Q: Has CyberGRX implemented a security awareness and training program?
Yes. CyberGRX leverages an industry-standard tool to plan, develop, execute, and track security-focused training. All new hires are required to complete training within five days of onboarding. All employees are required to complete quarterly security training. In addition, employees may be asked to complete unscheduled training based on the outcome of internal testing (e.g. phishing campaigns) or violations of security policy.
Q: Does CyberGRX process, transmit, or store any customers’ personally identifiable information (PII)?
Yes, but this is limited to business contact information only. Specifically, we collect an individual’s name, along with their business email address and business phone number.
Q: What physical security controls has CyberGRX put in place to protect customer data?
The CyberGRX Exchange platform is hosted by Amazon Web Services (AWS) in U.S. datacenters. All physical security controls directly associated with the platform are inherited from AWS. For more information about AWS’s physical security program please visit: https://aws.amazon.com/compliance/data-center/controls/. CyberGRX headquarters is located in Denver, Colorado. This facility is protected by safeguards that include electronic locks, badge readers, CCTV surveillance at all ingress and egress points, access logging and audits, and a centralized fire detection and suppression system.
Q: Has CyberGRX implemented multi-factor authentication (MFA) as a means to access the CyberGRX platform?
Yes. All CyberGRX users can enable MFA for access to the platform. Users leverage an authenticator application of their choice to provide a one-time passcode (OTP) combined with their username and password for authentication.
Q: How does CyberGRX encrypt data in transit and at rest?
All customer data (name, business email, business phone, assessment answers, etc.) is encrypted in transit using TLS 1.2 or better. Customer data is encrypted at rest via AES-256 strength encryption.
Q: Does CyberGRX have a policy regarding the use of removable storage media?
Yes. The use of removable media to transmit or store customer data is strictly forbidden by policy. Any exceptions to this policy must be approved by the CISO.
Q: How often does CyberGRX backup customer data, and are data backups ever tested?
CyberGRX performs full, daily backups of the platform’s production database. Backups are tested on a monthly basis, at minimum.
Q: Has CyberGRX defined a recovery time objective (RTO) or recovery point objective (RPO)?
Yes. Our RTO is defined as 48 hours and our RPO is 24 hours.
Q: How does CyberGRX ensure that their application code is free of vulnerabilities or flaws?
CyberGRX’s application follows a defined system development lifecycle (SDLC). All code changes must be approved by a product manager, a peer developer, and a tester before being deployed to the production environment. The SDLC process includes submitting all updated code repositories for code vulnerability scanning. We deploy application code by using a staged deployment process. The changes are applied first in the staging environment, where they are tested, before they are applied to the demo environment for additional testing, and finally on to the production environment. In addition, the CyberGRX platform is dynamically scanned by our code vulnerability scanning solution and is pen tested on an annual basis, at minimum.
Q: Does CyberGRX have an incident response program in place?
Yes. Our incident response program is documented in the CyberGRX Incident Response Plan and a library of incident playbooks that are focused on response procedures for specific types of incidents. We utilize a suite of industry- standard tools to assist in the identification, verification, containment, analysis, and removal of threats from our computing environments.
Q: Does CyberGRX have an incident notification process in place?
Yes. Per our legal agreements with customers we are required to notify any potentially affected customers within 24 hours of verification of a security incident.