CyberGRX Risk Assessment Methodology

A dynamic assessment approach that supports enterprises and third parties


CyberGRX assessments were designed with practitioners to modernize and streamline the redundant, inefficient processes that come with shared, static spreadsheets, for both third parties and their upstream partners. Two of the biggest advantages of CyberGRX third-party risk assessments are:

1. CyberGRX assessments collect data in a structured format.

2. CyberGRX provides that data dynamically via an information exchange.

The structured format enables organizations to run analytics across the collected data and derive actionable insights. The dynamic data ensures that ordering customers always have up-to-date visibility into their ecosystem, while third parties spend less time manually completing disparate spreadsheets and instead complete one assessment that can be shared with many.

CyberGRX assessments are built on the NIST SP 800-53 Revision 4 and ISO 27001 cybersecurity frameworks and map to many other industry standards. Assessments are provided in three tiers, covering low-, medium-, and high-risk third parties, with corresponding levels of validation, from self-attestation to on-site evidence review conducted in collaboration with Deloitte.

The assessment features skip-level logic and delegation features, so third parties are only asked relevant questions and can delegate questions to the appropriate departments for greater accuracy. Meanwhile, customers awaiting the completion of a third-party assessment can easily track progress on the CyberGRX dashboard.

Highlights


  • Structured & dynamic data for analytics
  • Ongoing & up-to-date visibility via the Exchange
  • Tiered assessment & validation levels
  • Skip-level logic & delegation features
  • Built on NIST, ISO & other common industry frameworks

CyberGRX Assessment Approach


The CyberGRX assessment methodology identifies both inherent and residual risk and uses real-time threat analysis and independent evidence validation to provide customers with a holistic view of third-party cyber risk posture.

Inherent risks are those that exist before the implementation and effectiveness of cybersecurity controls are evaluated; they are often driven by the industry most closely related to the party being assessed. Residual risks are the cyber risks that remain after taking into account the controls an organization has implemented to address its inherent risks. Considering both matters: inherent risk tells an organization how to tailor its cybersecurity program, and residual risk tells it how well that program is working and where to monitor and improve.

What A CyberGRX Assessment Includes


CyberGRX assessments apply a dynamic and comprehensive approach to risk assessment analysis, replacing outdated static spreadsheets as well as the need to repetitively complete or request assessments each year.

Our assessments combine advanced analytics, threat intelligence and risk models based on known breach kill chains with the vendor's responses, to provide an in-depth view of how a vendor's security controls will hold up against potential threats.

The assessments feature five control groups (Strategic, Operations, Core, Management and GDPR) that include controls and sub-controls based on frameworks including FFIEC, ISO 27001, NIST 800-53, NIST 800-171, NY-DFS, PCI DSS and SOC. Since the assessment data lives on the CyberGRX Exchange, third parties only have to complete it once and then update the information as they implement new security measures or practices.

How Are CyberGRX Assessments Different?


Assessment Tiers & Validation Levels

Tier 1:

Tier 1 assessments are typically ordered on your riskiest vendors that create significant business exposure from both a high likelihood and high impact perspective.

You may wish to categorize a vendor as high-risk if they have access to Personally Identifiable Information (PII) or if they provide mission-critical products or services.

Tier 2:

Tier 2 assessments are generally ordered on vendors that pose a significant amount of risk but are not your riskiest. Significant risk may apply to vendors who have access to your internal networks or customer data.

Tier 2 assessments are a great place to start. They provide an in-depth analysis of vendor controls while introducing a human into the loop for remote validation or rules-based validation.

Tier 3:

Tier 3 assessments are ordered on those vendors which pose the lowest risk to your organization.

A vendor may be categorized as low risk if there is no interconnection between their network and yours or if they have no access to sensitive data.
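The three tier criteria above can be read as a small decision rule, and the ordering of the rules matters: a vendor that handles customer data but has no network interconnection meets neither the Tier 1 nor the Tier 3 description and therefore lands in Tier 2. The following is an added example written for this page, not CyberGRX code. The vendor attribute names, the constructed sample portfolio and the choice to resolve any overlap toward the stricter tier are assumptions of the example, not statements from the data sheet.

```python
"""Vendor tiering rules from the data sheet, encoded as an ordered rule set.

Added illustration for this page; not CyberGRX's own logic. Attribute names
and the "stricter tier wins on overlap" policy are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class VendorProfile:
    name: str
    handles_pii: bool = False               # access to Personally Identifiable Information
    mission_critical: bool = False          # provides mission-critical products or services
    internal_network_access: bool = False   # has access to your internal networks
    customer_data_access: bool = False      # has access to your customer data
    network_interconnection: bool = False   # any link between their network and yours


def assign_tier(v: VendorProfile) -> int:
    """Return 1 (highest scrutiny) through 3 (lowest) for a vendor profile.

    Rules are evaluated strictest first, so a vendor matching several
    descriptions always receives the most demanding assessment tier.
    """
    # Tier 1: high likelihood and high impact, indicated by PII access or
    # mission-critical products/services.
    if v.handles_pii or v.mission_critical:
        return 1
    # Tier 3: only when there is no interconnection AND no sensitive data.
    sensitive_data = v.customer_data_access or v.handles_pii
    connected = v.network_interconnection or v.internal_network_access
    if not connected and not sensitive_data:
        return 3
    # Tier 2: significant risk (internal network or customer data access)
    # but not the riskiest. Also the fallback for any overlap the two rules
    # above did not settle (assumption: default to the stricter side).
    return 2


def tier_rationale(v: VendorProfile) -> list[str]:
    """Human-readable reasons, useful when reviewing why a tier was chosen."""
    reasons = []
    if v.handles_pii:
        reasons.append("handles PII")
    if v.mission_critical:
        reasons.append("mission-critical service")
    if v.internal_network_access:
        reasons.append("internal network access")
    if v.customer_data_access:
        reasons.append("customer data access")
    if v.network_interconnection:
        reasons.append("network interconnection")
    return reasons or ["no interconnection and no sensitive data"]


def tier_portfolio(vendors: list[VendorProfile]) -> dict[str, int]:
    """Map each vendor name to its tier, checking names are unique first."""
    names = [v.name for v in vendors]
    if len(set(names)) != len(names):
        raise ValueError("duplicate vendor names in portfolio")
    return {v.name: assign_tier(v) for v in vendors}


def tier_counts(vendors: list[VendorProfile]) -> dict[int, int]:
    """How many vendors fall into each tier; handy for budgeting assessments."""
    counts = {1: 0, 2: 0, 3: 0}
    for tier in tier_portfolio(vendors).values():
        counts[tier] += 1
    return counts


# Constructed sample portfolio (not real vendors).
SAMPLE_PORTFOLIO = [
    VendorProfile("payroll-saas", handles_pii=True),
    VendorProfile("core-banking-host", mission_critical=True, internal_network_access=True),
    VendorProfile("crm-analytics", customer_data_access=True),          # data but no link
    VendorProfile("managed-vpn", internal_network_access=True),         # link but no data
    VendorProfile("office-catering"),                                   # neither
]

if __name__ == "__main__":
    for vendor in SAMPLE_PORTFOLIO:
        print(f"{vendor.name:20s} Tier {assign_tier(vendor)}  ({', '.join(tier_rationale(vendor))})")
    print(tier_counts(SAMPLE_PORTFOLIO))
```

The "crm-analytics" case is the one worth checking when you build your own rules: it has no interconnection, so a rule set that tests the Tier 3 description before the sensitive-data check would under-scope the assessment.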


How The CyberGRX Assessment Process Works


The CyberGRX assessment process was designed to help both ordering enterprises and their third parties. Our global risk exchange and dynamic data approach ensures that ordering customers have an up-to-date view of their third-party portfolio and that third parties spend less time filling in redundant spreadsheets.

The following workflow summarizes the CyberGRX third-party risk assessment process.

1. Onboard

Step 1: Customer adds third parties to the CyberGRX platform

Step 2: Customer completes third-party profiles

Step 3: Customer receives immediate insights on potential risk and business exposure

Step 4: Customer orders appropriate assessment levels on their third parties

Step 5: If the third party is already on the Exchange, they authorize access within a few hours. Otherwise, CyberGRX onboards the third party to the Exchange

2. Assess

Step 1: Third party answers questions related to their business structure and previous cyber incidents

Step 2: Third party assigns delegates to help answer cybersecurity control questions

Step 3: Third party answers assessment questions and submits the completed assessment

3. Validate

Step 1: CyberGRX conducts remote validation and works with Deloitte to conduct on-site evidence validation as requested

Step 2: CyberGRX finalizes validation analysis and produces a draft assessment

4. Comment

Step 1: Third party and CyberGRX review the draft assessment results

Step 2: Third party adds comments, if necessary

Step 3: Cyber risk assessment results are finalized

5. Share

Step 1: Customers request access to third-party assessment results

Step 2: Third party authorizes requests and shares with as many upstream partners as they choose


Read our Pinnacol Assurance case study to see how CyberGRX transformed their third-party program