SecurityScorecard on the Principles for Fair & Accurate Security Ratings: A Focus on Transparency
We recently worked with the US Chamber of Commerce and other security ratings organizations to release the Principles for Fair and Accurate Security Ratings.
As the Chamber of Commerce states, these principles were developed with the following goals in mind:
- Promote quality and accuracy in the production of security ratings
- Promote fairness in reporting
- Include a coordinated process for adjudicating errors or inaccuracies in reported content
- Establish guidelines for appropriate use and disclosure of the scores and ratings
We stand behind every word of these principles, and to prove it, we’re showing you exactly how we deliver on every word. This week’s focus is the principle of transparency.
“Transparency. Rating companies shall provide sufficient transparency into the methodologies and types of data used to determine their ratings, including information on data origination as requested and when feasible, for customers and rated organizations to understand how ratings are derived. Any rated organization shall be allowed access to their individual rating and the data that impacts a change in their rating.”
How SecurityScorecard Executes the Principle
“Transparency into the methodologies”
“Transparency into the types of data used to determine ratings”
SecurityScorecard collects various types of data on cybersecurity risk. The majority (about 80 percent) of the data used in scoring is collected by ThreatMarket, our proprietary data collection engine. ThreatMarket collects data in the following ways:
- Scans the entire IPv4 space regularly,
- Operates a battery of sinkholes to track malware infections on client systems on a daily basis,
- Performs a variety of additional collection activities on a non-intrusive basis to identify weaknesses in an entity’s cybersecurity posture, such as open ports exposing services that should not be exposed, weak ciphers, out-of-date software with critical vulnerabilities, etc.
In addition, SecurityScorecard supplements its ThreatMarket data with additional data from public sources and from some third-party commercial sources.
“Information on data origination”
Our proprietary fingerprint engine maps the full range of any corporation's public IP address infrastructure that is not behind a firewall. Our proprietary matching engine takes all the risk signals and sensor data we collect and matches them to a digital fingerprint to complete attribution. Reference our above listed patents for more detailed information.
“Access to Individual Rating and Data that impacts Rating Change”
SecurityScorecard provides free access to scores here. Additionally, vendors of existing SecurityScorecard customers can be invited to the platform. Read more about our collaborative vendor invite function here.
Check back into our blog to learn about how we deliver on the other five principles or read more about the principles in general.