Description of the solution
One of the tool’s outputs is a security rating: an evaluation of a company’s security level within its industry, with grades ranging from A (best) to F (worst). The rating is calculated on a logarithmic scale, which makes it easier to compare large companies with an extensive infrastructure against smaller ones that have, for example, only one domain.
The overall rating combines the rating algorithms of ten factors: network security, DNS health, patching cadence, endpoint security, IP reputation, application security, cubit score, hacker chatter, information leak and social engineering. An inventory is created of the shortcomings found in each of the ten areas and is then divided into categories (high, medium, low and informational severity, plus positive signals). Each shortcoming is described, and a possible remediation measure is put forward.
The security rating is updated once a day, and its history and changes over time can be tracked, so it is possible to see whether a company’s status is getting better or worse, and how it responds to new vulnerabilities, standards and recommendations for service configuration (such as encryption algorithms). The chart shows the company’s level, the average for the given industry and the overall range of values in the industry. The history also serves as an event log that lists each new or resolved finding.
Apart from monitoring its own security level, a company can also use SecurityScorecard to manage supplier risk, as it allows the ratings of other companies to be viewed in the same way. The platform likewise offers the possibility of inviting a vendor, who then gets free access to the rating of their own company. A final detailed report is created for each company and includes the following information:
- An overview of all factors assessed with the number of shortcomings found.
- A graph of the rating over the past 30 days.
- A summary of the most critical findings.
- An evaluation of all factor categories that includes a final score, a list of all areas monitored, and the number of findings for each.
SecurityScorecard can be integrated into the GRC tool, covering both the company’s own data and the data of its vendors. The GRC tool then synchronizes the data obtained from the questionnaires with the vendors’ ratings, the vulnerabilities and the SecurityScorecard data.
SecurityScorecard can also map the identified vulnerabilities to categories or sections of security standards and legislation, specifically:
- GDPR,
- HIPAA,
- ISO/IEC 27001:2005,
- NIST 800-171,
- NIST Cybersecurity Framework Version 1.1,
- PCI DSS Version 3.1,
- SIG and SIG Lite,
- TISAX.
How is it implemented?
The solution’s implementation is very simple. Since SecurityScorecard continuously collects data on a large number of companies, all that is necessary is to obtain access credentials for the platform; the company can then display its own ratings, those of its vendors or, if need be, the ratings of other companies (partners, etc.). The cost of the solution depends on the number of suppliers monitored (access to your own company’s rating is always free).
Data is acquired in the following steps:
- Ascertaining the assets - the company’s publicly available digital assets are identified.
- Scanning of the assets - both active and passive scan results are stored in the Threat Market database, allowing the current and past status to be analysed.
- Measuring cybersecurity - a wide range of scanning and monitoring methods is applied consistently to the assets.
- Asset attribution - assets are assigned to, and grouped by, the company that owns them.
- Rating - the rating is presented on the platform, compared with companies in the same industry, or integrated into a GRC platform.