Häufig gestellte Fragen

~~Contact~~Kontaktdaten ~~details~~für ~~in case you have any questions:~~Fragen: KSV1870 Nimbusec GmbH office@nimbusec.com +43 (732) / 860 626 Kaisergasse 16b, 4020 Linz

Table of contentsInhaltsverzeichnis

~~What~~Welche ~~are~~Vorteile ~~the~~haben ~~benefits for customers?~~Kunden?
~~What~~Was ~~does~~kostet ~~the~~das CyberRisk Rating byvon ~~KSV1870 cost?~~KSV1870?
~~Where~~Wo ~~can~~kann ~~the~~das CRR beverwendet ~~used?~~werden?
~~Why~~Warum doerhalte Iich ~~get~~eine aAnfrage ~~request~~für ~~for~~ein aCyberRisk ~~cyberrisk rating?~~Rating?
~~How~~Wie ~~does~~funktioniert ~~the~~der ~~cyberrisk~~CyberRisk ~~rating process work?~~Rating-Prozess?
IsGibt ~~there~~es aeine ~~time~~Frist, ~~limit~~bis byzu ~~which~~der eine Bewertung eingereicht werden muss?

Ist es möglich, dass mehr als eine Person an ~~assessment~~der ~~must~~Bewertung ~~be submitted?~~arbeitet?
IsMuss itdie ~~possible~~Bewertung ~~for~~auf ~~more~~einmal ~~than~~abgeschlossen ~~one person to work on the assessment?~~werden?
DoErhalte ~~you~~ich ~~have~~meine toAntworten, ~~complete~~einschließlich ~~the~~einer ~~assessment~~Bewertung ~~all at once?~~später?
~~Will~~Wer Ibekommt ~~receive~~sonst mynoch ~~answers~~die ~~including a valuation later?~~Antworten?
~~Who~~Müssen ~~else~~die ~~gets~~Antworten ~~the~~für ~~answers?~~jeden Kunden bereitgestellt werden?
DoWerden ~~the~~die ~~answers~~Antworten ~~have~~vorübergehend ~~to be provided for each client?~~gespeichert?
~~Are~~Wie ~~the~~wird ~~answers~~die ~~saved~~Vertraulichkeit ~~temporarily?~~

meiner

~~How~~eigenen isInformationen ~~the confidentiality of my own information guaranteed?~~gewährleistet?

WhatWelche areVorteile thehaben benefits for customers?Kunden?

~~Users~~Nutzer ~~of the~~des CyberRisk ~~Rating~~Ratings byvon KSV1870 ~~receive~~erhalten aeinen ~~standardised~~standardisierten ~~process~~Prozess tozur ~~rate~~Bewertung ~~all~~aller ~~service~~Dienstleister, ~~providers,~~Lieferanten ~~suppliers~~und ~~and~~anderer ~~other~~Dritter ~~third~~in ~~parties~~Bezug ~~concerning~~auf ~~their~~ihre ~~cyber~~Cyber-Sicherheit. ~~risk.~~Bewertete ~~Rated~~Unternehmen ~~companies~~erhalten ~~receive~~einen aneffizienten, ~~efficient,~~objektiven ~~objective~~Prozess, ~~process~~der ~~that~~nur ~~only~~einmal ~~needs~~im toJahr bedurchgeführt ~~carried~~werden ~~out~~muss, ~~once~~um aihr ~~year~~Cyber-Risiko toallen ~~disclose~~interessierten ~~their~~Kunden ~~cyber~~offenzulegen. ~~risk~~Durch toden ~~all~~veröffentlichten ~~interested~~Standard ~~customers. Through the published standard of the~~des "~~Kompetenzzentrum~~Kompetenzzentrums Sicheres Österreich" ~~rated~~können ~~companies~~bewertete ~~can~~Unternehmen ~~positively~~ihr ~~influence~~Cyber-Risikomanagement ~~their~~positiv ~~cyber~~beeinflussen. ~~risk~~Alle ~~management.~~Unternehmen ~~All~~erhalten ~~companies~~kostenlos ~~receive~~eine aRichtlinie, ~~guideline,~~um ~~free~~ihr ofeigenes ~~charge,~~Cyber-Risiko ingezielt ~~order~~und tostrukturiert bezu ~~able~~reduzieren. toDiese ~~reduce~~Richtlinie ~~their~~wird ~~own~~kontinuierlich ~~cyber~~von ~~risk~~Österreichs inanerkanntesten aExperten ~~targeted~~gepflegt ~~and~~und ~~structured~~an ~~manner.~~neue ~~This~~technische ~~guideline~~Anforderungen isangepasst. ~~continuously~~Die ~~maintained~~österreichische byWirtschaft ~~Austria's~~wird ~~most~~widerstandsfähiger, ~~recognised~~indem ~~experts~~das ~~and~~Cyber-Risiko ~~adapted~~ihrer toLieferketten ~~new~~reduziert ~~technical~~wird. ~~requirements.~~Dies ~~Austria's~~bildet ~~economy~~die ~~becomes~~Grundlage ~~more~~für ~~resilient~~die bynotwendige ~~reducing~~Digitalisierung, ~~the~~um ~~cyber~~unsere ~~risk~~internationale ofWettbewerbsfähigkeit ~~its~~zu ~~supply chains. This is the basis for the necessary digitalisation to maintain our international competitiveness.~~erhalten.

