SECURITY SCORING MATRIX

Quantitative Risk Assessment Framework

SCORING CATEGORIES (Weighted)

1. INFRASTRUCTURE SECURITY (25%)

• Network Segmentation (0-10 points)
• Endpoint Protection (0-10 points)
• Cloud Configuration (0-10 points)
• Physical Security (0-5 points)

2. DATA PROTECTION (20%)

• Encryption at Rest/Transit (0-10 points)
• Data Classification (0-5 points)
• Backup & Recovery (0-5 points)
• Data Loss Prevention (0-5 points)

3. IDENTITY & ACCESS (20%)

• Multi-Factor Authentication (0-10 points)
• Privileged Access Management (0-10 points)
• User Lifecycle Management (0-5 points)
• Role-Based Access Control (0-5 points)

4. GOVERNANCE & COMPLIANCE (15%)

• Policy Documentation (0-10 points)
• Regulatory Compliance (0-10 points)
• Third-party Risk Management (0-5 points)
• Security Training (0-5 points)

5. OPERATIONAL SECURITY (20%)

• Monitoring & Alerting (0-10 points)
• Incident Response (0-10 points)
• Vulnerability Management (0-10 points)
• Patch Management (0-5 points)

SCORING SCALE

• 0-25: Critical Risk (Immediate intervention required)
• 26-50: High Risk (Significant improvements needed)
• 51-75: Medium Risk (Gaps require addressing)
• 76-90: Low Risk (Minor improvements suggested)
• 91-100: Optimal (Industry best practices)

CALCULATION FORMULA

Total Score = Σ(Category Score × Weight)