In this article:
Use hierarchies to help you visualize how organizations you monitor are related within a parent business entity and to show how your own corporate relationships are structured.
Hierarchies can provide useful context for assessing third-party risk, such as how security policies are inherited across related organizations.
If you are an administrator for a Scorecard in a hierarchy, you can view evidence for findings in the Scorecard of a subsidiary Scorecard. Learn about using Subsidiary Management.
Understand how hierarchies are structured
A hierarchy is a tree-structured visualization of a parent entity and its holdings, represented by their Scorecards. A hierarchy can also include published Custom Scorecards.
A hierarchy includes up to three levels:
- Parent (top level)--The holding company is the entity at the top of the hierarchy. In a multinational corporate structure, it is the global holding company.
- Child (second level)--A direct subsidiary of a parent. A child can only have one parent. Also, when a domain is added to a hierarchy as a child to a parent, that parent inherits any subsidiaries (infants) of the child.
- Infant (third level)--An direct subsidiary of a child.
View a hierarchy for a Scorecard
To see how an organization fits into a hierarchy, go to that Scorecard, and click Hierarchy in the left navigation.
Note: A hierarchy is not an automated Scorecard feature. An organization initiates the creation of their hierarchy by working with our Support team. If you do not see a hierarchy for a given Scorecard, the organization has not posted one.
The hierarchy shows the selected organization in a shaded box to indicate its position in the corporate structure. The following screenshot shows the hierarchy for a parent.
The following screenshot shows the same hierarchy for an infant organization.
Filter and sort a hierarchy
Use the filtering and sorting tools in the panel on the right to modify your view of the hierarchy or highlight specific organizations:
- To find a specific organization in the hierarchy, start typing its name in the text box at the top of the panel.
- To see organizations in a specific industry, start typing the industry name.
- To see organizations with certain grades, select those grades. Parents or children of the filtered organizations that have different grades appear greyed out.
- To sort the display of organizations by alphabetical order, reverse-alphabetical order, or highest to lowest grades, or lowest to highest grades, select the option you want. Regardless of the selected order, the parent remains on top.
Display a hierarchy for your own organization
To have SecurityScorecard build a hierarchy for your organization, send our Support team a .csv file or spreadsheet that shows the hierarchy structure.
The Support team performs an exhaustive validation process to ensure accuracy and then displays the hierarchy in the platform.
Format for .csv file
For a .csv file, use the following format:
parent,child
,domain.com,
domain.com,child-domain-01.com
domain.com,child-domain-02.com
domain.com,child-domain-03.com
child-domain-01.com,infant-domain-01.com
child-domain-01.com,infant-domain-02.com
child-domain-01.com,infant-domain-03.com
The top row includes the parent and child columns.
The second row includes a blank column and then the column for the domain name and suffix.
The next set of rows include all the parent/child pairings.
The final set of rows include the all the child/infant pairings, if applicable.
Format for spreadsheet
If you are using a spreadsheet, format it like the following screenshot:
Tips for specifying hierarchy structures
- You can ask Support to send you a template file to help you set up the structure.
-
For large hierarchies, create multiple CSV files, each containing no more than 100 domains.
- If you make a mistake, upload the original .csv file.
-
You can ask Support to modify versions of the structure at any time.
- You cannot add subdomains to a hierarchy.
- To include a Custom Scorecard in the hierarchy, enter the Scorecard's UUID, which you can find in the navigation bar of that Scorecard's page.
Submit your hierarchy structure to Support
To submit your hierarchy structure, submit a Support request. with a .csv file or spreadsheet attachment formatted as shown in the preceding examples.
How hierarchies, Scorecards, and Custom Scorecards are related
Keep the following in mind when you work with hierarchies, Scorecards, and Custom Scorecards:
- Scorecards within a hierarchy do not affect each others' scores. Their Digital Footprints are isolated from each other.
- Hierarchies are based on Scorecards. An existing Scorecard is required for inclusion in a hierarchy. If a Scorecard does not exist, you can create a Custom Scorecard, which represents a subset of its source Scorecard's Digital Footprint.
- You can divide a source Scorecard into multiple Custom Scorecards, representing different departments, and then link them to the parent Scorecard in a hierarchy.
- A Custom Scorecard is independent of a hierarchy, even if it is sourced from a Scorecard in the hierarchy.
- A hierarchy feature does not provide any insight into the domains on a Scorecard's Digital Footprint.
- If a Scorecard redirects to another Scorecard, the redirect destination Scorecard appears in the hierarchy. To illustrate: Three regional Scorecards example.fr, example.uk, and example.pt all redirect to example.com, so only example.com appears in the hierarchy.
Enable and use Subsidiary Management
If you are an administrator for a Scorecard in a hierarchy, you can use the Subsidiary management feature to view all evidence for issue findings for subsidiary Scorecards in your hierarchy.
This enhances your ability to manage risk for organizations that have a close corporate relationship with yours, such as those with a shared IT infrastructure.
To use Subsidiary Management, confirm that your Scorecard is in a hierarchy. Then, submit a Support request for enabling this feature.
Understand what "finding evidence" is
When we show findings for issue types on a Scorecard, we provide evidence, which depends on the specific issue type. For example, in the case of the Leaked email issue type, the evidence includes the compromised email addresses. Evidence on a given Scorecard is only visible to:
- An administrator for that Scorecard
- An administrator for the Scorecard of the parent organization in a Scorecard hierarchy.
An administrator for a child Scorecard in a hierarchy can only view evidence for their own infant subsidiaries. They cannot view evidence for infants of a peer child.
For example, as seen in the following screenshot, Example Child Corp. 1 and Example Child Corp. 2 are peer children of Example Parent Corp. The Scorecard administrator for Example Child Corp. 1 can view finding evidence for their own infant subsidiaries but not the infant subsidiaries of Example Child Corp. 1.
View evidence for findings for a subsidiary
- In the Hierarchy tab, select an organization that you want to view evidence for.
Tip: If you already know that you are in a hierarchy that includes a given organization, you can just go to the Scorecard for that organization.
- Select the Issues tab for that Scorecard and then select an issue type that you want to investigate.
Or
To investigate issues by specific factor, select the Factors tab. Expand the factor that concerns you and then select an issue type in that factor. - On the issue details page, scroll down to the Findings table.
- Note any findings that concerns you and then use the bar above the table to scroll to the right.
- Review the values in the Evidence column.
In the example of the Email exposed issue type, evidence consists of compromised emails.
Take action on issue findings for subsidiaries
After investigating evidence for findings that concern you, take the following actions to help your subsidiary resolve them:
- Send them an Action Plan targeted at issue resolution.
- Contact them to discuss the issues and how they affect your organization and possibly others in the hierarchy.
- Send them a questionnaire to vet the security controls they have in place to address the issues.