CyberGRX Security FAQs

The purpose of this page is to provide transparency into the safeguards that have been implemented to protect CyberGRX’s application and our customers’ data. This is a summary, intended to address the most common questions that we receive from external stakeholders who are interested in the maturity and effectiveness of our security program. For more detailed information you may wish to request a copy of our completed, validated assessment via the CyberGRX platform.

Q: Does CyberGRX have a team that is dedicated and responsible for the protection of customer data?
Yes. The CyberGRX Security Operations (SecOps) Team is tasked with the implementation of a comprehensive and effective risk management program that covers both our enterprise corporate environment and the CyberGRX platform environment.

Q: Does CyberGRX have a dedicated security officer?
Yes. CyberGRX has an assigned and dedicated Chief Information Security Officer (CISO) who is responsible for the CyberGRX security program and the management of the SecOps Team.

Q: Is the CyberGRX security program based on industry-standard security best practices and control frameworks?
Yes. The CyberGRX security program draws its concepts and its security and privacy controls from a number of global standards and regulations, including the NIST Special Publication 800 series, ISO/IEC 27001 and 27002, OWASP guidance, the GDPR, and the CCPA.

Q: Has CyberGRX developed a security policy framework?
Yes. CyberGRX has developed, and continually refines, a library of security policies, standards, and plans. These documents are accessible by all CyberGRX staff and cover standard security domains such as: identity and access management, configuration and change management, personnel security, and incident response. Policies and plans are approved by the CyberGRX Chief Executive Officer (CEO) and standards are approved by the CISO.

Q: What are the core elements of the CyberGRX security program?
CyberGRX’s security program is based on an understanding of our assets, their criticality to both CyberGRX and our customers, the internal and external threats to those assets, and the effectiveness of our controls against those threats. We use a risk-based approach in which strategic planning and the prioritization of corrective actions are based on a qualitative and quantitative understanding of the risks that affect our organization and our customers.

Q: Has the implementation and effectiveness of CyberGRX’s security program been assessed or audited by an independent third party?
Yes. The CyberGRX platform undergoes penetration testing on an annual basis at minimum. The tests are conducted by an independent security contractor. In addition, the results of our CyberGRX Tier 1 assessment on the CyberGRX platform are validated by Deloitte.

Q: What type of internal security risk or vulnerability assessments does CyberGRX perform?
CyberGRX uses multiple methods and techniques to evaluate our environments for security weaknesses or vulnerabilities. These methods include, but are not limited to:

  • automated, scheduled vulnerability scanning of operating systems, firmware, middleware, etc.,
  • static and dynamic scanning of code repositories,
  • security-focused systems testing as part of the CyberGRX platform’s system development lifecycle (SDLC),
  • manual audits/tests of security control implementation and effectiveness,
  • security-focused interviews with CyberGRX teams and individual personnel,
  • annual, at minimum, independent penetration testing, and
  • ongoing updates of the CyberGRX Tier 1 assessment, including evidence validation by Deloitte.

Q: Are CyberGRX employees subject to a background screening prior to being provided access to any customer data?
Yes. All employees must successfully pass a background check before finalizing the job offer and onboarding process. New hires are not given access to any CyberGRX systems or data until the background screening process is complete.

Q: Has CyberGRX implemented a security awareness and training program?
Yes. CyberGRX leverages an industry-standard tool to plan, develop, execute, and track security-focused training. All new hires are required to complete training within five days of onboarding. All employees are required to complete quarterly security training. In addition, employees may be asked to complete unscheduled training based on the outcome of internal testing (e.g. phishing campaigns) or violations of security policy.

Q: Does CyberGRX process, transmit, or store any customers’ personally identifiable information (PII)?
Yes, but only business contact information. Specifically, we collect an individual’s name, business email address, and business phone number.

Q: What physical security controls has CyberGRX put in place to protect customer data?
The CyberGRX Exchange platform is hosted by Amazon Web Services (AWS) in U.S. datacenters. All physical security controls directly associated with the platform are inherited from AWS. For more information about AWS’s physical security program please visit: https://aws.amazon.com/compliance/data-center/controls/. CyberGRX headquarters is located in Denver, Colorado. This facility is protected by safeguards that include electronic locks, badge readers, CCTV surveillance at all ingress and egress points, access logging and audits, and a centralized fire detection and suppression system.

Q: Has CyberGRX implemented multi-factor authentication (MFA) as a means to access the CyberGRX platform?
Yes. MFA is available to every CyberGRX platform user and is enabled per user account. Once enabled, the user registers an authenticator application of their choice and must supply the one-time passcode (OTP) it generates, in addition to their username and password, each time they authenticate.

Q: How does CyberGRX encrypt data in transit and at rest?
All customer data (name, business email, business phone, assessment answers, etc.) is encrypted in transit using TLS 1.2 or higher. Customer data is encrypted at rest with AES-256.

Q: Does CyberGRX have a policy regarding the use of removable storage media?
Yes. The use of removable media to transmit or store customer data is strictly forbidden by policy. Any exceptions to this policy must be approved by the CISO.

Q: How often does CyberGRX back up customer data, and are data backups ever tested?
CyberGRX performs full, daily backups of the platform’s production database. Backups are tested on a monthly basis, at minimum.

Q: Has CyberGRX defined a recovery time objective (RTO) or recovery point objective (RPO)?
Yes. Our RTO is defined as 48 hours and our RPO is 24 hours.

Q: How does CyberGRX ensure that their application code is free of vulnerabilities or flaws?
CyberGRX’s application follows a defined system development lifecycle (SDLC). All code changes must be approved by a product manager, a peer developer, and a tester before they are deployed to the production environment. As part of the SDLC, every updated code repository is submitted for code vulnerability scanning. Application code is released through a staged deployment process: changes are applied first to the staging environment, where they are tested, then to the demo environment for additional testing, and finally to production. In addition, the running CyberGRX platform is dynamically scanned by our vulnerability scanning solution and is penetration tested on an annual basis, at minimum.

Q: Does CyberGRX have an incident response program in place?
Yes. Our incident response program is documented in the CyberGRX Incident Response Plan and a library of incident playbooks that are focused on response procedures for specific types of incidents. We utilize a suite of industry-standard tools to assist in the identification, verification, containment, analysis, and removal of threats from our computing environments.

Q: Does CyberGRX have an incident notification process in place?
Yes. Per our legal agreements with customers, we are required to notify any potentially affected customers within 24 hours of verifying a security incident.