Understanding Grades for Targets Scanned in a Data Scan
When performing data scans, you may notice that the risk grid assigns grades ranging from A+ to F for scanned targets, such as IP addresses, bank account numbers, or other types of data. This article explains the rationale behind these grades to help you better understand the risks associated with different data types.
1. What Does an A+ Grade Indicate?
An A+ grade typically reflects that the scanned item is low-risk when considered on its own. For example:
Standalone IP Addresses:
An IP address on its own generally poses minimal risk because it lacks meaningful context. If someone were to access just the IP address without any accompanying information (e.g., internal network access or related credentials), it would not be particularly valuable or dangerous.
The A+ grade here indicates that while it’s helpful to locate IP addresses within your files for organizational or operational purposes, these items are not inherently high-risk from a customer data standpoint.
2. What Does an F Grade Indicate?
An F grade signifies that the scanned item represents a high-risk data type that could be exploited, even on its own.
Example: Bank Account Numbers
A bank account number carries significant risk if exposed because:
- It includes critical financial details such as prefixes and account identifiers.
- A malicious actor could potentially use it to access or exploit financial systems, especially when combined with additional information.
3. Why Do Grades Differ So Much?
The disparity between grades like A+ and F arises because of the context and standalone risk of the data type:
- A+ Data: Items like IP addresses, when exposed without other supporting information, are unlikely to lead to significant harm.
- F Data: Items like bank account numbers are inherently sensitive and can lead to exploitation even without additional context.
This grading system is designed to prioritize remediation efforts on items that pose the highest risk to security and privacy.
4. Practical Implications
The grading system serves as a guideline for assessing and addressing risks:
- Low-Risk Items (A+): Use these grades to identify data that may need further context for business or operational purposes but does not require urgent action.
- High-Risk Items (F): Focus remediation efforts on securing or removing this data to minimize the potential for breaches or exploitation.
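To make the prioritization concrete, the following Python sketch is an added illustration, not code from this article or from the CYRISMA scanner. It scans a few constructed file lines for the two data types the article discusses, assigns each finding its standalone-risk grade, and orders the results so F-grade items are remediated first. The detection regexes, the grade table and the rank order are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Standalone-risk grade per data type. The A+ and F values are the ones the
# article gives; the table itself is assumed for this example.
STANDALONE_GRADE = {
    "ip_address": "A+",
    "bank_account": "F",
}

# Remediation rank: lower number = more urgent (assumed ordering of the scale).
GRADE_RANK = {"F": 0, "D": 1, "C": 2, "B": 3, "A": 4, "A+": 5}

# Detection patterns, constructed for this example. A production scanner
# validates far more carefully than these regexes (octet ranges, checksums).
PATTERNS = {
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "bank_account": re.compile(r"\b(?:ACCT|Account)[ :#]*(\d{8,17})\b"),
}

@dataclass(frozen=True)
class Finding:
    line_no: int
    data_type: str
    grade: str
    value: str

def scan(lines):
    """Return one Finding per detected data item, in file order."""
    findings = []
    for n, line in enumerate(lines, 1):
        for dtype, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(1) if m.lastindex else m.group(0)
                findings.append(Finding(n, dtype, STANDALONE_GRADE[dtype], value))
    return findings

def remediation_order(findings):
    """Sort findings so the highest-risk grades (F) come first."""
    return sorted(findings, key=lambda f: (GRADE_RANK[f.grade], f.line_no))

# Constructed sample content; values are not real.
SAMPLE_LINES = [
    "host=10.20.30.40 role=fileserver",
    "Customer refund: Account 123456789012 wired",
    "gateway 192.168.1.1 unreachable",
]

if __name__ == "__main__":
    for f in remediation_order(scan(SAMPLE_LINES)):
        print(f"{f.grade:>2}  line {f.line_no}  {f.data_type}: {f.value}")
```

Run as a script it prints the bank account (F) first and the two IP addresses (A+) after it, which is the ordering the article recommends for remediation effort.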
5. Summary
The grades in the risk grid are assigned based on the potential impact of exposing the scanned target:
- A+ Grade: Low-risk items that have minimal standalone value (e.g., IP addresses).
- F Grade: High-risk items that are inherently sensitive and exploitable (e.g., bank account numbers).
Understanding these grades helps you prioritize your security efforts and maintain robust data protection practices.
