The CyberGRX Assessment is designed to deliver maximum value to our customers and their third parties. Here is an overview of the assessment process.
Customers add third parties to their CyberGRX portfolio with the help of our risk professionals. Immediately, these customers gain insights on potential risk and business exposure through our Predicted Risk Profiles.
A customer requests an assessment from a third party in their portfolio. The request arrives in the form of a registration email inviting the third party to join the CyberGRX Exchange. Upon registering, the third party can immediately begin the questionnaire in the CyberGRX Portal.
The breadth of the CyberGRX Assessment is driven by the level of assurance required by the customer, which falls into one of two categories: NON-VALIDATED or VALIDATED. In either case, third parties must formally attest to the accuracy of their answers. The primary third-party user can add other users from their organization to assist with the assessment exercise.
Note that third parties must complete their CyberGRX assessment at the enterprise level; it cannot be scoped to the requesting customer or any individual business unit, product line, system or division.
For VALIDATED ASSESSMENTS, third parties must provide evidence in addition to completing the questionnaire. To do this, they upload artifacts directly to our secure portal, where our team will review and verify them. Validated controls are selected based on criteria such as answer strength, industry risks, inherent risks and contemporary vulnerabilities. Please see our Evidence Validation Guide for more details.
Third parties have sole ownership over their assessment data. As such, in order for a customer to gain access, the third party must take the formal step of authorizing access. Once this action has been taken, and assuming the questionnaire is fully attested and validation has been completed for that level of assessment, the final report is generated for the customer to view in the CyberGRX Portal.
If additional CyberGRX customers have the same third party in their portfolio, those customers can see that a completed assessment exists - but they would need to send their own authorization request in order to gain access. Third parties can authorize their completed assessment to any and all requesting CyberGRX customers, and they can also freely share it with non-requesting customers of their own. Third parties can also revoke access at any time, to any customer.