In June of 2017 the U.S. Chamber of Commerce posted the “Principles for Fair and Accurate Security Ratings,” a document supported by a number of organizations interested in the emerging market for measuring cyber risk. The principles provide a starting point for understanding the current state of security ratings and for establishing a shared baseline for assessing vendors in that market.
UpGuard’s Cyber Risk product abides by the guidelines of the principles for security ratings. This post will go through each of the principles and how UpGuard hews to the recommended practices.
Dispute, Correction and Appeal: Rated organizations shall have the right to challenge their rating and provide corrected or clarifying data. Rating companies should have an appeal and dispute resolution process. Disputed ratings should be notated as such until resolved.
Organizations discovering inaccuracies in the data underpinning their score can contact UpGuard directly via email or phone. UpGuard will respond within one business day to confirm the appropriate point of contact and begin a review of the issue to determine the solution.
Accuracy and Validation: Ratings should be empirical, data-driven, or notated as expert opinion. Rating companies should provide validation of their rating methodologies and historical performance of their models. Ratings shall promptly reflect the inclusion of corrected information upon validation.
UpGuard’s CSTAR score gathers data programmatically, ensuring that every vendor is given equal treatment in the assessment process. The data points gathered are best practices validated in countless manuals and similar assessment tools. In addition to comparing UpGuard’s performance to public breach data, UpGuard’s cyber risk research team compares our model’s performance against the thousands of cloud leaks they have discovered.
Model Governance: Prior to making changes to their security ratings methodologies and/or data sets, rating companies shall provide reasonable notice to their customers and clearly communicate how announced changes may impact existing ratings.
UpGuard notifies customers via email whenever there are changes to the data collection or scoring. UpGuard’s Cyber Risk product includes live chat to provide support as needed in preparing for those changes.
Independence: Commercial agreements, or the lack thereof, with rating companies shall not have direct impact on an organization’s rating; any rated organization will be able to see and challenge their rating irrespective of whether they are a customer of the rating company.
UpGuard’s rating methodology is blind to whether the rated entities are customers or not. Additionally, UpGuard has developed numerous free pieces of software that anyone can use to monitor their own score. Contacting UpGuard to address inaccuracies in scoring information is available to the public.
Confidentiality: Information disclosed by a rated organization during the course of a challenged rating or dispute shall be appropriately protected. Rating companies should not publicize an individual organization’s rating. Rating companies shall not provide third parties with sensitive or confidential information on rated organizations that could lead directly to system compromise.
All communication between UpGuard and rated entities remains confidential. Organizations that add extra information into their Cyber Risk instance to improve the usefulness of security ratings– for example, attaching a vendor assessment questionnaire– is private to that organization’s account. Similarly, UpGuard provides separate products to expand integrated risk management capabilities to cover internal systems, and that data is strictly the possession of the customer.
However, UpGuard does make the ratings derived from the public data accessible to anyone. Data on website misconfigurations, old software past its end of life, and open ports is not confidential. It is, at best, obscured. In reality, it is obscured only from the people who deserve to know the most– the customers who are at risk if those misconfigurations are exploited. Adversaries are well aware of how to automate the detection of vulnerable assets and how to prioritize those so as to pursue the lowest hanging fruit. UpGuard proudly publishes that information so people who are not cyber criminals are aware of the risks they incur when entrusting their data to those who do not deserve it.
Businesses looking to understand their risk, both from their own digital properties and from the practices of their third parties, will be well-served by the overarching values of transparency, consistency, and remediation in security ratings. As long as security ratings are sufficiently public, their value will be apparent through their ability to benefit those who utilize them. UpGuard’s CSTAR scores conform to the principles, while the UpGuard product line goes beyond what is required to make those scores more accessible and more extensible than ever before.