Vendor Risk Assessment
The vendor risk assessment platform gives organizations visibility into their own security maturity and that of their vendors/suppliers by analysing the security configuration of their Internet-facing properties and their breach history.
A broad assessment.
The Security Colony Vendor Risk platform uses a range of free, open source and commercial tools to complete over 20 distinct checks against a company’s online footprint, packaging this analysis up in an easy to use interface detailing the identified risks and providing an overall risk score and grade for the assessed organization.
Available to all.
Free users can see their own organisation’s maturity score.
Premium users can see their own organisation’s maturity score, and can also add their vendors/suppliers to track their scores too. 10 suppliers are included in the standard Premium subscription, and additional packs of suppliers can be added by either credit card or invoice.
The platform performs a range of checks which are then used to display a final analysis in an easy to use interface.
There are four broad assessment categories which these checks fall into:
Assessing the organization for historic (or current) malicious activity
- Whether an organization has had their domain blacklisted for spam
- Whether an organization has been identified as hosting malware on their domains
- Whether an organization has been identified as a source of phishing attacks
- Whether an organization has been identified as a source of botnet attacks
Assessing security misconfigurations and vulnerabilities related to server configuration
- Whether an organisation has a strong process for correctly configuring all their encryption (SSL/TLS) certificates
- Whether an organisation has insecure (i.e. unencrypted) ports open to the Internet
- DNS server configuration
Assessing security misconfigurations and vulnerabilities related to e-mail system configuration
- Whether an organisation uses strong email security technology (SPF and DMARC)
- Whether employees of an organisation have used their corporate email addresses on external accounts, and whether they have then been the subject of a data breach
Assessing security misconfigurations and vulnerabilities related to critical web applications
- A range of security header checks including HSTS, XSS Protection, Framing Protection, Content Security Policy and HPKP.
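The web application header checks listed above, as an added example that is not the platform's own code: a Python routine that grades one host's captured response headers on the five headers named, run here over a constructed sample header set. The one-year HSTS threshold, equal check weights and grade bands are assumptions; HPKP is flagged only when present, since current browsers no longer honour it.

```python
import re

# Constructed sample: response headers as a scanner would capture them from one Internet-facing host.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
}
ONE_YEAR = 31536000  # HSTS max-age (seconds) this example treats as the minimum acceptable value

def check_hsts(h):
    """HSTS must be present, last at least a year and cover subdomains."""
    value = h.get("strict-transport-security")
    if value is None:
        return "HSTS missing"
    directives = [d.strip().lower() for d in value.split(";")]
    ages = [int(m.group(1)) for d in directives if (m := re.fullmatch(r"max-age=(\d+)", d))]
    if not ages or ages[0] < ONE_YEAR:
        return "HSTS max-age below one year"
    return None if "includesubdomains" in directives else "HSTS does not cover subdomains"

def check_csp(h):
    """CSP must be present and not neutered by unsafe-inline / unsafe-eval."""
    csp = h.get("content-security-policy")
    if csp is None:
        return "Content-Security-Policy missing"
    return "CSP permits unsafe-inline/unsafe-eval" if re.search(r"'unsafe-(inline|eval)'", csp) else None

def check_framing(h):
    """Either X-Frame-Options or a CSP frame-ancestors directive counts as framing protection."""
    if "x-frame-options" in h or "frame-ancestors" in h.get("content-security-policy", ""):
        return None
    return "No framing protection (X-Frame-Options or CSP frame-ancestors)"

def check_xss(h):
    return None if "x-xss-protection" in h else "X-XSS-Protection missing"

def check_hpkp(h):
    # HPKP is deprecated and ignored by current browsers: absence is not penalised, a stale pin set is flagged.
    return "HPKP present (deprecated; bad pins can lock users out)" if "public-key-pins" in h else None

CHECKS = (check_hsts, check_csp, check_framing, check_xss, check_hpkp)

def assess_headers(headers):
    """Run every check over case-insensitive header names; return (score 0-100, grade, findings)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [f for f in (check(h) for check in CHECKS) if f]
    score = round(100 * (len(CHECKS) - len(findings)) / len(CHECKS))
    grade = "A" if score >= 90 else "B" if score >= 80 else "C" if score >= 70 else "D" if score >= 60 else "F"
    return score, grade, findings
```

Calling `assess_headers(SAMPLE_HEADERS)` grades the constructed sample; the short HSTS max-age, the unsafe-inline CSP and the missing X-XSS-Protection header each cost a check.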