The CyberGRX assessment model is built on the concept of an exchange. Our goal is to enable third parties to complete as few assessments as possible to satisfy the needs of their customers. We have found that a single, enterprise-level assessment is sufficient for the vast majority of the organizations we work with.
Organizations consisting of multiple, disparately-secured business units occasionally ask to complete more than one assessment. This comes with some added time and effort on the part of the organization:
- They will need to complete (and annually maintain) an assessment for each business unit.
- Their customers need to identify the correct business unit when placing a request.
- Their customers are charged for each assessment (if they consume services from multiple business units).
To decide if you need to complete multiple assessments, consider this question: Do you implement security controls similarly across your enterprise? (Please note that the use of the word “similar” here is intentional. This allows for business units which, while not 100% similar, have controls that meet the security objectives. A unified solution or centralized deployment/management is not required.)
If the answer is YES, stop here. One assessment should be sufficient.
If the answer is NO, proceed.
- What distinct business units exist within your organization, and how do you refer to these business units? For example, an organization might be organized by geography: “US” “EU”, and “APAC”; or by service: “Insurance”, “Provider Care”, and “Pharmaceutical”.
- Which business units have similar security controls and can be grouped together to reduce the number of assessments required (while being clear to potential customers which assessment they should request)?
The answers to these questions should provide a good start to determining the appropriate organization of your assessment(s) on the CyberGRX exchange. Please contact your Customer Success Manager with questions.