, in accordance with the ENSI.
+PRIV, awarded after verification of compliance with all practices linked to data protection regulations, in particular the General Data Protection Regulation and the LOPDGDD, in accordance with the rating level obtained.
A service can also obtain the nonspecific rating PASSED. This means that the service meets at least all the controls relevant to level D in the three dimensions, although the provider does not wish to show the levels explicitly. In this case, the executive summary of the levels can be consulted in the rated services section, under the corresponding registry number, or by clicking on the seal shown on the service provider's website.
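To make the weakest-link rule concrete, the following Python is an added example, not LEET Security's own tool or rating guide. It assumes practices are cumulative (a level requires all practices of that level and every lower one), orders the levels D < C < B < A < A+ as the text does, and uses a small constructed practice list in place of the real guide's 1300+ practices. The confidentiality practices reproduce the page's own case: everything needed for B is met except one practice that only reaches C, so the dimension scores C. It also derives the PASSED label for a provider that does not want the three letters shown.

```python
"""Added example: derive a three-letter rating using the weakest-link rule."""

# Ascending order of levels as described on the page (D is the lowest).
LEVELS = ["D", "C", "B", "A", "A+"]
# Order of the three letters in the rating.
DIMENSIONS = ("confidentiality", "integrity", "availability")

# Constructed sample practices: (dimension, level at which it is required, met?).
# Assumption: a practice's level is the lowest level that demands it.
SAMPLE_PRACTICES = [
    # Confidentiality: B is missed by a single unmet B practice -> C.
    ("confidentiality", "D", True),
    ("confidentiality", "C", True),
    ("confidentiality", "B", True),
    ("confidentiality", "B", False),   # the one weak link
    ("confidentiality", "A", True),
    # Integrity: D, C and B met, A not -> B.
    ("integrity", "D", True),
    ("integrity", "C", True),
    ("integrity", "B", True),
    ("integrity", "A", False),
    # Availability: everything up to A met, A+ not -> A.
    ("availability", "D", True),
    ("availability", "C", True),
    ("availability", "B", True),
    ("availability", "A", True),
    ("availability", "A+", False),
]


def dimension_level(practices, dimension):
    """Return the highest level for which every required practice of that
    level and all lower levels is met, or None if level D is not reached
    (or no practices exist for the dimension)."""
    in_scope = [p for p in practices if p[0] == dimension]
    if not in_scope:
        return None  # nothing to assess; cannot be rated
    achieved = None
    for level in LEVELS:
        required = [met for _, lvl, met in in_scope if lvl == level]
        if all(required):
            achieved = level        # all practices at this level are met
        else:
            break                   # weakest link: stop at the first failing level
    return achieved


def rating(practices):
    """Tuple of levels in (Confidentiality, Integrity, Availability) order."""
    return tuple(dimension_level(practices, d) for d in DIMENSIONS)


def rating_label(practices, show_levels=True):
    """Three-letter label, the nonspecific PASSED label when the provider
    hides the levels, or NOT RATED if any dimension falls below D."""
    levels = rating(practices)
    if any(level is None for level in levels):
        return "NOT RATED"
    if not show_levels:
        return "PASSED"  # at least level D in all three dimensions
    return "".join(levels)


if __name__ == "__main__":
    print(rating(SAMPLE_PRACTICES))                        # ('C', 'B', 'A')
    print(rating_label(SAMPLE_PRACTICES))                  # CBA
    print(rating_label(SAMPLE_PRACTICES, show_levels=False))  # PASSED
```

Note that the loop stops at the first level with an unmet practice even if higher-level practices happen to be satisfied, which is exactly the "weakest link" behaviour the text describes; a rating is therefore never better than its lowest unmet level minus one.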