Remote validation is an independent review process carried out by CyberGRX teams to evaluate the accuracy of a Third Party's questionnaire answers. Validation provides CyberGRX Customers with confidence in the results of completed assessments, gives Customers an additional data point with which to analyze assessments, and may satisfy certain regulatory requirements.
Validation is conducted on all Tier 1 (T1) assessments and Tier 2 Remote (T2R) assessments. All validation activities are completed by the CyberGRX Assessment Operations Team or a validation partner organization.
The following is a high-level summary of the steps users must complete during the assessment and validation phase.
- Review list of Critical Controls located in the following:
- Upload evidence documents to validate Critical Controls implemented
- Submit final questionnaire along with all uploaded documents for CyberGRX to review
- CyberGRX evaluates this evidence to determine whether or not it adequately substantiates the answers provided in the Assessment
- Receive feedback from CyberGRX on whether additional evidence is needed to validate any outstanding controls
- Upload additional documents requested and submit them
- Receive CyberGRX findings and final results of validation process
Documents uploaded during the assessment process are securely stored on the CyberGRX Platform. More details on the security of our storage solution can be found here.
Review Critical Controls - Validation Tab
CyberGRX has identified 60 critical controls that describe safeguards to prevent today’s most pervasive and dangerous cyber-attacks. This list of critical controls is reviewed and updated annually by CyberGRX security professionals. Third Parties will not be asked to provide evidence for controls that they indicated are not implemented or not applicable.
Users can review the complete list of Critical Controls by navigating to the Validation Tab on their Assessment Dashboard. Selecting a specific control within this list will present guidance on the types of documents most likely to validate that control, and where you may be able to locate that information.
The toggle provides users better visibility into which critical controls would need documents uploaded for validation.
- Unanswered critical controls will display as white boxes
- Critical controls answered “yes” will display as white boxes.
- Critical controls answered “no”, “N/A” or Skipped (i.e. a 'parent' question was answered “no” or “N/A”) will be filtered out of the list displayed.
Review Critical Controls - In Questionnaire
Users can access the same details for a specific control by clicking on the "View Validation Information" link at the top of every Q&A page in the questionnaire flow.
Review Critical Controls - Evidence Request Sheet Download
The Evidence Request Sheet can be found immediately above the Document Upload Widget. This Excel download provides an off-platform catalogue of the critical controls, as well as example evidence documents for each. This download will update based on the user's progress through the validation workflow:
- Pre Questionnaire Submit: All critical controls will be listed
- Post Questionnaire Submit / Round 1 Review: All critical controls qualified for review will be listed (i.e. all critical controls answered 'yes')
- Round 2 Review: All critical controls qualified for review that were not sufficiently substantiated in Round 1 Review will be listed.
Users can upload documents on the Validation Tab or the Q&A page by clicking on or dragging to the "Upload Validation Documentation" component on that page. Document types accepted include: PDF, PNG, JPEG.
Users retain complete control over their documents and what is added, removed or stored on the CyberGRX platform.
Once a document is uploaded, users can see when it was uploaded, view the document itself, or delete it from the CyberGRX platform.
Submit Questionnaire and Documents
Users can submit their questionnaire from the Review page after all questions have been answered. Uploading documents is not required to submit the questionnaire, but submitting without them will slow down the validation process and may result in a delay of delivery to your requesting customer.
You will have the ability to continue uploading documents after you have submitted your assessment. Once you have finished uploading all documents for each requested critical control, select the 'submit documents' button to inform our Assessment Operations team to begin validation. Your assessment must be submitted before you can submit documents. Once under review, the upload mechanism in your account will be enabled but the 'submit documents' button will be disabled until the validation round is completed. The round number associated with the uploaded documents indicates the evidence validation round during which these documents were evaluated.
When the initial review is completed, you will receive an email notification informing you of its completion. The Evidence Request Sheet will list feedback from the Assessment Ops team on which controls they were unable to validate based on the documents previously uploaded, along with what else you may need to provide to substantiate those remaining controls. The updated Evidence Request Sheet can be downloaded for review from within the platform. Following the completion of the validation round, the submit documents mechanism in your account will be re-enabled and you can upload any additional documents as appropriate.
After the second round of documents is submitted through the 'submit documents' button, the Assessment Ops team will review them and use them to validate any remaining controls. At the end of this review round, the findings of the validation process will be released along with the final version of your CyberGRX Report. These findings can be viewed in the "Results" tab in your Assessment Dashboard.
Note: You can continue to upload and store relevant documents in your CyberGRX account after the validation process is completed.