Posted on Jan 16, 2018
Our initiative with the US Chamber of Commerce to release the Principles for Fair and Accurate Security Ratings started with defining and publishing the principles, and now SecurityScorecard is fostering this initiative by continuing to educate current and future users of our product about how we adhere to these principles.
We recently took a deep dive into other areas of these principles and this week we’re continuing our series by analyzing the principle of Independence, which reads:
Independence: “Commercial agreements, or the lack thereof, with rating companies, shall not have direct impact on an organization’s rating; any rated organization will be able to see and challenge their rating irrespective of whether they are a customer of the rating company.”
This principle, like its counterparts, focuses on promoting quality, accuracy, and independence of security ratings, fairness in reporting, and (most directly) a coordinated process for adjudicating errors or inaccuracies in the reported content. By breaking down each section of this principle, we can see how the SecurityScorecard platform puts each part of it into practice.
Section 1: Commercial agreements, or the lack thereof, with rating companies, shall not have direct impact on an organization’s rating.
A foundational principle of SecurityScorecard is that ratings must be fully independent and free of any commercial bias. SecurityScorecard ratings ensure independence and fairness via a rating system that provides a level playing field for all rated companies, regardless of whether a commercial agreement exists between the rated company and SecurityScorecard.
Furthermore, SecurityScorecard uses statistical methods that ensure that similar companies are rated consistently. To facilitate a fair and meaningful evaluation of cybersecurity risk, SecurityScorecard categorizes companies into buckets by industry and the company size in terms of IP footprint; these groups are referred to as cohorts. SecurityScorecard determines a company’s industry using publicly accepted, externally-managed data repositories. SecurityScorecard determines a company’s size by the number of digital assets assigned to the company. Aligning ratings for every company with its cohorts ensures that companies are compared apples-to-apples and that commercial agreements with SecurityScorecard do not influence ratings.
Section 2: Any rated organization will be able to see and challenge their rating irrespective of whether they are a customer of the rating company.
SecurityScorecard gives any rated company the ability to view its own scorecard. A companion article titled SecurityScorecard on the Principles for Fair & Accurate Security Ratings: A Focus on Dispute, Correction, and Appeal provides additional detail on how a company can challenge a rating.