Security Scorecard

The SecurityScorecard is a platform that enables the evaluation of an organization's level of security on the Internet. It is provided as SaaS and offers continuous, non-invasive monitoring of the company.

Our story

After completing an audit of a company working in fintech, we uncovered irregularities and the associated security risks on the part of suppliers who did not have the necessary level of security management, process maturity and technological security in the areas associated with delivering services to our client.

These suppliers were regularly audited, held valid certification to a recognized security standard and passed the client's basic compliance checklist. Even so, the risk of our client's data being compromised or leaked was high. The measures designed on the supplier side and, at the same time, on our client's side had to address one question: how to effectively identify the suppliers posing the greatest risk without investing in regular audits of every supplier.

We designed a process for the client that assessed suppliers for potential security threats and their impact on business processes. We modified the requirements and definitions in contracts so that contractors take on greater responsibility for cybersecurity. We designed process and technical measures to manage the lifecycle of access to the company's infrastructure. Last but not least, we recommended monitoring the security hygiene of the contractors' infrastructure using the SecurityScorecard tool.

The SecurityScorecard provides a clear list of security risks on the part of the monitored company's suppliers and automatically classifies this list according to the severity detected. Because potential risks are continuously monitored and classified, the client can assess how each supplier takes care of security in its own infrastructure: systems and their configuration, the level of certification and encryption, patching, etc.

Thanks to the SecurityScorecard service, we improved the client's supplier assessment system. Its outputs are now used in the supplier assessment step of the client's purchasing process and serve as one of the inputs to the supplier risk management process. An interesting side effect is that clients can use the same information to monitor the security level of their own subsidiaries.

Description of the solution

One of the tool's outputs is a security rating: an evaluation of a company's security level within its industry, with grades ranging from A (best) to F (worst). The rating is calculated on a logarithmic scale, which makes it easier to compare large companies with an extensive infrastructure against smaller ones that have, for example, only one domain.

The overall rating combines rating algorithms for ten factors: network security, DNS health, patching cadence, endpoint security, IP reputation, application security, cubit score, hacker chatter, information leak and social engineering. An inventory is created of the shortcomings found in each of the ten areas, divided into categories (high, medium, low and informational severity, plus positive signals). Each shortcoming is described and a possible remediation is proposed.

The security rating is updated once a day, and its history and changes over time can be tracked, so it is possible to see whether a company's status is improving or deteriorating and how it responds to new vulnerabilities, standards and recommendations for service configuration (such as encryption algorithms). The chart shows the company's level, the average for its industry and the overall range of values in that industry. The history also serves as an event log listing each new or resolved finding.

Apart from monitoring a company's own security level, the SecurityScorecard can also be used to manage supplier risk, as it allows the ratings of other companies to be viewed in the same way. The platform likewise offers the possibility of inviting a vendor, who then gets free access to the rating of their own company. A final detailed report is created for each company and includes the following information:
  1. An overview of all factors assessed with the number of shortcomings found. 
  2. A graph of the rating over the past 30 days. 
  3. A summary of the most critical findings. 
  4. An evaluation of all factor categories that includes a final score, a list of all areas monitored, and the number of findings for each. 
The SecurityScorecard can be integrated into a GRC tool, covering both the company's own data and data on its vendors. The GRC tool then synchronizes the data obtained from questionnaires with the vendors' ratings, vulnerabilities and other SecurityScorecard data.

The SecurityScorecard can also map the identified vulnerabilities to the categories or sections of security standards and legislation, specifically:
  • GDPR,
  • HIPAA,
  • ISO/IEC 27001:2005,
  • NIST 800-171,
  • NIST Cybersecurity Framework Version 1.1,
  • PCI DSS Version 3.1,
  • SIG and SIG Lite,
  • TISAX.

How is it implemented?

Implementing the solution is very simple. Since SecurityScorecard continuously collects data on a large number of companies, all that is needed is access credentials for the platform; the company can then display its own rating, the ratings of its vendors or, if need be, the ratings of other companies (partners, etc.). The cost of the solution depends on the number of suppliers monitored (access to your own company's rating is always free).

Data is acquired in the following steps:
  1. Ascertaining the assets: the company's publicly available digital assets.
  2. Scanning the assets, both actively and passively; the results are stored in the ThreatMarket database, allowing both the current and the past status to be analysed.
  3. Measuring cybersecurity: a wide range of scanning and monitoring methods are applied consistently.
  4. Asset attribution: assets are assigned to and grouped by the company that owns them.
  5. Rating: on the platform, with comparison against companies in the same industry, or via integration into a GRC platform.

Advantages

  • We are a well-established Czech security company that has been successfully operating on the market for over 30 years.
  • We listen to our clients and tailor our services to their needs and time demands.
  • Our team is made up of specialists with extensive experience in development and ethical hacking. 
  • We closely follow modern trends in development, security and technology. 
  • When analysing source code, we place an emphasis on manual reviews, which uncover more bugs than standard automated solutions.
  • We make it possible to carry out comprehensive security audits by combining several security disciplines.
  • We have built our services on many years of experience and time-tested standards.

References

We are more than happy to share our experience from projects for major organizations, just ask.