Product Security Assessments

Narrow the gap between vendor, asset, and product security management disciplines

Inherent product risk evaluates the potential for harm to products across the risk categories such as data/systems access, cloud, mobile, offshore, safety, grid reliability, security, compliance, and supply chain. The risk score for this section limits the potential for vulnerability and controls assessment scores to contribute to the overall risk score.

The Product Security Controls section evaluates 59 individual security controls in 10 different categories. The level of risk for each product security control is ranked based on potential impact in an IT/OT environment. Each control is mapped to control frameworks such as NERC CIP, NIST SP 800-53, NATF, and CIS. Each category is then given a score which is calculated based on each individual control score.

All of the categories are then averaged to provide an overall score for all Product Security Controls. Furthermore, the section can raise 5 different results for every control questions such as Default, Configurable, Not Present, Not Applicable, and Unknown. Configurable results are given further details based on product documentation on how to specifically configure a section to apply a security control. Not Present results are given a definition where impact for the lack of a specific control in the environment are detailed. The Vulnerability Risk Profile evaluates the product for known vulnerability and third-party vulnerabilities that may affect the product. The vulnerabilities are then analyzed to create a trend; whether the count is increasing, decreasing, or stable, and to create a timeline based on the vendor’s ability to respond to known vulnerabilities. The vendor is evaluated on its ability to notify, disclose, and remediate vulnerabilities found for the product.