We're a third party, too!
That's right...we're a third party to thousands of organizations just like yours, and we hold ourselves to the same rigorous security standards to which we hold the third parties that have assessments on our Exchange.
We want to provide transparency into the safeguards that have been implemented to protect CyberGRX’s application and our customers’ data. This is a summary, intended to address the most common questions that we receive from external stakeholders who are interested in the maturity and effectiveness of our security program.
Q: Does CyberGRX have a team that is dedicated and responsible for the protection of customer data?
Yes. The CyberGRX Security Operations (SecOps) Team is tasked with the implementation of a comprehensive and effective risk management program that covers both our enterprise corporate environment and the CyberGRX platform environment.
Q: Does CyberGRX have a dedicated security officer?
Yes. CyberGRX has an assigned and dedicated Chief Information Security Officer (CISO) who is responsible for the CyberGRX security program and the management of the SecOps Team.
Q: Is the CyberGRX security program based on industry-standard security best practices and control frameworks?
Yes. The CyberGRX security program leverages concepts and security and privacy controls from a number of global standards such as the NIST Special Publication 800 series, ISO 27001/2, OWASP, GDPR, CCPA, HIPAA, etc.
Q: Has CyberGRX developed a security policy framework?
Yes. CyberGRX has developed, and continually refines, a library of security policies, standards, and plans. These documents are accessible by all CyberGRX staff and cover standard security domains such as identity and access management, configuration and change management, personnel security, and incident response. Policies and plans are approved by the CyberGRX Chief Executive Officer (CEO) and standards are approved by the CISO.
Q: What are the core elements of the CyberGRX security program?
CyberGRX’s security program is based on an understanding of our assets, our assets' criticality to both us and our customers, the internal and external threats to those assets, and the effectiveness of our controls in response to those threats. We utilize a risk-based approach in which strategic planning and the prioritization of corrective actions are based on a qualitative and quantitative understanding of the risks that impact our organization and our customers.
Q: Has the implementation and effectiveness of CyberGRX’s security program been assessed or audited by an independent third party?
Yes. The CyberGRX platform undergoes penetration testing on an annual basis at a minimum. The tests are conducted by an independent security contractor. In addition, the results of our CyberGRX Tier 1 assessment on the CyberGRX platform are validated by Deloitte.
Q: What type of internal security risk or vulnerability assessments does CyberGRX perform?
CyberGRX uses multiple methods and techniques to evaluate our environments for security weaknesses or vulnerabilities. These methods include, but are not limited to:
- Automated, scheduled vulnerability scanning of operating systems, firmware, middleware, etc.
- Static and dynamic scanning of code repositories
- Security-focused systems testing as part of the CyberGRX platform’s system development lifecycle (SDLC)
- Manual audits/tests of security control implementation and effectiveness
- Security-focused interviews with CyberGRX teams and individual personnel
- Annual, at minimum, independent penetration testing
- Ongoing updates of the CyberGRX Tier 1 assessment, including evidence validation by Deloitte and KPMG