WhatWas doeskostet thedas CyberRisk Rating byvon KSV1870 cost?KSV1870?

~~Companies~~Unternehmen, ~~that~~die ~~are~~bewertet ~~rated~~werden, domüssen ~~not~~keine ~~have~~Kosten totragen. ~~bear~~Derzeit ~~any~~wird ~~costs. Currently, the~~das CyberRisk Rating isnur ~~only~~für ~~offered~~große ~~for~~Unternehmen ~~large~~und ~~companies~~kritische ~~and~~Infrastrukturen ~~critical~~angeboten. ~~infrastructure.~~Wenn IfSie ~~you~~an ~~are~~weiteren ~~interested~~Informationen ininteressiert ~~more~~sind, ~~information,~~beantworten wewir ~~will~~gerne beIhre ~~happy to answer your questions.~~Fragen.

WhereWo cankann thedas CRR beverwendet used?werden?

~~The~~Das CyberRisk Rating byvon KSV1870 isbasiert ~~based~~auf onden ~~the~~Anforderungen ~~requirements~~des ofCyber-Risiko-Schemas ~~the Cyber Risk Scheme of the~~des "~~Kompetenzzentrum~~Kompetenzzentrums Sicheres Österreich". ~~These~~Diese ~~requirements~~Anforderungen ~~were~~wurden ~~defined~~von byführenden ~~leading~~Cyber-Risiko-Managern ~~cyber~~österreichischer ~~risk~~Unternehmen ~~managers~~aus ofallen ~~Austrian~~Bereichen ~~companies~~der ~~from~~kritischen ~~all~~Infrastruktur ~~sectors~~sowie ofVertretern ~~critical~~des ~~infrastructure~~Bundesministeriums ~~and~~für ~~representatives~~Inneres ofdefiniert. ~~the Federal Ministry of Internal Affairs. The~~Das CyberRisk Rating ~~can~~kann ~~therefore be used~~daher in ~~every~~jeder ~~industry~~Branche ~~and~~und ~~economic~~jedem ~~sector~~Wirtschaftssektor verwendet werden, in ~~which~~denen aneine ~~assessment~~Bewertung ofdes ~~the~~Cyber-Risikos ~~cyber~~von ~~risk of companies~~Unternehmen - ~~especially~~insbesondere ~~suppliers~~von Lieferanten - iserforderlich ~~necessary.~~
Inist.

