Risk Navigator provides the predictive and attested CyberGRX assessment results in addition to mapping this data to industry-accepted frameworks, threat profiles, and MITRE ATT&CK scenarios. It supports your organization in evaluating a company's risk through a "lens" that is meaningful to your business and its needs.
Table of Contents
- Risk Navigator data and changes to the platform
- How to use this feature when mapping to a third party's assessment
- How to use this feature when mapping to your own company's assessment
- How to interpret the framework control score
- How are the framework control scores calculated
- How the finding severity is calculated
- How the maximum impact is calculated & how to use it
Risk Navigator data and changes to the platform
Risk Navigator combines the data previously found in various features across Company Profile Pages into one table and Excel download that supports attested and predictive mappings to the CyberGRX assessment frameworks, Standard Frameworks, Threat Profiles, and Industry frameworks.
To view the equivalent of the assessment results data that was previously found in the Coverage/Effectiveness Scores table, map to the 'CyberGRX Assessment_CGRX Grps_Jan24' framework. It includes data at the sub-control level only, since that is the level of granularity required to perform framework mappings.
Although we provide the validation results for every framework mapping, to home in on the controls we requested for validation, we recommend mapping to the 'CyberGRX 60 Critical Controls_CGRX Grps_Jan24' framework, which consists only of those controls.
This is where you can now find the equivalent data:
Data Point | After Risk Navigator Release | Before Risk Navigator Release |
Assessment Control Scores | | |
Findings | | |
MITRE ATT&CK Scenarios | | |
Validation Status | | |
Conflicting Responses (Auto Validations) | | |
Assessment results Excel download | | |
Assessment PDF Results | | |
Key Findings | | |
How to Use - Mapping to a Third Party's Assessment
- Navigate to a third party's company profile page and select the Risk Profile tab to access the Risk Navigator.
- From the drop-down, select a framework to map to. You may also search by keyword in this space. It is organized by the available mapping groups (i.e. Frameworks, Industry standards, Threat Profiles, etc.).
Note: By default, it will automatically map to the CyberGRX assessment framework organized by the existing groups found in our current assessment model. If you are interested in viewing the results through the lens of the new CyberGRX assessment questionnaire model expected to be released in Q3 2024, the recommended framework is CyberGRX Assessment_Risk Domains.
- How do I choose to map to predictive or attested assessment data?
- By default, if the company does not have a completed and available Tier 1, Tier 2 validated, or Tier 2 assessment, you can only map to their predictive assessment. It will automatically check the 'Predictive Data Only' box.
- If the company does have a completed and available Tier 1, Tier 2 validated, or Tier 2 assessment, then by default, it will map to the available tier.
- If you want to map to predictive data instead, select the 'Predictive Data Only' box.
- Risk Navigator is not available if you do not have either a predictive or an attested assessment available to map to.
- Once you have selected a framework, the table will populate with the mapping results.
- You may also download the data:
- Select the 'Download File' button, and it will download an Excel file onto your device containing the mapping contents. The Excel file contains the framework control data, the corresponding mapped CyberGRX controls data, and a list of helpful definitions for the terms and data found throughout.
- Select the 'Export' button, and it will download a CSV file onto your device containing the mapping contents.
- Note: If only a Tier 3 attested assessment is available, the data is provided through a file download.
Note: Click through to the MITRE ATT&CK article for more information on utilizing the Framework Mapper tool to review your security controls and gain visibility into gaps.
How to Use - Mapping to your own company's assessment
Upon sharing your CyberGRX assessment in response to a customer's request for a questionnaire, the Risk Navigator allows the recipient to translate the CGRX assessment into several industry frameworks such as GDPR, CCPA, NIST 800/CSF, HIPAA, etc. This means customers are more likely to accept an assessment that conveniently fits the frameworks they are accustomed to. Customers are also able to map to your predictive assessment at any time.
- Navigate to the Risk Profile tab of your Company Profile Page by selecting your initials in the top right corner of the platform, then selecting 'Manage my company profile'.
Note: You may also navigate to this page from within the Results tab of the Assessment Dashboard through the provided link.
- From the drop-down, select a framework to map to. You may also search by keyword in this space. It is organized by the available mapping groups (i.e. Frameworks, Industry standards, Threat Profiles, etc.).
