To more accurately assess the security posture of companies with delegated security controls, we now exclude findings in assets with delegated controls from the companies’ security ratings. These changes will also be applied to historical ratings.
This updated approach replaces and extends the Enhanced Ratings for Cloud Service Providers, which became available in 2022.
- Company Types with Delegated Security Controls
- How Companies with Delegated Security Controls are Identified
- Findings Impact
- How Companies with Delegated Security Controls are Presented
Findings Impact
- Findings in assets that are owned by the organization but are partially or fully controlled by its customers are excluded from the organization’s Bitsight rating.
These assets, as well as the corresponding findings excluded from the risk vector grades, remain visible in the Bitsight applications.
- Findings in assets identified as not having delegated controls (i.e., assets for which the company has full responsibility for security controls) continue to impact the corresponding risk vector grade.
Previewing Entities with Delegated Controls
Starting in December 2023, the change is being rolled out in phases, with a new group of companies every two to three weeks. This rollout will continue until the change has been applied to all identified companies in the Bitsight inventory.
You can see the current preview group and all companies previously classified as having delegated security controls in the Security Performance Management, Continuous Monitoring, and Insurance applications. Each group can be previewed for approximately two weeks before the change is released.
Frequently Asked Questions
- What happens to the rating of a company identified as having delegated security controls?
- What if I don’t agree with the delegated security controls classification?
- Can self-published entities qualify for delegated security controls?
- Is Bitsight updating the algorithm as part of this initiative?
- What happens to entities with Enhanced Ratings?
What happens to the rating of a company identified as having delegated security controls?
Some findings no longer impact the rating. See Findings Impact for details.
What if I don’t agree with the delegated security controls classification?
Can self-published entities qualify for delegated security controls?
Yes. Because a self-published entity is created by the company itself, its infrastructure is left untouched; only IPs and domains that are already attributed to it are identified as having delegated security controls.
Is Bitsight updating the algorithm as part of this initiative?
No. Delegated security controls are not part of a Ratings Algorithm Update. See Findings Impact for details.
What happens to entities with Enhanced Ratings?
Cloud Service Providers with Enhanced Ratings are removed from the Bitsight inventory. Subscriptions to those entities are automatically moved to the parent entity, which is now identified as having assets with delegated controls.