As a part of our initiative with the the US Chamber of Commerce to release the Principles for Fair and Accurate Security Ratings, SecurityScorecard is setting education of these principles as its next action item.
We recently took a deep dive into the principle of Transparency, and this week we’re continuing our series by analyzing the principle of Dispute, Correction, and Appeal, which reads:
“Dispute, Correction and Appeal: Rated organizations shall have the right to challenge their rating and provide corrected or clarifying data. Rating companies should have an appeal and dispute resolution process. Disputed ratings should be notated as such until resolved.”
This principle –like its counterparts– is focused on promoting quality and accuracy of security rating, fairness in reporting, and (most directly) a coordinated process for adjudicating errors or inaccuracies in reported content. Breaking down each section of this principle, we’re able to see how the SecurityScorecard platform puts each part of this principle into practice.
Section 1: Rated organizations shall have the right to challenge their rating and provide corrected or clarifying data.
In rare instances, a rating may not be fine-tuned enough to reflect the security posture; this can happen when a digital asset is attributed to a company it shouldn’t be attributed to. (For example, a service provider who is also being attributed the IP ranges of its customers.)
SecurityScorecard allows any company to provide this corrected or clarifying data about their digital assets in order to correct the company’s rating. (For those who have not had a chance to read about how our platform works, in the first stage onboarding a new company into the SecurityScorecard platform, our team looks at a variety of resources to determine what digital assets belong to a company ranging from github account to domains and so on.)
This can be done easily by indicating that there are adding missing IPs or removing incorrect IPs on the Digital IP footprint main page and IP inventory tab.
Users can click the “Add Asset” button to add missing IPs.
Users can click the “Remove” link next to any incorrect IPs.
Additionally, for assets such as SSL certs or for websites, companies can email our Customer Success department to resolve this.
Section 2: Rating companies should have an appeal and dispute resolution process.
Within the platform in the “Your Scorecard” tab, there is also an option to indicate that a company would like to resolve/refute an issue or request a recalculated score based on a recent resolution of an issue.
Users can click the Resolve button in the lower right of each issue listing.
Section 3: Disputed ratings should be notated as such until resolved.
Additionally, In most instances, corrections are being performed by a vendor, and our platform encourages a collaborative environment wherein the vendor is actively engaging with its customer and keeping them up to date on remediation actions and resolutions. Read more about our collaborative features here. Additionally, in the event of a recalculation request, ratings are updated within 24 hours.
Want to learn more? Check our post about Security Ratings or our Focus on Transparency post.