Blog, March 11, 2025

The Principles for Fair & Accurate Security Ratings: A Focus on Confidentiality

SecurityScorecard is actively working to ensure our security ratings align with the Principles for Fair & Accurate Security Ratings, published by the US Chamber of Commerce. As part of this effort, we strive to educate the cybersecurity community on how our products align with these important principles.

This article is a continuation of a series of articles that describe how SecurityScorecard meets specific security rating principles as recommended by the US Chamber of Commerce. More specifically, this article provides an overview of how SecurityScorecard adheres to the principle of Confidentiality, which reads as follows:

Confidentiality: Information disclosed by a rated organization during the course of a challenged rating or dispute shall be appropriately protected. Rating companies should not publicize an individual organization’s rating. Rating companies shall not provide third parties with sensitive or confidential information on rated organizations that could lead directly to system compromise.

This principle focuses on aligning the key cybersecurity concept of confidentiality with the potentially sensitive data that may be presented by a security rating solution. The following sections provide additional detail on how SecurityScorecard aligns with the specific sections of the principle of confidentiality as recommended by the US Chamber of Commerce:

Section 1: Information disclosed by a rated organization during the course of a challenged rating or dispute shall be appropriately protected.

All information disclosed during a rating challenge or dispute is protected according to the confidentiality terms documented in SecurityScorecard’s End User SaaS Agreement.

Section 2: Rating companies should not publicize an individual organization’s rating.

SecurityScorecard is committed to providing ratings for companies that are based solely on publicly and ethically sourced data. In principle, the rating data provided by SecurityScorecard is already in the public domain. SecurityScorecard nevertheless recognizes the sensitivity of the data represented in our rating system and works diligently to protect sensitive data from public disclosure. Efforts to protect this information include information security controls within the platform and at SecurityScorecard, such as, but not limited to, role-based access control.

Section 3: Rating companies shall not provide third parties with sensitive or confidential information on rated organizations that could lead directly to system compromise.

As discussed above, the data collected and presented by SecurityScorecard is publicly and ethically sourced. Because the data presented in our scorecards is available to potential attackers in the public domain, SecurityScorecard is focused on providing full and timely transparency not only to our customers, but also to any vendor of our customers or any rated company that wants to access this information, so they can address issues before an attacker discovers them on their own. SecurityScorecard data is only available to users who have properly registered for our vendor risk management service. Any user who wishes to view the scorecard for their own company must go through a formal user onboarding process that verifies the user is an employee of the company they claim to represent. In addition, companies that license the service must adhere to contractual obligations that govern the use of the ratings they access for their vendors, to ensure the information is not used to compromise the systems of another third party.