Delegated security controls distinguish assets controlled by the company from assets controlled by the company’s customers.
What challenge are we tackling and what is our solution?
In the normal course of business and as a natural consequence of their business model, a company may delegate the control of the devices connected to their network to other parties, generally customers or the public. These companies may provide internet access or network resources-as-a-service, conduct internet scanning or threat research, or perform other business activities that place some aspects of cyber security beyond the companies’ control. See company types with delegated security controls.
Findings in assets controlled by the company’s customers no longer impact the rating of the company. To better assess the security posture of companies with delegated security controls, we exclude findings in assets with delegated controls from the companies’ security ratings. The same enterprise Bitsight ratings algorithm, with the same set of risk vectors, is used. This means that if you monitor or do business with such a company, you can consider its Bitsight rating to be a better measurement of its external security performance as a result of this updated approach.
- Company Types with Delegated Security Controls
- How Companies with Delegated Security Controls are Identified
- Findings Impact of Delegated Security Controls
- How Companies with Delegated Security Controls are Presented
What if I don’t agree with the delegated security controls classification?
To learn more or to dispute a delegated security controls classification, contact Bitsight Support or email the Bitsight Delegated Controls team.
Company Types with Delegated Security Controls
Which companies are included and excluded from this approach?
These are the types of businesses that can be considered to have delegated security controls:
- Internet Service Providers: Companies that provide internet access to a significant number of residential or business customers.
- Internet Research: Companies involved in internet scanning and indexing, malware research, threat research, or similar activities whose traffic resembles that of malicious attackers.
- Network Services: Data centers, server colocation, infrastructure as a service (IaaS), server virtualization, virtual private network (VPN), or traffic proxying services.
- Platform-as-a-Service (PaaS): Companies that control the stack from the OS on down. They allow their customers to install their own applications and content within a tightly controlled environment.
Resources
- Bitsight Blog, “Bitsight Delivers Enhanced Analytics on IT Infrastructure Service Providers”