SecurityScorecard is the most comprehensive security risk ratings platform, providing the security posture of 1m+ enterprises worldwide. It continuously monitors the cybersecurity health of organisations by identifying public facing vulnerabilities that create a security risk. Use cases include self monitoring, peer benchmarking, third party risk management and cyber insurance .
- Instantly identifies vulnerabilities, active exploits and advanced threats
- Protects your business and strengthens your security posture
- Gives insight into what a hacker sees
- View the security posture of your vendors and partners
- Provides and maintains compliance with regulations and standards
- Insight into Cyberhealth of potential mergers or acquisitions
- Streamline cybersecurity compliance and due diligence using Atlas
- Machine learning enables validation of vendor responses in near real-time
- Peer Benchmarking
- Simple and easy to use interface
- Monitor all your partners and/or vendors from a single platform
- Aids collaboration with vendors to improve their security posture
- Streamline and improve your vendor risk management programme
- Largest database of scored companies provides detailed risk analytics
- Passive, non intrusive and continuous security assessment
- Reduce cyber insurance premiums
£500 to £2000 per licence per year
- Education pricing available
Somerford Associates Limited
+44 1793 698 047
|Software add-on or extension||Yes, but can also be used as a standalone service|
|What software services is the service an extension to||SecurityScorecard have developed a Splunk App which will allow you to extend your existing Splunk service.|
|Cloud deployment model||Public cloud|
|System requirements||None, solution is cloud hosted by SecurityScorecard|
|Email or online ticketing support||Email or online ticketing|
|Support response times||SecurityScorecard provide support 8am-5pm EST Monday-Friday excluding US Federal Holidays.|
|User can manage status and priority of support tickets||No|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
Our Service Desk provides support for P1 to P4 where a part of the software, appliance or license was previously working and is not working as expected or at all.
If an issue requires a level of Professional Services to engage, a member of the support team will discuss with your Account Manager to discuss this further.
Service Desk offer support through several channels, including telephone, e-mail and remote sessions where appropriate. Any employee of our entitled customers can raise a support desk ticket via telephone or e-mail with their company e-mail address. This will be logged and assigned to an engineer who will respond within 1 business hour.
Somerford resolve 80% of service desk tickets without requiring the involvement of our Partners. Where Partner involvement is required, we will advise you on this the process. Wherever possible, we will manage your service desk case with our Partners.
Our service desk is available between 9am and 5pm Monday to Friday, excluding Bank Holidays. Our service desk will provide support for existing Customers and companies that are engaged in Proof of Concepts.
All our customers have a Technical Account Manager.
|Support available to third parties||Yes|
Onboarding and offboarding
You can request a free assessment of your own company.
Once you have purchased relevant licences SecurityScorecard can be accessed via the browser by logging on with your personal credentials. Online Training can be provided.
|End-of-contract data extraction||No proprietary information is stored. Users can extract Summary, Issues and Detailed reports on the companies they are monitoring|
|End-of-contract process||At the end of the contract access to the platform will cease.|
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||No|
|What users can and can't do using the API||
SecurityScorecard collect terabytes of data on 1m+ of entities worldwide. Their forward-based threat intelligence capabilities are powered by a proprietary sensor network that spans the globe.
Their data science and machine learning capabilities transform that telemetry into intelligence that can be used to identify risks and prevent exploits. Through API Connectors, they make this data consumable by technology companies, insurers, rating agencies, security teams, and more.
