The U.S. Chamber of Commerce just issued “Principles for Fair and Accurate Security Ratings.”  These ratings are the first-of-its-kind guidelines for an emerging class of solutions that provide objective assessments of third-party security practices. These solutions complement traditional third-party risk management data gathering processes of vendor security questionnaires, attestation document reviews, and on-site assessments.

The principles are the result of a collaborative effort between large American financial and non-financial companies and the leading vendor security assessment companies such as RiskRecon. We at RiskRecon wish to thank the Chamber and these institutions for taking the lead in bringing key stakeholders together to establish practical guidelines.

What Is the Purpose?
The Chamber document itself states: “As security ratings continue to mature, more organizations in the public and private sectors leverage them in making business and risk decisions. As a key piece of a robust security evaluation program, security ratings based on accurate and relevant information are useful tools in evaluating cyber risk and facilitating collaborative, risk-based conversations between organizations.”

At RiskRecon, we share these same goals of producing useful insights to complement and dramatically improve any organization’s existing third-party risk management program.

What Are the Principles?
The collaborative process has produced six core principles:

  1. Transparency
  2. Dispute, Correction and Appeal
  3. Accuracy and Validation
  4. Model Governance
  5. Independence
  6. Confidentiality

The full description of each principle is available on the Chamber’s website.

RiskRecon’s Perspective
We’re pleased to see a growing recognition that third-party ratings and security assessment solutions should be “a key piece of a robust security evaluation program.” And we appreciate being just one of the few service providers asked to participate in this process.

We were active contributors to the process and believe principles like these are vital to ensuring appropriate buy-in and trust among the stakeholders involved in any third-party (and fourth-party) risk assessment program.

From our founding, we have adhered to the spirit of all six principles. And we also fundamentally believe that solutions must provide a high level of accuracy and “actionability” to ensure organizations can scale their program to address the changing IT landscape.

The Chamber’s principles align closely with how we at RiskRecon describe our solution capabilities:

  • Deep Transparency: 50 unique security measurements derived from our proprietary analysis and complete vendor IT profiling and asset mapping.

  • Accurate Evidence: all measurements result from our own direct, primary measurements of vulnerabilities, resulting in false positive rates under 1%.

  • Actionable Insights: not simply ratings but direct measurements, supporting evidence, insights, and recommended actions.

  • Continuous Collaboration: easily share our full assessment with your vendor without any time limits, vendor access fees, or other data constraints.

How to Obtain Your Security Assessment
The principles begin with transparency. So, if you wish to review your own organization’s complete report, please contact us via our website at www.riskrecon.com.

About RiskRecon
RiskRecon’s SaaS solution delivers transparent security measurements, analytics, and analyst-level insight to dramatically improve your third-party risk management program. By continuously monitoring an organization’s internet presence, we deliver accurate, actionable measurements to reveal each vendor’s “risk reality.” Learn more at www.riskrecon.com.