To better assess the security posture of companies with delegated security controls, we now exclude findings in assets with delegated controls from the companies’ security ratings. These changes will also be applied to historical ratings.
This updated approach replaces and extends the Enhanced Ratings for Cloud Service Providers which became available in 2022.
- Company Types with Delegated Security Controls
- How Companies with Delegated Security Controls are Identified
- Findings Impact
- How Companies with Delegated Security Controls are Presented
Changes
- Findings in assets that are owned by the organization but are partially or fully controlled by their customers are excluded from the organization’s Bitsight rating. These assets, as well as the corresponding findings excluded from the risk vector grades, are still visible in the Bitsight applications.
- Findings in assets identified as not having delegated controls (i.e., assets for which the company has full responsibility over security controls) will keep impacting the corresponding risk vector grade.
Previewing Entities with Delegated Controls
Starting in December 2023, the change is being rolled out in phases, with a new group of companies released every two to three weeks. This rollout will continue until the change has been applied to all identified companies in the Bitsight inventory.
You can see the current preview group and all companies previously classified as having delegated security controls in the Security Performance Management, Continuous Monitoring, and Insurance applications. Each group can be previewed for approximately two weeks before the change is released.
Frequently Asked Questions
- What happens to the rating of a company identified as having delegated security controls?
- What if I don’t agree with the delegated security controls classification?
- Can self-published entities qualify for delegated security controls?
- Is Bitsight updating the algorithm as part of this initiative?
- Will all companies Bitsight classifies as “Service Providers” be reclassified as companies with delegated security controls?
- What happens to entities with Enhanced Ratings?
What happens to the rating of a company identified as having delegated security controls?
Some findings no longer impact the rating. See Findings Impact for details.
What if I don’t agree with the delegated security controls classification?
You can contact Bitsight Support or email delegated-controls@bitsight.com to dispute the classification.
Can self-published entities qualify for delegated security controls?
Yes. Because self-published entities are created by the companies themselves, their infrastructure is left untouched. Only IPs and domains that are already attributed to the entity are identified as having delegated security controls.
Is Bitsight updating the algorithm as part of this initiative?
No. Delegated security controls are not part of a Ratings Algorithm Update. See Findings Impact for details.
Will all companies Bitsight classifies as “Service Providers” be reclassified as companies with delegated security controls?
No, not all service providers will be reclassified. Currently, we apply the label “Service Provider” to denote certain companies that are engaged in providing services to other companies. These companies own and operate infrastructure used by their customers, such as certificate signing or other cloud-based platforms. This does not mean that all of these companies delegate the security of some of their assets to their customers.
There is substantial, but not total, overlap between this category of companies and that of companies that delegate control of devices connected to their network to other parties. As Bitsight looks to ensure that companies’ security controls are assessed as accurately as possible, certain companies previously labeled as Service Providers will be relabeled as having delegated security controls (and as a result, their ratings may change). Other companies labeled as Service Providers will retain this label and their ratings will be unimpacted.
What happens to entities with Enhanced Ratings?
Cloud Service Providers with Enhanced Ratings are removed from the Bitsight inventory. Subscriptions to those entities are automatically moved to the parent company, which is now identified as having the assets with delegated controls.