Educause Security Discussion mailing list archives
Any thoughts on BitSight Security Ratings/Scores?
From: Jeff McCabe <j-mccabe () TAMU EDU>
Date: Wed, 8 Oct 2014 18:07:38 +0000
Colleagues,

Some on our campus have expressed concern over the current practices of BitSight Tech (https://service.bitsighttech.com/my-company/) in their reporting/comparisons/ratings of an institution's information or network security. They look at publicly available information off the network and supposedly report adware, botnets, etc. and generate a score for your institution's level of security (basic, intermediate, advanced) with a comparison to your industry group.

One of the concerns expressed here is that there is no validation and this could falsely besmirch the reputation of a public university. For example, at a public university, the public can go to certain places and use their personal devices (which might be infected). These public areas might be isolated so as not to be of concern to the rest of the campus network, but would appear to BitSight as a higher-risk situation than they actually are. Their approach might seem to have more value for a relatively homogeneous and highly controlled business environment as opposed to a public university.

Have any of you taken a look at this (your "score")? Do you have any concerns?

(Their comparison of athletic conferences: http://www.zdnet.com/us-universities-at-greater-risk-for-security-breaches-than-retail-and-healthcare-bitsight-7000032843/ )

Best regards,
Jeff