How does your solution maintain compliance with applicable laws and ethical standards?
SecurityScorecard’s methodologies are based on security research practices that are widely utilized in the industry. All of the information we obtain is by non-intrusive methods and we follow all appropriate standards and best-practices in our own collection efforts as well as require our data partners to do the same. For more information, download our legality white paper.
What security controls does your application have in place?
- We use the SecurityScorecard platform to continuously monitor our own cyber health
- We encrypt data in transit and at rest
- We manage all of our infrastructure passwords through a system vault that enforces password strength and allows easy, fast rotation
- We centralize our AAA services through LDAP and use multi-factor authentication for all platform infrastructure
- We segregate and isolate our network (firewalls and private networks) and limit access (inner circle is 5 SREs, middle circle is tech leads, outer circle is engineering as a whole)
- We log all systems and service actions for audit
- We do periodic penetration tests using 3rd party providers
- We conduct regular control audits
How can I be assured findings don’t end up in the wrong hands?
SecurityScorecard’s data is collected from our own proprietary data collection processes as well as from open source and commercial threat intelligence feeds. The signals that we collect are public on the internet, meaning all of our information is collected via non-intrusive methods using broadly accepted security research methodologies. We follow appropriate disclosure and notification protocols. Since the information that we collect is obtainable from commercial and open source providers and is public on the internet, companies should assume that findings in the SecurityScorecard platform are obtainable by nation-state, cyber criminal, and other black hat individuals and organizations through their own mechanisms and resources. We take measures to ensure that only validated security and risk management practitioners and similar professionals have access to our platform.
How do you handle vulnerabilities and notifications?
We offer free access to the platform so that any company can, in effect, be notified of vulnerabilities in its own infrastructure found by SecurityScorecard and work to resolve its publicly observable security issues. Our platform’s automation capabilities are non-intrusive: they can discover vulnerabilities but do not exploit them. Where possible, in instances where our security researchers find a high-risk, exploitable vulnerability (i.e. open access to a critical infrastructure asset such as a dam or power grid control system) that could create a public safety issue, we will notify the operator directly of that vulnerability.