CyFun Tracker

Compliance Overview

CyberFundamentals Basic Level · 34 Controls · NIST CSF v1.1

Demo Mode

6

Compliant

13

Partial

8

Non-Compliant

7

Not Assessed

Overall Compliance
63%Overall
Compliant
Partial
Non-Compliant
Not Assessed
NIST CSF Function Scores
IDIdentify
7/947%
x
PRProtect
14/1773%
x
DEDetect
4/483%
x
RSRespond
1/315%
x
RCRecover
1/110%
x
Compliance Trend

Key Measures (13)

Mandatory controls derived from Belgian cyber incidents

PR.AC-1

Identities and credentials are issued, managed, verified, revoked, and audited

AutomatedPartially Compliant
78%
PR.AC-3(b)

Remote access is secured with multi-factor authentication (MFA)

AutomatedPartially Compliant
82%
PR.AC-4(a)

Access permissions and authorizations are managed

AutomatedPartially Compliant
75%
PR.AC-4(b)

Access to critical information is identified and managed

AutomatedPartially Compliant
68%
PR.AC-4(c)

Least privilege access is enforced

AutomatedNon-Compliant
45%
PR.AC-4(d)

Administrator privileges are not used for daily tasks

AutomatedNon-Compliant
35%
PR.AC-5(a)

Network integrity is protected with firewalls

Semi-autoCompliant
98%
PR.AC-5(b)

Network segmentation is implemented where appropriate

ManualNot Assessed
PR.IP-4

Backups of information are conducted, maintained, and tested

Semi-autoPartially Compliant
70%
PR.MA-1

Maintenance and repair of assets is performed and logged with approved tools

AutomatedCompliant
92%
PR.PT-1

Audit/log records are determined, documented, implemented, and reviewed

AutomatedCompliant
96%
DE.AE-3

Event data are collected and correlated from multiple sources

AutomatedPartially Compliant
80%
DE.CM-4

Malicious code is detected

AutomatedCompliant
97%
Critical & High Findings (8)
high

Improvement needed: Organizational cybersecurity policy is established and communicated

Draft a cybersecurity policy covering acceptable use, password requirements, incident reporting, and data handling. Have management approve it. Distribute to all employees and obtain acknowledgment. Review annually.

high

Improvement needed: Governance and risk management processes address cybersecurity risks

Establish a risk management process. Conduct a cybersecurity risk assessment at least annually. Document risk appetite and tolerance levels. Integrate cyber risks into overall business risk management.

high

Improvement needed: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk

Maintain a risk register combining threats, vulnerabilities, likelihood, and business impact. Use a simple risk matrix (likelihood x impact). Prioritize mitigation based on risk scores. Review quarterly.

high

Improvement needed: Least privilege access is enforced

Audit all Global Administrator accounts — limit to maximum 2-4. Remove standing privileged access; use PIM for time-limited elevation. Restrict default user permissions in Entra ID. Disable self-service group creation if not needed.

high

Improvement needed: Administrator privileges are not used for daily tasks

Create dedicated admin accounts (e.g., admin-john@company.com) separate from daily-use accounts. Admin accounts should not have mailboxes or Microsoft 365 licenses. Use Privileged Identity Management (PIM) for just-in-time access.

+3 more findings