Welcome to Part II of our CyberGRX Security FAQs!
As a third party to our customers, we want you to be confident in the stringent security measures we have in place to protect your data. This is the second half of a summary intended to address the most common questions we receive from external stakeholders who are interested in the maturity and effectiveness of our security program. (You can find Part I here.)
Q: Are CyberGRX employees subject to a background screening prior to being provided access to any customer data?
Yes. All employees must successfully pass a background check before finalizing the job offer and onboarding process. New hires are not given access to any CyberGRX systems or data until the background screening process is complete.
Q: Has CyberGRX implemented a security awareness and training program?
Yes. CyberGRX leverages an industry-standard tool to plan, develop, execute, and track security-focused training. All new hires are required to complete training within five days of onboarding. All employees are required to complete quarterly security training. In addition, employees may be asked to complete unscheduled training based on the outcome of internal testing (e.g. phishing campaigns) or violations of security policy.
Q: Does CyberGRX process, transmit, or store any customers’ personally identifiable information (PII)?
Yes, but this is limited to business contact information only. Specifically, we collect an individual’s name, along with their business email address and business phone number.
Q: Has CyberGRX implemented multi-factor authentication (MFA) as a means to access the CyberGRX platform?
Yes. All CyberGRX users can enable MFA for access to the platform. Users leverage an authenticator application of their choice to provide a one-time passcode (OTP) combined with their username and password for authentication.
Q: How does CyberGRX encrypt data in transit and at rest?
All customer data (name, business email, business phone, assessment answers, etc.) is encrypted in transit using TLS 1.2 or better. Customer data is encrypted at rest using AES-256 encryption.
Q: Does CyberGRX have a policy regarding the use of removable storage media?
Yes. The use of removable media to transmit or store customer data is strictly forbidden by policy. Any exceptions to this policy must be approved by the CISO.
Q: How often does CyberGRX back up customer data, and are data backups ever tested?
CyberGRX performs full, daily backups of the platform’s production database. Backups are tested on a monthly basis, at minimum.
Q: Has CyberGRX defined a recovery time objective (RTO) or recovery point objective (RPO)?
Yes. Our RTO is defined as 48 hours and our RPO is 24 hours.
Q: How does CyberGRX ensure that its application code is free of vulnerabilities or flaws?
CyberGRX’s application follows a defined system development lifecycle (SDLC). All code changes must be approved by a product manager, a peer developer, and a tester before being deployed to the production environment. The SDLC process includes submitting all updated code repositories for code vulnerability scanning. We deploy application code using a staged deployment process: changes are applied first in the staging environment, where they are tested, then in the demo environment for additional testing, and finally in the production environment. In addition, the CyberGRX platform is dynamically scanned by our code vulnerability scanning solution and is penetration tested on an annual basis, at minimum.
Q: Does CyberGRX have an incident response program in place?
Yes. Our incident response program is documented in the CyberGRX Incident Response Plan and a library of incident playbooks that are focused on response procedures for specific types of incidents. We utilize a suite of industry-standard tools to assist in the identification, verification, containment, analysis, and removal of threats from our computing environments.
Q: Does CyberGRX have an incident notification process in place?
Yes. Per our legal agreements with customers, we are required to notify any potentially affected customers within 24 hours of verification of a security incident.