~~particular,~~

Vorwiegend ~~operators~~sind ofBetreiber ~~essential~~wesentlicher ~~services~~Dienste ~~are~~gemäß ~~legally obliged under Section~~§ 11 ~~(1)~~Abs. 1 (2) in ~~conjunction~~Verbindung ~~with~~mit ~~Annex~~Anhang 1 NISV togesetzlich ~~take~~verpflichtet, ~~appropriate~~angemessene ~~security~~Sicherheitsvorkehrungen ~~precautions~~im ~~with~~Umgang ~~regard~~mit toDienstleistern, ~~their~~Lieferanten ~~dealings~~und ~~with~~anderen ~~service~~Dritten ~~providers,~~zu ~~suppliers~~treffen. ~~and~~Das ~~other third parties. The present~~vorliegende CyberRisk Rating byvon KSV1870 ~~aims~~zielt atdarauf ~~fulfilling~~ab, ~~this~~diese ~~requirement~~Anforderung zu erfüllen (~~monitoring~~Überwachung ofvon ~~suppliers~~Lieferanten ofeiner anEnergiegruppe ~~energy~~oder ~~group~~eines ~~or an airport)~~Flughafens), ~~but~~ersetzt ~~does~~jedoch ~~not~~nicht ~~replace~~den ~~the~~notwendigen ~~necessary~~Nachweis ~~proof~~eines ofBetreibers anwesentlicher ~~operator~~Dienste ~~of essential services according to~~gemäß § 17 ~~para.~~Abs. 3 NISG (= ~~comprehensive~~umfassende ~~audit~~Prüfung ofeines Betreibers wesentlicher Dienste, wie z. B. einer Energiegruppe oder eines Flughafens selbst).

Warum erhalte ich eine Anfrage für ein CyberRisk Rating?

Cyber-Risiken wie IT-Sicherheit, Datenschutz und Geschäftskontinuität gewinnen aufgrund der Digitalisierung zunehmend an ~~operator~~Bedeutung. ofMit ~~essential~~dem ~~services,~~CyberRisk ~~such~~Rating asbietet anKSV1870 ~~energy~~einen ~~group~~transparenten, orzeitsparenden anProzess ~~airport~~zur ~~itself).~~Bewertung von Unternehmen in diesen Dimensionen an. Diese Bewertung ist oft aufgrund der DSGVO oder des NIS-Gesetzes erforderlich.

Als bewertetes Unternehmen tragen Sie keine Kosten und erhalten ein objektives Bild Ihres eigenen Cyber-Risikos.

WhyWie dofunktioniert Ider getCyberRisk a request for a cyberrisk rating?Rating-Prozess?

Die Bewertung besteht aus einer Beurteilung basierend auf 25 Anforderungen des öffentlich zugänglichen KSÖ Cyber ~~risks~~Risk ~~such~~Schema. asInformationen ITzum ~~security,~~KSÖ ~~data~~Cyber ~~protection~~Risk ~~and~~Schema ~~business~~finden ~~continuity~~Sie ~~are~~unter ~~becoming~~https://www.kuratorium-sicheres-oesterreich.at. ~~increasingly~~Nach ~~significant~~Abschluss ~~due~~der toBewertung ~~digitalisation.~~
~~With~~werden ~~the~~die ~~CyberRisk~~positiv ~~Rating,~~beantworteten ~~KSV1870~~Anforderungen ~~offers~~von aeinem ~~transparent,~~unabhängigen ~~time-saving~~Experten ~~process~~überprüft. toDieser ~~evaluate~~Experte ~~companies~~weiß innicht, ~~these~~welches ~~dimensions.~~
~~This~~Unternehmen ~~assessment~~bewertet ~~is often required due to the DSGVO or the NIS law.~~
~~As a rated company, you bear no costs and receive an objective picture of your own cyber risk.~~wird.

HowGibt doeses theeine cyberriskFrist, ratingbis processzu work?der eine Bewertung eingereicht werden muss?

~~The~~Ja, ~~rating~~nach ~~consists~~der ofEinladung anmüssen ~~assessment~~Sie ~~based~~die onBewertung 25innerhalb ~~requirements~~von of14 ~~the~~Tagen ~~publicly~~abschließen. ~~available~~Wenn ~~KSÖ~~Sie ~~Cyber~~mehr ~~Risk~~Zeit ~~Scheme.~~benötigen, ~~You~~um ~~can~~die ~~find~~Fragen ~~information~~zu onbeantworten, ~~the~~kontaktieren ~~KSÖ~~Sie ~~Cyber~~bitte ~~Risk~~das ~~Scheme~~CyberRisk-Service-Team atunter ~~https://www.kuratorium-sicheres-oesterreich.at.~~
~~After finishing the assessment, the positively answered requirements are verified by an independent expert. This expert does not know which company is being assessed.~~cr@nimbusec.com

IsIst therees amöglich, timedass limitmehr byals whicheine Person an assessmentder mustBewertung be submitted?arbeitet?

