To find out more about how Evidence Sharing in the Platform works, check out this article.
Q: Who has access to my documents?
A: Only customers you authorize can see your uploaded documents. However, every user of the CyberGRX Exchange can view your Company Profile Page once they add you to their portfolio; you can see who has added you in the Recent Connections widget on your My Company Profile page. The profile page shows all users information such as company metadata (size, revenue, address, URL, etc.), your RiskRecon score, your Recorded Future score, and your Inherent Risk Score. A user who places a request and is authorized to view your assessment data also gains visibility into your company's residual risk scores, including maturity scores, controls coverage scores, validation results (where applicable), and control gaps mapped to the MITRE ATT&CK framework. Only users who have requested an assessment and been authorized to receive it can go on to request access to your documents, and that document request must be authorized separately from the assessment authorization.
Q: In what way can my authorized customers engage with my documents?
A: Customers you have authorized can only view your documents within the CyberGRX platform; they cannot download them or share them outside the platform. Document access expires after 28 days, at which point the customer must re-request access from your organization. You can also edit your authorization response at any time during that 28-day period, which lets you revoke access from a previously approved customer.
Q: Can I select which documents my customer will have access to?
A: No. Every document you have uploaded or stored in the CyberGRX platform is visible to each customer you have authorized to view documents. You can add or delete documents in your CyberGRX account at any time, and the change takes effect on what your customers can see in real time.
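The three answers above describe one access-control model: a profile anyone can see, assessment data gated on an authorization, and documents gated on a second, separate authorization that lapses after 28 days, can be revoked at any time, and always covers the current set of uploaded documents. The following is an added illustration of that model as a small Python state machine. It is not CyberGRX's code; the class and method names (ThirdPartyAccount, DocumentGrant, Visibility), the customer name "acme" and the document names are constructed for the example.

```python
"""Toy model of the two-gate, time-boxed document authorization flow described above.
Illustrative code added for this page; it is NOT CyberGRX's implementation, and the
class, method, customer and document names are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

DOCUMENT_ACCESS_TTL = timedelta(days=28)  # the 28-day window the page states


class Visibility(Enum):
    PROFILE = "profile"        # company metadata and external scores: every Exchange user
    ASSESSMENT = "assessment"  # residual risk, maturity, gaps: authorized requesters only
    DOCUMENTS = "documents"    # uploaded evidence: separate, time-boxed, revocable grant


@dataclass
class DocumentGrant:
    granted_at: datetime
    revoked: bool = False

    def is_active(self, now: datetime) -> bool:
        # A grant dies on revocation or when the 28-day window elapses.
        return not self.revoked and now < self.granted_at + DOCUMENT_ACCESS_TTL


class ThirdPartyAccount:
    """State held for one third party: its documents and per-customer grants."""

    def __init__(self) -> None:
        self.documents: set[str] = set()
        self.assessment_authorized: set[str] = set()
        self.pending_document_requests: set[str] = set()
        self.document_grants: dict[str, DocumentGrant] = {}

    # Documents can be added or removed at any time; the change applies immediately.
    def upload(self, name: str) -> None:
        self.documents.add(name)

    def delete(self, name: str) -> None:
        self.documents.discard(name)

    # Gate 1: assessment access (the page does not describe it as time-boxed).
    def authorize_assessment(self, customer: str) -> None:
        self.assessment_authorized.add(customer)

    # Gate 2: only assessment-authorized customers may request documents,
    # and that request must be approved separately.
    def request_documents(self, customer: str) -> bool:
        if customer not in self.assessment_authorized:
            return False
        self.pending_document_requests.add(customer)
        return True

    def authorize_documents(self, customer: str, now: datetime) -> bool:
        if customer not in self.pending_document_requests:
            return False  # nothing to approve
        self.pending_document_requests.discard(customer)
        self.document_grants[customer] = DocumentGrant(granted_at=now)
        return True

    def revoke_documents(self, customer: str) -> None:
        grant = self.document_grants.get(customer)
        if grant is not None:
            grant.revoked = True

    def visibility(self, customer: str, now: datetime) -> set[Visibility]:
        levels = {Visibility.PROFILE}
        if customer in self.assessment_authorized:
            levels.add(Visibility.ASSESSMENT)
            grant = self.document_grants.get(customer)
            if grant is not None and grant.is_active(now):
                levels.add(Visibility.DOCUMENTS)
        return levels

    def visible_documents(self, customer: str, now: datetime) -> set[str]:
        # View-only: the model exposes names to render in-platform, never a download.
        if Visibility.DOCUMENTS not in self.visibility(customer, now):
            return set()
        return set(self.documents)


def run_scenario() -> dict[str, object]:
    """Walk one constructed customer ("acme") through the lifecycle."""
    acct = ThirdPartyAccount()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    acct.upload("soc2-report.pdf")
    out: dict[str, object] = {}
    out["before_any_auth"] = acct.visibility("acme", t0)
    out["request_without_assessment"] = acct.request_documents("acme")
    acct.authorize_assessment("acme")
    out["approve_without_request"] = acct.authorize_documents("acme", t0)
    acct.request_documents("acme")
    acct.authorize_documents("acme", t0)
    out["day0_docs"] = acct.visible_documents("acme", t0)
    acct.upload("pentest-summary.pdf")
    acct.delete("soc2-report.pdf")
    out["after_edit_docs"] = acct.visible_documents("acme", t0 + timedelta(days=27))
    out["day28_docs"] = acct.visible_documents("acme", t0 + timedelta(days=28))
    acct.request_documents("acme")  # re-request after the grant has expired
    t1 = t0 + timedelta(days=30)
    acct.authorize_documents("acme", t1)
    out["renewed_docs"] = acct.visible_documents("acme", t1)
    acct.revoke_documents("acme")
    out["after_revoke"] = acct.visibility("acme", t1)
    return out


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step}: {result}")
```

The two checks worth noticing are the negative ones: a document request is refused before the assessment authorization exists, and an approval is refused when no request is pending, so neither gate can be skipped. Expiry is evaluated at access time rather than by a background job, which is the simplest way to guarantee that a grant cannot outlive its window.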
Q: Where are my documents stored?
A: Documents are stored in Amazon S3, AWS's object storage service, which provides scalability, data availability, security, and performance. S3 maintains compliance programs, such as PCI-DSS, HIPAA/HITECH, FedRAMP, the EU Data Protection Directive, and FISMA, to help meet regulatory requirements. Learn more about Amazon S3 storage here.
Q: Am I able to purge my documents from the CyberGRX database?
A: Yes. You control your documents at all times, including adding or removing them whenever you choose.
Q: Can CyberGRX access my documents or share my documents with anyone without my authorization?
A: CyberGRX itself also submits requests to view your documents. This access is used primarily by our Assessor Operations team in support of our independent validation process (read more about that here), which reviews the accuracy of the critical controls your organization has implemented, based on your assessment answers. Once validation is complete, CyberGRX does not share or use your uploaded documents for any other purpose.