|API documentation formats||
|API sandbox or test environment||No|
|Independence of resources||SecurityScorecard are continually monitoring and enhancing their platform to provide the highest levels of service to their customers|
|Service usage metrics||No|
|Supplier type||Reseller providing extra support|
|Organisation whose services are being resold||SecurityScorecard|
|Staff security clearance||Conforms to BS7858:2012|
|Government security clearance||Up to Security Clearance (SC)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||EU-US Privacy Shield agreement locations|
|User control over data storage and processing locations||No|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||Another external penetration testing organisation|
|Protecting data at rest||
|Data sanitisation process||No|
|Equipment disposal approach||A third-party destruction service|
Data importing and exporting
|Data export approach||Data can be exported as .csv or .pdf|
|Data export formats||
|Other data export formats|
|Data import formats||CSV|
|Data protection between buyer and supplier networks||TLS (version 1.2 or above)|
|Data protection within supplier network||TLS (version 1.2 or above)|
Availability and resilience
|Guaranteed availability||Service Provider’s goal is to achieve 99.9% Availability of the Services for its customers. If uptime for the Services is less than 98.0% for a given month of the Term, then Service Provider shall issue Customer a service credit (“Service Credit”) in accordance with the schedule below, with the credit being calculated based on the fees for month of the affected Services. “Availability” is defined as the 24/7 access to the web interface to the SecurityScorecard SaaS platform being accessible and users can log-in to the system. Availability excludes issues due to internet and/or connectivity.|
|Approach to resilience||Resilience has been built into the design of SecurityScorecard's cloud based offering with failover and dynamic resource allocation available and utilised|
SecurityScorecard may perform any standard maintenance, upgrades, replacement of hardware or software or any other like activity that may result in unavailability (collectively, “Scheduled Maintenance”). SecurityScorecard shall notify Customer in advance of any anticipated Scheduled Maintenance, and provide the date, time and expected duration. Such notice will be provided by email or web notification. Scheduled Maintenance shall not be included in the Uptime Commitment calculation.
SecurityScorecard may also perform any maintenance reasonably necessary to fix critical Service functionality, security or other vulnerabilities or material defects that may substantially impair the usability or performance of the Services, to the extent such maintenance cannot reasonable be performed during the Scheduled Maintenance window (“Emergency Maintenance”). SecurityScorecard shall notify Customer at least 24 hours’ notice (or at least as much notice as is reasonably possible, where 24 hours is not commercially reasonable) of any Emergency Maintenance, including its date, time and expected duration. Such notice will be provided by email or web notification.
Identity and authentication
|User authentication needed||Yes|
|Other user authentication||SAML|
|Access restrictions in management interfaces and support channels||Users are assigned access levels within SecurityScorecard. A user can either be Read Only, User or Admin|
|Access restriction testing frequency||At least once a year|
|Management access authentication||
|Description of management access authentication||SAML|
Audit information for users
|Access to user activity audit information||Users contact the support team to get audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||No|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||Yes|
|Any other security certifications||
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||ISO/IEC 27001|
|Information security policies and processes||
ISO 27001 certification
|Configuration and change management standard||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Configuration and change management approach||SecurityScorecard adhere to industry good practise in terms of configuration and change management processes.|
|Vulnerability management type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Vulnerability management approach||
SecurityScorecard not only provide security posture monitoring of thousands of companies worldwide but also use their own technology to monitor their own security posture.
Regular internal vulnerability scanning is run and endpoint protection deployed
|Protective monitoring type||Undisclosed|
|Protective monitoring approach||
An automated or manually reported alert is sent. Once the incident has been acknowledged the first responder is responsible to triage the issue.
For product related issues, there is a reference chart of team owners.
For infrastructure related issues the incident will be escalated to either Infrastructure Services Team or the Site Reliability Engineering Team
For security related incidents a conference bridge is opened and all members of the SecOps team attend.
The IRT engineer continues to provide the high level updates to stakeholders.
Once the incident is closed, the various parties work together to author the post mortem document.
|Incident management type||Undisclosed|
|Incident management approach||Industry standard incident management processes are in place|
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||No|
|Price||£500 to £2000 per licence per year|
|Discount for educational organisations||Yes|
|Free trial available||Yes|
|Description of free trial||Instant SecurityScorecard provides a free limited summary view into the security posture of your organisation that can be accessed every 30 days.|
|Link to free trial||https://instant.securityscorecard.com/?custom_source=ssc_fp_free_score_button|