Companies identified as having delegated security controls are impacted in the following manner:
How does this classification work?
- Findings in assets with delegated controls are excluded from the risk vector grade depending on the type of delegated control.
- Findings that are excluded from the risk vector grade of an entity due to delegated controls are also excluded from the parent entity’s risk vector grade.
- Findings in assets without delegated controls continue to be included in the risk vector grade.
- Ratings may not necessarily improve. Both positively and negatively contributing findings are excluded from the risk vector grades.
Is Bitsight updating the algorithm as part of this initiative?
Delegated security controls are unrelated to Ratings Algorithm Updates.
Impact on Risk Vectors
Refer to the following table outlining how risk vectors are impacted by findings for each delegated control type:
What happens to the rating of a company identified as having delegated security controls?
Delegated Control Type | Impact on Risk Vector |
---|---|
Internet Service Provider | All findings in delegated assets are excluded from the risk vector grades. |
Internet Research | Findings in delegated assets are excluded from the risk vector grades except for the following risk vectors: |
Network Services | All findings in delegated assets are excluded from the risk vector grades. |
Platform-as-a-Service | Findings in delegated assets are excluded from the risk vector grades except for the following risk vectors: |
Impact on Assets
What happens to assets (domains and IPs) and the corresponding findings that do not impact the rating?
The same set of assets (domains and IPs) continues to be attributed to the company and visible in the Bitsight applications, even if some of the assets are identified as having delegated security controls.
Refer to the Attribution and Assets tabs in the Infrastructure page of the Security Performance Management application to see which assets are classified as having (or not having) delegated controls.
- March 13, 2024: Published.