# Cyber Health
source: https://developer.mastercard.com/onboard-risk-check/documentation/data-providers/cyberhealth/index.md

Cyber Health provides **Cyber Risk Ratings** of a merchant's online environment. The diagram outlines the five-step process by which cyber-security and cyber performance are evaluated, with each step represented by an icon and connected sequentially by arrows:

* Discover Systems -- Identifies and catalogs the merchant's systems.
* Assess Cyber Security -- Evaluates the current cyber-security measures.
* Assess Value at Risk -- Determines the financial impact of potential cyber threats.
* Produce Risk Assessment -- Generates a formal risk assessment report.
* Rate Cyber Performance -- Scores or rates the merchant's cyber performance.

![](https://static.developer.mastercard.com/content/onboard-risk-check/uploads/how-it-works-ma.png)

* The overall **Cyber Risk score** is determined by evaluating over 40 criteria across **9 security domains**. The impact of all identified vulnerabilities is analyzed to produce the cyber risk rating, which enables a non-intrusive assessment of cyber risk for the merchants you wish to onboard. The API provides the ratings on both a numerical and an alphabetical scale. Cyber-security risk performance is rated on a scale of 0.0 -- 10, with 10 being the best rating. The A -- F grading scale is overlaid on the numeric ratings and separates performance into the five bands shown below.

| **Grade** | **Rating range** |
|-----------|------------------|
| A         | 8.5 -- 10        |
| B         | 7.0 -- 8.4       |
| C         | 5.5 -- 6.9       |
| D         | 4.0 -- 5.4       |
| F         | 0.0 -- 3.9       |

* **Malicious Code Detected** checks for malicious code added by unwanted actors. This will be provided as 'True' or 'False'.

* **Security Domain Ratings**: A portfolio level view of performance across 9 security domains assessed. This enables rapid visibility into portfolio level performance by security domain, enabling identification of portfolio strengths and weaknesses. The Security Domain ratings will follow the same grade and rating range explained above.

  * **Software Patching**: The Software Patching domain enumerates systems that are running end-of-life, unsupported or vulnerable software.

  * **Application Security**: The Application Security domain assesses each web application for essential, observable application security practices that are leading indicators of the quality of the application security program.

  * **Web Encryption**: The Web Encryption domain analyzes the effectiveness of encryption implementations, determining if they are properly configured to prevent errors, use secure protocols and apply minimum key lengths necessary to ensure communication privacy.

  * **Network Filtering**: The Network Filtering domain analyzes the company networks and systems for the presence of unsafe network services and Internet of Things (IoT) devices. Proper control of the services exposed to the Internet is a basic security practice, as unsafe network services and IoT devices are a common vector for compromising systems and networks. Enterprises should limit the systems and services exposed to the Internet to those that are safe and necessary.

  * **Breach Events**: The Breach Events domain summarizes the data loss events the organization has experienced. Recent data loss events indicate gaps in the data loss protection program. Organizations with data loss events occurring consistently over time very likely have ineffective data loss prevention programs and material gaps in their information security program.

  * **System Reputation**: The System Reputation domain enumerates company-owned systems that appear in reputable threat intelligence sources, which alert on systems that appear to be compromised or are exhibiting malicious behavior.

  * **Email Security**: The Email Security domain assesses the use of authentication and encryption controls necessary to ensure that email messages are not spoofed and that communications are private.

  * **DNS Security**: The DNS Security domain assesses the use of controls to prevent unauthorized modification of domain records resulting in domain hijacking. This domain also enumerates the DNS hosting providers to determine the level of fragmentation.

  * **System Hosting**: The System Hosting domain analyzes the organization's hosting practices, enumerating the hosting providers and the countries in which systems are hosted. It is essential to ensure that systems are hosted in reputable countries and that the host country's data privacy laws are obeyed.
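A consumer of these ratings will usually want to check that a returned record is internally consistent: every numeric rating (overall and per domain) must fall inside one of the five documented bands and agree with the letter grade supplied alongside it, and the Malicious Code Detected field must be exactly 'True' or 'False'. The validator below is an added example, not Mastercard's code; the record layout and key names (`overall`, `domains`, `rating`, `grade`, `malicious_code_detected`) are assumptions, since the page does not show the API response format.

```python
from typing import Dict, List, Optional

# Grade bands exactly as documented (inclusive bounds, one decimal place).
GRADE_BANDS = [("A", 8.5, 10.0), ("B", 7.0, 8.4), ("C", 5.5, 6.9),
               ("D", 4.0, 5.4), ("F", 0.0, 3.9)]
# The nine security domains named on the page.
DOMAINS = ["Software Patching", "Application Security", "Web Encryption",
           "Network Filtering", "Breach Events", "System Reputation",
           "Email Security", "DNS Security", "System Hosting"]

def grade_for(rating: float) -> Optional[str]:
    """Letter grade for a numeric rating, or None when it falls in no band
    (outside 0.0-10, or between bands such as 8.45)."""
    for grade, low, high in GRADE_BANDS:
        if low <= rating <= high:
            return grade
    return None

def validate_cyber_health(result: Dict) -> List[str]:
    """Return the inconsistencies found in one Cyber Health record (empty list
    means consistent). The keys used here are assumed, not from the API spec."""
    problems: List[str] = []
    entries = [("overall", result.get("overall"))]
    entries += [(d, result.get("domains", {}).get(d)) for d in DOMAINS]
    for name, entry in entries:
        if entry is None:
            problems.append(f"{name}: rating missing")
            continue
        rating = float(entry["rating"])
        expected = grade_for(rating)
        if expected is None:
            problems.append(f"{name}: rating {rating} is in no documented band")
        elif entry.get("grade") != expected:
            problems.append(f"{name}: grade {entry.get('grade')!r} does not "
                            f"match rating {rating} (expected {expected})")
    # Malicious Code Detected is documented as the literal strings 'True'/'False'.
    if result.get("malicious_code_detected") not in ("True", "False"):
        problems.append("malicious_code_detected: expected 'True' or 'False'")
    return problems

# Constructed sample record (not real API output) with two deliberate faults:
# a lower-case boolean and a Web Encryption grade that disagrees with its rating.
SAMPLE = {
    "overall": {"rating": 7.9, "grade": "B"},
    "malicious_code_detected": "false",
    "domains": {d: {"rating": 9.1, "grade": "A"} for d in DOMAINS},
}
SAMPLE["domains"]["Web Encryption"] = {"rating": 8.4, "grade": "A"}
```

Running `validate_cyber_health(SAMPLE)` reports exactly the two planted faults; a rating such as 8.45, which sits between the B and A bands, is flagged rather than silently rounded.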

