Educause Security Discussion mailing list archives
Re: Cyber Security Scorecards
From: Kevin Reedy <kreedy () EXCELSIOR EDU>
Date: Tue, 20 Feb 2018 14:26:42 +0000
I've been 'graded' by BitSight - some of their metrics are great, while others are frustrating to say the least. They pay Akamai and other advertising giants to get browser strings and link that back to your IPs, so you are getting hits on out-of-date iOS and Android on the guest network, etc. They pay some of the larger DNS sinkholes to get data from there, which is at least actionable. In the end I'm glad to not have to worry about the score, but if the market continues to grow it will impact the way guest wireless and testing machines are deployed - the response they gave me was to have a separate IP space for those items, which isn't ideal in most cases.

-Kevin

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Lovaas,Steven
Sent: Monday, February 19, 2018 9:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Cyber Security Scorecards

We did go with BitSight, getting creative with funding to give better insight into our own risk profile for the variety of regulatory schemes. It's been a really nice tool for showing progress (and its lack) in a number of areas. I was able to get a bit more funding the second year to add some third-party evaluations as well, as we're beefing up our process of cloud vendor vetting.

Steve

================================
Steven Lovaas
University Information Security Officer
Colorado State University
steven.lovaas () colostate edu
970-297-3707
Against stupidity the gods themselves contend in vain.
================================

________________________________
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Madl, Michael <michael.madl () INDWES EDU>
Sent: Monday, February 19, 2018 5:52:54 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Cyber Security Scorecards

We looked at BitSight. Great product but cost was over 10K a year. If I had the budget I would have definitely gone with them.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Patrick McElhinney
Sent: Monday, February 19, 2018 12:41 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Cyber Security Scorecards

Hi All,

We are starting to look at some options in the cyber scorecard space to try and get some extra inputs into our Vendor Risk Management processes. Some of the players we are exploring include:

* SecurityScorecard
* BitSight Security Ratings
* Upguard CyberRisk
* FICO® Enterprise Security Score Profile (QuadMetrics)

Has anyone else dipped a toe into this market and have any recommendations, or Pros\Cons on any of the players in the market?

With Thanks,
Patrick

PATRICK McELHINNEY
Senior Security Specialist
IT Services - Resources Division
The University of Newcastle (UoN)
University Drive
Callaghan NSW 2308 Australia
CRICOS Provider 00109J
http://www.newcastle.edu.au/
Current thread:
- Cyber Security Scorecards Patrick McElhinney (Feb 18)
- Re: Cyber Security Scorecards Madl, Michael (Feb 19)
- Re: Cyber Security Scorecards Lovaas,Steven (Feb 19)
- Re: Cyber Security Scorecards Kevin Reedy (Feb 20)