~~Yes,~~Jeder, ~~after~~der ~~the~~über ~~invitation,~~ein ~~you~~Benutzerkonto ~~have~~mit toBerechtigungen ~~complete~~für ~~the~~das ~~assessment~~CyberRisk-Portal ~~within~~unter 14dem ~~days.~~
IfFirmenkonto ~~you~~verfügt, ~~need~~kann ~~more~~die ~~time~~Bewertung todurchführen. ~~answer~~Allerdings ~~the~~gilt ~~questions,~~nur ~~please~~die ~~contact~~erste ~~the~~Person, ~~cyberrisk~~die ~~service~~mit ~~team~~dem byAusfüllen ~~cr@nimbusec.com~~.

der

Bewertung

Isbeginnt, itals possibleAnsprechpartner forfür moredie than one person to work on the assessment?

~~Anyone who has a user account with rights to the CyberRisk portal under the company account is able to complete the assessment.~~
~~However, only the first person to start filling out the assessment is considered the contact person for the assessment.~~Bewertung.

Do you have to complete the assessment all at once?

No. It is important to be prepared for the answers to the requirements, or to be able to consider them well.
This also facilitates and speeds up the verification process. The more precisely a fulfilled requirement is described, the fewer questions the assessor will have to ask.
The requirements and questions for the assessment are published by the Kuratorium Sicheres Österreich (KSÖ) and can be downloaded/viewed there: https://kuratorium-sicheres-oesterreich.at/wp-content/uploads/2020/09/CRR-Schema-Policy-2020.pdf

WillErhalte Iich receivemeine myAntworten, answerseinschließlich includingeiner aBewertung valuation later?später?

~~Yes.~~Ja. ~~After~~Nach ~~completing~~Abschluss ~~the~~der ~~assessment,~~Bewertung ~~you~~müssen ~~must~~Sie ~~download~~einen ~~and~~Report ~~keep~~herunterladen aund ~~package~~aufbewahren, ~~consisting~~das ofaus ~~the~~den ~~details~~Details ofder ~~the~~Bewertung ~~assessment.~~besteht. ~~The~~Der ~~package~~Report ~~will~~wird ~~contain~~folgende ~~the~~Informationen ~~following~~enthalten:

~~information:~~
-

CyberRisk Rating-Zertifikat + Signatur

Vollständige Details zur CyberRisk ~~Rating~~Rating-Bewertung, ~~Certificate~~einschließlich der Antworten des Prüfers + ~~Signature~~
-Signatur.

Details zur CyberRisk ~~Rating~~Rating-Bewertung ~~Assessment~~ohne ~~Details~~Antworten ~~complete,~~des ~~including examiner responses~~Prüfers + ~~signature.~~
-Signatur

~~CyberRisk Rating Assessment Details without assessor answers + signature~~

Who else gets the answers?

The rating itself can be purchased by all clients. Only the rating score is shown. However, the customer can request the details of the rating. Here you can decide individually whether the requested data is released or not.

Do the answers have to be provided for each client?

No. You only have to complete the assessment for the first enquiry of a customer and max. once a year.

Are the answers saved temporarily?

You can take the time you need to answer the assessment. Click on "Save and continue" to save the answer temporarily. You can then close the browser window or log out and continue at a later time.

How is the confidentiality of my own information guaranteed?

Confidentiality is ensured by the fact that Nimbusec never passes on your details to third parties. Within the rating process, all commissioned data processors are obliged to maintain confidentiality. In contrast to common questionnaires, Nimbusec clients only receive the CyberRisk rating without further details. In the event of an external audit or a request from our client, you decide whether you wish to pass on your details to the auditor or to our client. If yes, the CyberRisk Rating provides you with a standardised, machine-readable data package that can be processed efficiently. If not, you can refer to the validated CyberRisk Rating.