Note: By default, it will automatically map to the CyberGRX assessment framework organized by the existing groups found in our current assessment model. If you are interested in viewing the results through the lens of the new CyberGRX assessment questionnaire model expected to be released in Q3 2024, the recommended framework is CyberGRX Assessment_Risk Domains.
- How do I choose to map to predictive or attested assessment data?
- By default, if the company does not have a completed and available Tier 1, Tier 2 validated, or Tier 2 assessment, you can only map to their predictive assessment. It will automatically check the 'Predictive Data Only' box.
- If the company does have a completed and available Tier 1, Tier 2 validated, or Tier 2 assessment, then by default, it will map to the available tier.
- If you want to map to predictive data instead, select the 'Predictive Data Only' box.
- Risk Navigator is not available if you do not have either a predictive or an attested assessment available to map to.
- Once you have selected a framework, the table will populate with the mapping results.
- You may also download the data:
- Select the 'Download File' button, and it will download an Excel file onto your device containing the mapping contents. The Excel file contains the framework control data, the corresponding mapped CyberGRX controls data, and a list of helpful definitions for the terms and data found throughout.
- Select the 'Export' button, and it will download a CSV file onto your device containing the mapping contents.
- Note: If only a Tier 3 attested assessment is available, the data is provided through a file download.
Note: Click through to the MITRE ATT&CK article for more information on utilizing the Framework Mapper tool to review your security controls and gain visibility into gaps.
How do I interpret a framework control score?
A ranking system is applied to all framework control scores found in Risk Navigator in order to contextualize the score. The score ranking system is as follows:
Score Interpretation | Table Icon | Framework Control Score Ranges | Description of Framework Control Score Rating |
Very Poor | | 0 to 49 | Very Poor indicates minimal coverage and substantial risk. |
Poor | | 50 to 69 | Poor indicates some coverage and significant risk. |
Fair | | 70 to 79 | Fair indicates moderate coverage and risk. |
Good | | 80 to 89 | Good indicates significant coverage and limited risk. |
Very Good | | 90 to 100 | Very Good indicates maximum coverage and minimal risk. |
How is the Framework Control Score calculated?
The framework control score is a weighted average of the mapped control scores. Primary controls are weighted more heavily than supporting controls in the calculation. Depending on the mapping, there may be zero, one, or many CyberGRX controls for each framework control. The score is a value between 0% and 100% (high risk to low risk).
The source (attested or predicted) and the answer are the contributing control score factors. The chart below shows the possible scores our analytics algorithm may assign a given control based on the response provided or predicted.
How is the finding severity calculated?
A finding's severity is calculated differently depending on whether the control is a MITRE control, a CyberGRX Critical Control, or neither of these. More information on the specific finding calculation logic can be found here.
Note: ISO is a mapping made available on a case-by-case basis by CyberGRX. To access ISO mapping, you must produce a license or provide an image of "proof of purchase" to your Assessment Coordinator. Once this has been received, we will load the ISO Mapping into your portfolio. If you do not have the certification or accreditation, CyberGRX cannot legally share our mapping.
How is the maximum impact data calculated? How do I use it?
Maximum impact is reported per control and is derived from your company's responses to that particular third party's Impact Questionnaire. Each control is mapped to at least one impact question. Based on the response(s) to the mapped impact question(s), the maximum impact indicates the highest degree of impact on your organization if the given control were lacking appropriate risk mitigation measures. The possible maximum impact values are:
- Significant: The third party manages or provides a critical service, function, or regulated duty for one or more business assets
- Moderate: The third party has routine access to sensitive resources, maintains infrastructure, or provides customized services for one or more business assets
- Minimal: The third party has only limited, ad hoc, or tightly controlled access to one or more business assets
- Least: The third party has little or no access, engagement, or involvement in any business asset
This can be leveraged to gain insight into which control findings are relevant through the lens of your business relationship with a given company. To best isolate the most relevant control findings, it is recommended that you use the filters in the Risk Navigator feature to show only findings with a 'Significant' or 'Moderate' maximum impact. The displayed data set will then include only those control findings for which your company has significant or moderate engagement with the third party.
Here is more information on the Impact Questionnaire and how to answer it.