CyberGRX validated assessments feature two phases: the self-assessment phase (questionnaire) and the validation phase. Validation is conducted on all Tier 1 assessments and Tier 2 Validated assessments. Customers request validated assessments in order to evaluate the accuracy of their Third Party’s self-assessment answers. This evaluation is referred to as the assessment validation process. This guide will cover the following:
Assessment Validation Process
During the self-assessment (questionnaire), a number of controls from the Third Party’s assessment are selected for validation. The standard method for conducting validation is for the Third Party to upload evidence through the CyberGRX Exchange platform or another secure file sharing platform that the Third Party chooses. CyberGRX will also accept viewing of evidence via teleconference, if this is preferred.
The validation process consists of two phases: the initial and follow-up validation phases. In the initial phase, the Third Party is asked to provide evidence for every control listed in the Validation Tab of the Assessment dashboard on the CyberGRX Exchange. CyberGRX assessors will evaluate the evidence provided by the Third Party to determine the degree to which it supports the Third Party’s assessment answers. If needed, the assessor will provide a follow-up Evidence Request Sheet (ERS) that lists any controls which were not validated by the evidence that was initially provided. The Third Party is then asked to provide additional evidence for these remaining controls.
See How Much Time Does Evidence Validation Take? for more information on the ideal validation timeline and deadlines.
PLEASE NOTE: In order to maintain the efficiency of the CyberGRX assessment process, we must limit evidence collection and validation to the two rounds described above. Third Parties are strongly encouraged to contact their CyberGRX Assessment Coordinator if they have any questions or concerns about the evidence that is required for validation. Assessments are only re-validated on an annual basis.
Please see the "Validation In Platform User flow" article for more detailed instruction on how to provide evidence in the CyberGRX Exchange.
Follow-Up Evidence Request Sheet
The CyberGRX Assessor will develop a follow-up Evidence Request Sheet (ERS) if the initial evidence provided by the Third Party does not adequately support all of the Third Party’s affirmative ('Yes, we do this or have this in our environment') assessment answers. The Assessor will remove any controls that were fully validated so that only controls which require additional evidence are included in the follow-up Evidence Request Sheet.
This follow-up Evidence Request Sheet will also include an additional column with comments from the assessor to help guide the Third Party for the final round of evidence upload and review without being prescriptive.
On the “Validation” tab of the Assessment Dashboard, any control that was validated is marked with a ‘V’ icon, indicating that this control was validated in the previous review round, as shown below:
If needed, the ERS is available for download from the validation tab of the Assessment Dashboard:
Evidence Preparation & Guidance for Third Parties
Identifying the appropriate evidence artifacts can be difficult, so we’ve developed this guidance to provide some helpful recommendations, tips, and tricks.
- Be sure that the evidence you provide clearly supports the answers chosen in your assessment.
- Example: If you answered that you encrypt data at rest, a screenshot of a valid SSL certificate is not appropriate evidence, even though it addresses the use of encryption. Instead, consider providing a screenshot from a whole disk encryption solution.
- Consider adding a notation or comment for the CyberGRX Assessor if an explanation is needed to clarify the evidence provided. This can significantly reduce the amount of time it takes to complete the validation process.
- Label provided evidence with the number of the corresponding control(s). This too can significantly reduce the amount of time it will take an Assessor to evaluate the evidence and complete the validation process.
- Remember that verbal evidence alone, without the support of documentation or other evidence artifacts, is not sufficient to validate assessment answers. Verbal evidence includes conversations or interviews with CyberGRX Assessors as well as written explanations submitted as evidence.
- Example: Providing a note that says “We deactivate accounts after 5 unsuccessful login attempts” would not be sufficient evidence to validate subcontrol 126.96.36.199 Account Lockout. Instead, consider sending a screenshot from a group policy that shows the setting for the account lockout threshold.
- Written policies can provide excellent evidence for assessment answers that focus on the existence, development, update, or execution of policy. Policies generally do not provide clear evidence of the actual implementation or effectiveness of technical security controls (e.g. Server Hardening).
- Whenever possible, ensure that the evidence you provide can be attributed to your organization. An isolated snippet from one paragraph of an SOP may support an assessment answer but will likely result in a follow-up request from the CyberGRX Assessor. Instead, consider sending the entire SOP or SOP section that includes your organization’s branding.
- Ensure that provided evidence is clearly associated with the type of asset (e.g. workstations, servers, mobile devices, etc.) that is the focus of your chosen assessment answer.
- Example: If you indicated that you’ve implemented anti-malware tools on desktops and laptops, an isolated screenshot of an anti-malware agent typically will not provide sufficient evidence. This is because there is no way for the Assessor to confirm the type of device on which the anti-malware software has been installed. However, combining the screenshot with a runbook for imaging laptops, for example, can clarify the asset type on which the anti-malware solution has been implemented.
- Previously completed assessment reports or audit reports can be used as evidence, but they must meet the following criteria:
- The assessment must have been conducted by a trusted independent organization
- The assessment must have been conducted within the previous 12 months (or be within its expiry period)
- The scope of the assessment and its relation to the Third Party must be explicitly defined
- The method and results of each tested activity must be clearly documented
- When in doubt, reach out to your CyberGRX Assessment Coordinator. We are here to facilitate the timely and accurate completion of your assessment and are happy to answer your questions or provide clarification as needed.
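As an added illustration of the tips above (not CyberGRX's own code or tooling), the following PowerShell script collects evidence for the two technical cases this guidance uses as examples, the account lockout threshold and disk encryption at rest, and writes each record with the attributes an assessor needs: who collected it, on which host and domain, when, the asset type, and the control it belongs to. The control IDs are placeholders to be replaced with the IDs listed on your Validation tab; the script assumes a domain-joined Windows host with the BitLocker module available and an elevated session.

```powershell
# Added example, not CyberGRX code. Captures the effective setting rather than
# a written claim, and labels every record so it can be attributed to the
# organization, the host and the asset type (see the evidence tips above).
$controlLockout    = 'CONTROL-ID-ACCOUNT-LOCKOUT'   # placeholder, from Validation tab
$controlEncryption = 'CONTROL-ID-DISK-ENCRYPTION'   # placeholder, from Validation tab

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
# Win32_ComputerSystem.PCSystemType: 1 = Desktop, 2 = Mobile (laptop).
# The asset type is recorded so the assessor can tie the setting to a device class.
$assetType = switch ([int]$cs.PCSystemType) {
    1       { 'Desktop' }
    2       { 'Laptop' }
    default { "PCSystemType=$($cs.PCSystemType)" }
}

function New-EvidenceRecord {
    param([string]$Control, [string]$Evidence)
    # One record per control and finding, with the attribution fields first.
    [pscustomobject][ordered]@{
        Control     = $Control
        CollectedAt = (Get-Date).ToString('o')
        CollectedBy = "$env:USERDOMAIN\$env:USERNAME"
        Hostname    = $cs.Name
        Domain      = $cs.Domain
        AssetType   = $assetType
        Evidence    = $Evidence
    }
}

# Account lockout: read the effective local/domain policy line from 'net accounts'.
$lockoutLine = (net accounts) | Where-Object { $_ -match 'Lockout threshold' }
$records = @(New-EvidenceRecord -Control $controlLockout -Evidence ($lockoutLine.Trim()))

# Disk encryption at rest: BitLocker protection state for every volume.
$records += Get-BitLockerVolume | ForEach-Object {
    New-EvidenceRecord -Control $controlEncryption -Evidence (
        "$($_.MountPoint) ProtectionStatus=$($_.ProtectionStatus) " +
        "VolumeStatus=$($_.VolumeStatus) Method=$($_.EncryptionMethod)")
}

# Write one file per control so each upload is already labelled with its control ID.
$records | Group-Object Control | ForEach-Object {
    $path = Join-Path $PWD "$($_.Name)_$($cs.Name).json"
    $_.Group | ConvertTo-Json -Depth 3 | Set-Content -Path $path -Encoding UTF8
    Write-Host "Wrote $path"
}
```

Pair each JSON file with a screenshot of the same setting if your assessor asks for a visual artifact; the file supplies the attribution and asset context that an isolated screenshot lacks.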
Examples of Good Evidence
Evidence Validation FAQ
The following questions and answers have been curated from actual CyberGRX Customer interactions.
Q: What if I want more details on the validation process for a specific assessment?
A: This document provides details on many aspects of the evidence validation process. The validation process is further described as part of the “Assessor Statement” that accompanies each assessment. Contact CyberGRX if you require additional information.
Q: How are the controls selected for validation?
A: The controls selected for validation are chosen based on several criteria including the strength of the Third Party’s control answer, the Third Party’s industry risks, inherent risks, and residual risks. Some controls are selected based on current industry vulnerabilities and interests. Additional controls are selected for validation based on corroborating evidence (outside-in scans and automated rules).
Q: Do I (a Third Party) have to provide evidence for validation?
A: Yes and No. Evidence is required in order to validate Third Party assessment answers; however, the assessor does not have to have evidence 'in-hand' if a web conference is the selected method for validation. The type of evidence is dependent on the sub-control, assessment questions, and the Third Party's chosen answers.
Q: Is evidence validation conducted remotely or onsite?
A: The most efficient validation occurs when Third Parties provide evidence artifacts to CyberGRX Assessors for review offline, via evidence in the platform, Box.com, etc. Live, remote validation sessions, or onsite validation sessions can be accommodated depending on the situation and current pandemic threats.
Q: What happens if I (the Third Party) don’t want to share evidence artifacts with CyberGRX?
A: Third Parties may request live, remote validation sessions via teleconference. These sessions allow the Third Party to display evidence for CyberGRX Assessors to review without having to disseminate any documentation. Sessions will not be recorded and screenshots of evidence will not be taken or stored.
Q: How much evidence will I (the Third Party) have to provide?
A: There is no pre-defined list of evidence that is required for each assessment. The number of evidence artifacts will depend on the Third Party’s willingness to share evidence, the sub-controls selected for validation, the number and disparity of answers chosen by the Third Party for each sub-control, and the type of evidence provided (e.g. a screenshot vs a broad compliance report).
The Assessment Operations team of CyberGRX is made up of security and audit professionals. When they review evidence, every assessor approaches the evidence with two questions:
1) Based on what I am looking at (in reference to the control) do I reasonably believe they have the control covered or in place?
2) If another security professional were looking at the same thing I am, would they come to the same conclusion?
If they can say ‘yes’ to both of these, we validate the control.
Q: How does evidence validation impact assessment results?
A: Remote validation results are available for view in the results tab of the Assessment Dashboard on the CyberGRX Exchange.
Q: What if I (the Third Party) disagree with the validation scores in my assessment report?
A: At the end of every assessment an out-brief meeting is offered to the Third Party by the CyberGRX Assessment Coordinator. Third Parties are encouraged to raise concerns and questions during this meeting or by simply contacting their assigned Assessment Coordinator at any time during the assessment and validation process. Third Parties are also given the opportunity to provide comments that are included for authorized Customers to view in the CyberGRX Exchange Assessment Dashboard.
Q: How much time does evidence validation take?
A: An article on this can be found here.
Q: Can CyberGRX validate evidence if it is submitted in a language other than English?
A: English is the preferred language for validation, but through our global validation partners, we DO have the ability to validate evidence submitted in several other languages (see below list). Please note that non-English validation does not follow our normal SLAs for evidence review (12 days to review initial evidence and 7 days to review follow-up evidence). Moreover, there are rare cases where we cannot in fact support non-English validation due to partner limitations such as conflicts of interest. In those cases, there are two options:
- The Third Party can translate evidence to English and re-submit.
- CyberGRX can work with the Customer to downgrade the assessment from a Tier 2 Validated to a regular Tier 2.