Companies that, in the normal course of business, delegate control of some aspects of security for some of their IT assets to their customers or to the public can be classified as companies with delegated security controls. These companies may provide internet access or network resources as a service, conduct internet scanning or threat research, or perform other business activities that place some aspects of cyber security beyond the company’s control.
To more accurately assess the security posture of companies with delegated security controls, we exclude findings in assets with delegated controls from the companies’ security ratings. The same enterprise Bitsight ratings algorithm with the same set of risk vectors is used. This means that if you monitor or do business with such a company, you can consider its Bitsight rating to be a better measurement of its external security performance as a result of this updated approach.
- Company Types with Delegated Security Controls
- How Companies with Delegated Security Controls are Identified
- Findings Impact
- How Companies with Delegated Security Controls are Presented
Company Types with Delegated Security Controls
The following types of companies may have delegated security controls:
- Internet Service Providers: Companies that provide internet access to a significant number of residential or business customers.
- Internet Research: Companies involved in internet scanning and indexing, malware research, threat research, or similar activities that look like those of malicious attackers.
- Network Services: Data centers, server colocation, infrastructure as a service (IaaS), server virtualization, virtual private network (VPN), or traffic proxying services.
- Platform-as-a-Service (PaaS): Companies that have control from the OS on down. They allow their customers to install their own applications and content within a tightly controlled environment.
How Companies with Delegated Security Controls are Identified
To identify companies with delegated controls, we apply machine learning models combined with rule-based systems and human curation. For those companies, we identify the assets (domains and IPs) without delegated controls; all other attributed assets are classified as having delegated controls. Our goal is to continuously improve the quality of the asset classification process so that ratings more accurately reflect the security performance of entities with delegated controls.
All rating tree ancestors of an entity that is identified as having delegated controls are also classified as having delegated controls. This can include:
- The direct parent entity.
- The parent of the parent.
- All direct parents up to the top parent entity in the tree.
This is a direct consequence of the Bitsight infrastructure attribution process in the sense that all infrastructure attributed to a specific entity is also attributed to the tree ancestors of the entity.
Findings Impact
Depending on the delegated control types of the company, findings in assets with delegated controls may still impact the risk vector grade.
- Findings that are excluded from the risk vector grade of an entity due to delegated controls are also excluded from the parent entity’s risk vector grade.
- Findings in assets without delegated controls continue to impact the risk vector grade.
- Ratings do not necessarily improve, because both positively and negatively contributing findings are excluded.
The following table outlines, for each delegated control type, the risk vectors that are still impacted by findings in assets with delegated controls:
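To make the attribution and exclusion rules above concrete, here is an added illustrative model; it is not Bitsight's code or algorithm, and the entity names, asset identifiers, risk vector labels and the `still_impacted` set are constructed placeholders standing in for the real per-type mapping in the table.

```python
from __future__ import annotations
from dataclasses import dataclass, field
# Illustrative model, constructed for this example and not Bitsight's code; the
# entity names, assets, findings and risk vector labels are all made up.

@dataclass(eq=False)
class Entity:
    name: str
    parent: Entity | None = None
    assets: dict[str, bool] = field(default_factory=dict)  # True = delegated controls
    # Risk vectors that findings in delegated assets still impact for this company
    # type; the page's table holds the real mapping, this is only a placeholder.
    still_impacted: frozenset[str] = frozenset()

def lineage(entity: Entity | None):  # entity, direct parent, parent's parent, ... top
    while entity is not None:
        yield entity
        entity = entity.parent

def attributed_assets(entity: Entity, all_entities: list[Entity]) -> dict[str, Entity]:
    """Assets attributed to `entity`, mapped to their direct owner. Infrastructure is
    also attributed to every tree ancestor, so descendants' assets are included."""
    owners: dict[str, Entity] = {}
    for e in all_entities:
        if any(a is entity for a in lineage(e)):
            owners.update({asset: e for asset in e.assets})
    return owners

def has_delegated_controls(entity: Entity, all_entities: list[Entity]) -> bool:
    return any(o.assets[a] for a, o in attributed_assets(entity, all_entities).items())

def counted_findings(entity: Entity, all_entities: list[Entity], findings: list[dict]) -> list[dict]:
    """Findings that still impact the entity's grades: a finding (positive or negative)
    in a delegated asset is dropped unless the owner's type keeps that risk vector,
    and a finding dropped at the owner stays dropped for every ancestor."""
    owners = attributed_assets(entity, all_entities)
    return [f for f in findings if f["asset"] in owners and
            (not owners[f["asset"]].assets[f["asset"]]
             or f["risk_vector"] in owners[f["asset"]].still_impacted)]

def build_sample():  # constructed two-level rating tree: holding company + ISP subsidiary
    holding = Entity("Holding Co")
    isp = Entity("ISP Sub", parent=holding, still_impacted=frozenset({"VECTOR_B"}),
                 assets={"203.0.113.10": True, "corp.isp.example": False})
    findings = [{"asset": "203.0.113.10", "risk_vector": "VECTOR_A", "score": -5},
                {"asset": "203.0.113.10", "risk_vector": "VECTOR_B", "score": -3},
                {"asset": "corp.isp.example", "risk_vector": "VECTOR_A", "score": 2}]
    return holding, isp, [holding, isp], findings
```

Running `counted_findings` for both the subsidiary and the holding company returns the same two findings: the negative VECTOR_A finding on the delegated IP is dropped at the owner and therefore also at the parent, while the finding on the non-delegated domain keeps counting.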
| Delegated Control Type | Risk Vectors Impacted by Findings in Assets with Delegated Controls |
| --- | --- |
| Internet Service Provider |