Delegated Security Controls Overview Ingrid Delegated security controls distinguish assets controlled by the company from assets controlled by the company’s customers.In the normal course of business and as a natural consequence of their business model, a company may delegate the control of the devices connected to their network to other parties, generally customers or the public. These companies may provide internet access or network resources-as-a-service, conduct internet scanning or threat research, or perform other business activities that place some aspects of cyber security beyond the companies’ control. See company types with delegated security controls.Findings in assets controlled by the company’s customers stop impacting the rating of the company. To better assess the security posture of companies with delegated security controls, we exclude findings in assets with delegated controls from the companies’ security ratings. The same enterprise Bitsight ratings algorithm with the same set of risk vectors are used. This means that if you monitor or do business with them, you can consider their Bitsight rating to be a better measurement of their external security performance as a result of this updated approach.Need to dispute a delegated security controls classification?Contact Bitsight Support or email the Bitsight Delegated Controls team.How Companies with Delegated Security Controls are IdentifiedTo identify companies with delegated security controls, we apply machine learning models with rule-based systems along with human curation. For those companies, we identify assets (domains and IPs) without delegated controls. All the other attributed assets are classified as having delegated controls. Our goal is to continuously increase the quality of the asset classification process to provide ratings that better reflect the security performance of entities with delegated controls.Can self-published companies qualify for delegated security controls?Self-published companies qualify for delegated security controls since their infrastructure is untouched as they are created by the companies themselves. Only already attributed IPs and domains are identified as having delegated security controls.All of an entity’s rating tree ancestors that are identified as having delegated controls are also classified as having delegated controls. This can include: The direct parent entity. The parent of the parent. All direct parents up to the top parent entity in the tree. This is a direct consequence of the Bitsight infrastructure attribution process in the sense that all infrastructure attributed to a specific entity is also attributed to the tree ancestors of the entity.Company Types with Delegated Security ControlsTypes of businesses that can be considered to have delegated security controls: Internet Service Providers Companies that provide internet access to a significant number of residential or business customers. Internet Research Companies involved in internet scanning and indexing, malware research, threat research, or similar activities that look like those of malicious attackers. Network Services Data centers, server colocation, infrastructure as a service (IaaS), server virtualization, virtual private network (VPN), or traffic proxying services. Platform-as-a-Service (PaaS) Companies that have control from the OS on down. They allow their customers to install their own applications and content within a tightly controlled environment. How Companies with Delegated Security Controls are PresentedCompanies with delegated security controls are identifiable in the applications by a shield icon and label. Identify them in the following pages: Company Overview & Security Rating Timeline Navigation Options SPM App: Dashboards ➔ Company Details CM App: Vendor Risk ➔ Overview Insurance App: Client Risk ➔ Overview The Ratings Tree. The Attribution and Assets pages include the Has Delegated Controls field. The Findings page indicated by the Impacts Risk Vector Grade field that is set to No: Delegated Control. Navigation Options SPM App: Risks ➔ Findings CM App: Vendor Risk ➔ Findings Insurance App: Client Risk ➔ Findings ResourcesBitsight Blog, “Bitsight Delivers Enhanced Analytics on IT Infrastructure Service Providers” November 21, 2023: Published. Related articles Finding Behavior How is the Web Application Headers Risk Vector Assessed? Security Incidents Risk Vector TLS/SSL Finding Remediation & Remediation Verification Attack Surface: Infrastructure Feedback 0 comments Please sign in to leave a comment.