IAPP Webinar Extended Q&A
For those of you who joined SecurityScorecard and our customer Allstate at the IAPP Webinar on Assuring Data Privacy and Security Compliance, we greatly appreciate the lively audience! We were happy to share some of our experiences in the information security space and even happier to hear the unique insights from Derek Morford and Adriana Novielli at Allstate.
With over 400 registrants, we did not have time to get through all the audience questions during the Q&A session, so we thought we’d take time to answer a few more of those questions in this post.
Does the use of something like SecurityScorecard constitute reasonable diligence in monitoring suppliers appropriately for security over time?
Yes. SecurityScorecard takes a continuous monitoring approach: every company in the platform is monitored on an ongoing basis rather than assessed at a single point in time. Scoring data is stored historically, so users can go back and review how a vendor's posture has changed over time. Customers actively use this history as evidence of due care for third-party risk management and for compliance purposes.
What is the minimum number of people needed to implement a vendor program?
It really depends on the demands of the business, the volume of vendors that require due diligence, and so on.
Do you categorize your vendors by risk only, or some other manner, say, industry, service, etc.?
There are several ways to categorize and bucket your vendors, and each company does it slightly differently based on its specific needs. One example is bucketing by level of criticality, but we also see customers bucketing into other types of groups, such as by department, by business function, by use case, or all of the above. Put simply, how you categorize vendors depends heavily on the needs of the business.
How does Security Scorecard get the information needed to determine a grade?
The majority (about 80 percent) of the data used in scoring is collected by ThreatMarket, our proprietary data collection engine. ThreatMarket collects data in the following ways:
- Scans the entire IPv4 space regularly,
- Operates a battery of sinkholes to track malware infections on client systems on a daily basis,
- Performs a variety of additional non-intrusive collection activities to identify weaknesses in an entity's cybersecurity posture, such as open ports exposing services that should not be reachable from the internet, weak TLS protocol versions and ciphers, and out-of-date software with critical vulnerabilities.
In addition, SecurityScorecard supplements its ThreatMarket data with data from public sources and from some third-party commercial sources.
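To make the third bullet concrete, the following is an added example (not SecurityScorecard's code and not a description of how ThreatMarket actually works) of how a set of non-intrusive scan observations can be turned into posture findings. The scan records, the list of services treated as "should not be exposed", the deprecated-protocol and weak-cipher rules, and the minimum-version table are all constructed for illustration; a real engine would draw the version floors from a vulnerability feed rather than a hard-coded dictionary.

```python
import re
from dataclasses import dataclass

# Constructed sample scan records (illustrative only, not real scan data).
# Each record is what a non-intrusive banner/TLS probe of one host:port might yield.
SAMPLE_RECORDS = [
    {"host": "203.0.113.10", "port": 443, "service": "https",
     "tls_versions": ["TLSv1.2", "TLSv1.3"],
     "ciphers": ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256"],
     "software": "nginx/1.24.0"},
    {"host": "203.0.113.11", "port": 23, "service": "telnet",
     "tls_versions": [], "ciphers": [], "software": ""},
    {"host": "203.0.113.12", "port": 443, "service": "https",
     "tls_versions": ["SSLv3", "TLSv1.0", "TLSv1.2"],
     "ciphers": ["RC4-SHA", "DES-CBC3-SHA", "ECDHE-RSA-AES128-GCM-SHA256"],
     "software": "Apache/2.4.49"},
    {"host": "203.0.113.13", "port": 3389, "service": "rdp",
     "tls_versions": ["TLSv1.2"], "ciphers": ["ECDHE-RSA-AES256-GCM-SHA384"],
     "software": ""},
]

# Hypothetical policy: services that generally should not face the internet.
EXPOSED_ADMIN_PORTS = {21: "ftp", 23: "telnet", 445: "smb", 1433: "mssql",
                       3306: "mysql", 3389: "rdp", 5900: "vnc", 6379: "redis"}
# Protocol versions that are deprecated and should be flagged wherever offered.
DEPRECATED_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
# Substrings (upper-cased) that mark a cipher suite as weak.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ANON")
# Hypothetical minimum acceptable versions; a real engine would use a vulnerability feed.
MIN_VERSION = {"nginx": (1, 24, 0), "apache": (2, 4, 51), "openssh": (8, 0)}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    category: str
    detail: str


def parse_software(banner):
    """'Apache/2.4.49' -> ('apache', (2, 4, 49)); None when the banner is unparseable."""
    m = re.match(r"^([A-Za-z][\w-]*)[/_ ]v?(\d+(?:\.\d+)*)", banner or "")
    if not m:
        return None
    return m.group(1).lower(), tuple(int(x) for x in m.group(2).split("."))


def assess_record(rec):
    """Apply the exposure, protocol, cipher and version rules to one scan record."""
    findings = []
    host, port = rec["host"], rec["port"]
    if port in EXPOSED_ADMIN_PORTS:
        findings.append(Finding(host, port, "exposed_service",
                                f"{EXPOSED_ADMIN_PORTS[port]} reachable from the internet"))
    for version in rec.get("tls_versions", []):
        if version in DEPRECATED_TLS:
            findings.append(Finding(host, port, "deprecated_protocol", version))
    for cipher in rec.get("ciphers", []):
        if any(marker in cipher.upper() for marker in WEAK_CIPHER_MARKERS):
            findings.append(Finding(host, port, "weak_cipher", cipher))
    parsed = parse_software(rec.get("software"))
    if parsed:
        product, version = parsed
        floor = MIN_VERSION.get(product)
        if floor and version < floor:
            findings.append(Finding(host, port, "outdated_software",
                                    f"{rec['software']} below {'.'.join(map(str, floor))}"))
    return findings


def assess(records):
    """Run every record through the rules and return the flat list of findings."""
    return [f for rec in records for f in assess_record(rec)]


def summarize(findings):
    """Count findings per category: the shape a posture score would be built from."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    results = assess(SAMPLE_RECORDS)
    for f in results:
        print(f"{f.host}:{f.port} {f.category}: {f.detail}")
    print(summarize(results))
```

Everything here is derived from what an external observer can see without authenticating or sending anything beyond an ordinary connection attempt, which is what "non-intrusive" means in practice; the same records, stored with a timestamp, are what lets a program show how a vendor's exposure has changed between two assessment dates.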
Where will the presentation be shared?
If you missed our IAPP Webinar on Assuring Data Privacy and Security Compliance, click here to view the recording.