Control Dependency Analysis
Cybersecurity assessments often produce large amounts of data related to multiple, and often quite disparate, security domains. It is easy for risk analysts to overlook interdependencies between security controls when evaluating such large datasets. CyberGRX has developed a set of dependency analytics rules that are run against all Tier 2 and Tier 1 assessments. The purpose of this form of analysis is to identify when the effectiveness or existence of one control is likely to negatively impact the effectiveness of another.
The image below illustrates this concept using a simple example:
In the first row of the image, we see that a Third Party has implemented asset management, which significantly supports an effective patching program.
The lower row of the image illustrates a more concerning situation, where the Third Party has indicated that they have a patch management program but not an asset management program. This is concerning because you cannot know that you have effectively patched all of your systems if you don’t know what or where they all are.
The CyberGRX platform performs this analysis automatically, using over 90 analytics rules covering a wide variety of control dependencies. This analytics function allows your risk analysts to spend their valuable time focusing on how to use these insights to make risk-based decisions.