Page 65 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022

So, What’s the Problem?

Table 1 and Table 2 show an example of a common yet specific terminology problem. A company wants to assess a vendor to ensure that the vendor's email servers cannot be used for phishing attacks targeting the outsourcing company. Specifically, the outsourcer wants to know if the vendor has enabled the Sender Policy Framework (SPF) on their network. SPF is a Domain Name Service (DNS) configuration that organizations can enable to help stop attackers from impersonating an organization's email addresses.

When reviewing Security Rating Service A's alert category, it is easy to spot the reference to SPF because SPF is specifically listed. However, in Security Rating Service B's solution, it is hard to tell if either Category 1 or Category 2 matches the outsourcer's need for SPF monitoring.

A Group of Rivals

Shared Assessments is a member-driven organization that has developed and promoted standardized resources for corporate risk assessment (not just cyber risk assessment) for over a decade. SA members — including SRS providers such as 23Advistory, BitSight, Black Kite, Panorays, RiskRecon, and Security Scorecard — worked through Shared Assessments to create the common taxonomy with which they could describe their varied offerings. The taxonomy establishes consistent language, practices, and reporting structures for complex cyber events and vulnerabilities, and removes the potential for ambiguities. Each of the "rivals" sees advantages for themselves and their clients.

The World Economic Forum and NIST are both considering leveraging the taxonomy to ensure consistency with their own frameworks and terminology.

The taxonomy itself takes no stance on the relative importance of any one event over any other. What is required is that an event is currently being monitored by someone, in some way, in the real world. The events are described in the adverse to avoid duplication. For example, one SRS provider may say "the XYZ patch is missing — that's bad" and provide a lower score while another provider may say "the XYZ patch is present — that's good" and provide a higher score. The taxonomy always describes the XYZ patch in its adverse form to avoid describing the condition twice.
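As an added illustration (not from the article and not any SRS provider's code), the check below ties the two points together: it inspects a vendor domain's DNS TXT strings for the SPF policy the outsourcer asked about, and reports the result as a single adverse-form finding in the spirit of the taxonomy. The domain names and TXT strings are constructed samples; in practice the list would come from a resolver query for the vendor's domain.

```python
"""Assess whether a domain's TXT records carry an SPF policy and how strict it is."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample TXT record sets (not real domains), as a resolver would return them.
SAMPLE_TXT = {
    "vendor-strict.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"],
    "vendor-soft.example": ["v=spf1 include:_spf.mail.example ~all"],
    "vendor-open.example": ["v=spf1 +all"],
    "vendor-none.example": ["site-verification=constructed-token"],
    "vendor-dup.example": ["v=spf1 -all", "v=spf1 ~all"],
}


@dataclass
class SpfAssessment:
    present: bool
    records: int
    all_qualifier: Optional[str]  # '-', '~', '?', '+', or None if no 'all' term
    terms: list = field(default_factory=list)  # mechanism/modifier names, in order

    @property
    def finding(self) -> str:
        """State the condition in adverse form only, as the taxonomy does; 'none' if clean."""
        if not self.present:
            return "SPF record missing"
        if self.records > 1:
            return "multiple SPF records"  # RFC 7208: receivers treat this as permerror
        if self.all_qualifier in (None, "?", "+"):
            return "SPF policy permissive"  # no restrictive 'all' mechanism
        if self.all_qualifier == "~":
            return "SPF policy soft-fail only"
        return "none"


def assess_spf(txt_records: list) -> SpfAssessment:
    """Evaluate the TXT strings published at a domain apex."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return SpfAssessment(False, 0, None)
    qualifier, terms = None, []
    for term in spf[0].split()[1:]:  # drop the 'v=spf1' version tag
        m = re.fullmatch(r"([+\-~?]?)([a-z0-9]+)(?:[:/=].*)?", term, re.IGNORECASE)
        if not m:
            continue  # unparseable term; ignore rather than fail the whole record
        q, name = m.group(1) or "+", m.group(2).lower()  # bare mechanism means '+'
        if name == "all":
            qualifier = q
        else:
            terms.append(name)
    return SpfAssessment(True, len(spf), qualifier, terms)
```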
