Findings Impact of Delegated Security Controls

Companies identified as having delegated security controls are impacted in the following manner:

How does this classification work?

• Findings in assets with delegated controls are excluded from the risk vector grade depending on the type of delegated control.
• Findings that are excluded from the risk vector grade of an entity due to delegated controls are also excluded from the parent’s entity risk vector grade.
• Findings in assets without delegated controls continue to be included in the risk vector grade.
• Ratings may not necessarily improve. Both positively and negatively contributing findings are excluded from the risk vector grades.

Is Bitsight updating the algorithm as part of this initiative?

Impact on Risk Vectors

Refer to the following table outlining how risk vectors are impacted by findings for each delegated control type:

What happens to the rating of a company identified as having delegated security controls?

Impact on Assets

What happens to assets (domains and IPs) and the corresponding findings that do not impact the rating?

The same set of assets (domains and IPs) continue to be attributed to the company and visible in the Bitsight applications, even if some of the assets are identified as having delegated security controls.

Refer to the Attribution and Assets tabs in the Infrastructure page of the Security Performance Management application to see which assets are classified as having (or not having) delegated controls.