What Data is being collected during Scans?
When performing scans with the Cyrisma platform, the types of data collected depend on the scan type. Below is a detailed breakdown of what data is accessed and collected during each scan, along with assurances regarding data security and privacy:
Written by Tony Scribe
Updated at December 18th, 2024
- User Manual
- Self Onboarding Guide
- Agents
- The Cyber Risk Assessment Process
- PSA Integrations
- General Questions and Troubleshooting
- The Cyber Risk Assessment Process (Video Tutorials)
- Sales and Prospecting Articles
- CYRISMA Partner Portal Access
- Glossary
- API Documents
- CYRISMA Change Log
- Support Ticket SLA
- Billing Questions
Table of Contents
1. Vulnerability Scans
- Purpose: Identify security vulnerabilities based on installed software versions.
-
Data Collected:
- Software version information for every piece of installed software.
- Cross-referenced information with publicly available vulnerability data (e.g., CVEs - Common Vulnerabilities and Exposures).
- Customer Data: No customer data is collected during this process.
2. Secure Baseline Scans
- Purpose: Compare system configurations against a "secure baseline" of known, accepted security standards.
-
Data Collected:
- System configuration details.
- Customer Data: No customer data is collected during this process. Only configuration settings are evaluated.
3. Web Application Scans
- Purpose: Identify web-based security weaknesses such as Cross-Site Scripting (XSS), SQL Injection, etc.
-
Data Collected:
- Publicly facing website data.
- Any publicly exposed data (e.g., credit card numbers, addresses) that may already be visible to anyone accessing the website.
- Customer Data: The scanner is not authenticated, meaning it only evaluates data that is already publicly accessible.
4. Data Scans
- Purpose: Identify sensitive data stored on disk or in the cloud based on selected categories (e.g., passwords, credit card numbers).
-
Data Collected:
- Files are scanned for sensitive data (e.g., passwords, credit card numbers, Social Security numbers).
- Passwords: The actual password is displayed to help identify false positives.
- Credit Card Numbers (CCNs): Masked credit card numbers are collected (e.g., only partial numbers visible) to confirm whether they are valid matches without exposing the full number.
-
Customer Data:
- Authenticated Access Required: The agent only scans files based on the specified configuration.
- Purpose: To help identify, mitigate, or eliminate sensitive data and reduce overall risk.
- Data Handling: Discovered sensitive data is logged as evidence for review by authorized admins. No data is shared outside the platform.
Data Security and Privacy Assurances
- No Data Leakage: All data collection is strictly confined to the scope of the scans initiated by the customer. Cyrisma does not access or retain customer data outside what is logged during the scan process.
- Controlled Access: Only authorized users (e.g., admins) can view scan results and sensitive data.
- Goal: To identify risks and assist in securing or eliminating sensitive data to minimize overall exposure.
If you have further questions about the scanning process or data collection, feel free to contact Cyrisma Support. We’re happy to provide additional details or address any concerns.