Leet Security Rating Guide
Name of the programme: Leet Security Rating Guide
Governing of the standard: Leet Security
Accreditation Body/Bodies: Leet Security
Scope: Security and resilience.
Cloud-relevance: Not Cloud specific
Type of certifiable organisation: Any – SaaS, PaaS, IaaS
Type of trust models applicable: Third party assessment
Is the certification proprietary or open: Open (with some rights reserved)
Programme, status (operational, in development): Operational
The following text is based on information received from Leet Security:
The rating system created by Leet Security is based on the typical five levels from A to E (A being the best case), which are assigned to three dimensions of security for each service rated: confidentiality, integrity and availability (CIA).
In this way, the rating of a service takes the form of a set of three letters, e.g. ‘BDC’, meaning that the service has a rating of ‘B’ for confidentiality, a ‘D’ for integrity, and a ‘C’ for availability.
Criteria analysed by the rating methodology are divided into 14 chapters:
- Information security Management Program
- System Operation
- Personnel Security
- Facility Security
- Third-party processing
- Malware protection
- Network controls
- Monitoring Access control
- Secure development
- Incident handling
Validating compliance with specific laws, regulations and standards is one of the most direct applications of the rating. All best practices regarding ICT services outsourcing require clients to perform due diligence to ensure that the service being acquired meets the client's compliance needs. In this field, if there is a rating level that implies compliance with a given law, regulation or standard, it is straightforward for an organisation to know whether a service meets those requirements: it simply checks that the rating assigned is equal to or higher than that rating level.
For this reason, the Leet Security rating system has established special levels for compliance with different standards. In the initial version of the methodology there are two special levels for compliance:
- ‘+’, which shows that the service is compliant with Spanish privacy Law 15/1999 and its regulatory development, RD 1.720/2007
- ‘*’, which implies that the service is compliant with PCI DSS v2.0