What Is the Impact Questionnaire?
When editing a company profile or reviewing the Auto Inherent Risk tab under Portfolio Management, eight impact questions are asked to assess the relationship with each third party in a user’s portfolio. Accurate answers to these questions are necessary to adequately determine the inherent risk each company poses and provide feedback on which ones are most likely to need assessments.
After the third party completes their assessment, the answers to their cybersecurity controls are mapped back to each of the eight impact questions to determine the residual risk that remains after those companies have mitigated the threats that may be passed on to their customers. The improvement shown in the difference between inherent and residual risk is a general overview of a third party’s cybersecurity posture. Companies that fail to mitigate risk, especially if they started out high due to significant engagement, deserve scrutiny.
How Do I Answer the Impact Questionnaire?
The impact questions model the topic areas listed below and are broadly worded to better enable customers to capture third-party relationships from their own unique perspectives, which can vary significantly across industries.
Each of the eight impact questions captures four degrees of engagement: Least, Minimal, Moderate, and Significant. CyberGRX recommends that customers interpret these questions in a way that makes sense according to their own needs and institutional experience. Furthermore, no single wording is ideally suited for diverse organizations possessing a variety of priorities such as Finance, Energy, Transportation, Engineering, and Software. When considering how to answer the eight impact questions, use the following examples as a lens with which to explore your own third-party relationship:
- Downtime: How important is continuous access to the company’s application(s)? Would several hours of nonavailability be a nuisance or a major disruption?
- Integration: Do the company’s applications require sophisticated coupling with custom APIs or legacy interfaces that would be difficult to simplify or modernize?
- History and Expertise: Does the third party have a long-running relationship resulting in many custom requirements or business rules being built into the applications?
- Customization: Have applications been customized to a degree that other off-the-shelf replacements would not be suitable?
- Deployment: Is application versioning and distribution across company resources (laptops, desktops, mobile devices) a major consideration? If web-based, is legacy support of older browsers, plugins, or web services an ongoing issue?
- Administration: Do the third party’s applications require elevated privileges to function or be maintained? Can the third party remotely affect the operation of the application at any time?
- Development: Is the software development process a joint venture with shared code repositories, collaborative teaming arrangements, etc., or is it completely separate from your own development process?
- Support: Does the third party provide a core function that is aligned with the overall goal of the business itself?
- Significance: What role and importance does the third party play?
  - Operational processes with day-to-day influence on profitability and execution?
  - Management roles that oversee operations, people, or processes with short- to mid-term goals impacting efficiency or quality?
  - Governance rules that help ensure compliance or regulatory goals over longer terms?
- Disruption: What happens if the third-party involvement is impacted in some serious fashion? Are they easily replaceable or uniquely qualified?
- Supply Chain: Is the third party integral to the supply chain in ways not easily tied to other scoped asset questions such as energy or transportation?
- Sensitivity: Does the third party handle sensitive data that would negatively affect the business if destroyed or compromised? Consider Personally Identifiable Information (PII), data covered by regulatory frameworks, proprietary information, effects on reputation, costs to redress (e.g., fines, credit monitoring), denial-of-service (DoS), etc.
- Access: To what degree does the third party have visibility of affected data? Consider:
  - Is data encrypted, leaving the third party with only hosting responsibilities?
  - Do they also provide backup services for the affected data?
  - How high up the value chain is the data service? Is it a platform, a database hosting capability, or a completely managed service offering with administration?
- Availability: Does the type of data create limitations regarding timeliness, redundancy, the amount of material or items passing through a system or process (throughput), delays (latency), or other availability criteria that deserve special consideration?
- Coverage: What is the coverage footprint in how many devices the company manages or accesses? Is it limited to a single class of hardware (e.g., printers) or something broader (all employees’ laptops and mobile phones)?
- Administration: Does the third party have elevated day-to-day rights and privileges to devices, or do they have limited access once deployed? Could a malicious actor exploit the third party’s access to compromise devices, install malware, gather information, or move laterally within an organization?
- Criticality: Do the devices supported by the third party provide critical medical or industrial functions with catastrophic failure modes?
- Disruption: Would disruption or denial-of-service via this third party’s devices cause significant impact to business operations?
- Coverage: How broadly does the third party issue, manage, or maintain digital credentials, directory services, logins, Public Key Infrastructure (PKI) materials, certificates, allow-lists, deny-lists, revocation lists, etc.? Consider credentials issued to users, servers, and any other device that must authenticate across corporate and/or cloud infrastructure.
- Disruption: How significantly could business operations be affected if digital identities and/or authentication processes were negatively affected?
  - Loss of access to company portals by partners, clients, users, buyers, etc.? Consider Single Sign-On (SSO) providers.
  - General loss of access across all company employees?
  - Limited loss of access among specific departments such as procurement, HR, or helpdesk?
- Privacy: Does the company utilize biometrics, document vetting, or other identity services that, if compromised, could cause additional disruption?
- Access: Does the third party require access to sensitive, private, or controlled areas in the company where any kind of access disruption (e.g., lack of approval, clearances, escort availability, supervision) would have an impact on business operations?
- Frequency: Is it necessary for the third party to frequently access company facilities or is it uncommon and/or scheduled in advance?
- On-Prem/In-House deployments: Does the third party host some capability on your own premises that requires special consideration?
- Reciprocity/Sharing: Is access to the third party’s facilities just as important as their access to yours? Would disruption of access to their facilities, buildings, sites or co-located operations negatively affect operations as well?
- Access and Control: Determine if the third party merely requires access to networking infrastructure or is actively managing or providing some fundamental networking capability. Companies that provide data or application services are invariably going to have network dependencies and may be best assessed through those two lenses. But companies that provide VPN services, general Internet connectivity, cloud hosting, or Storage Area Networks (SANs) will need to factor in a more significant Network dependency. Any company performing Deep Packet Inspection of traffic, intrusion detection, etc., should probably receive a Significant rating.
- Disruption: If the company provides (or is highly dependent upon) connectivity with employees, users, partners, suppliers, data centers, or other remote resources, consider what would happen if throughput or latency issues were to surface due to equipment failure or connectivity problems.
- Distributed Workforce: Does the third party enable Work-From-Home or other remote engagements that grew in importance during COVID-19? Consider scalability, connectivity, and security when networking.
- Specialized Training: Consider any specialized skills, training, education, experience, clearances, and history that a third party’s staff brings to the organization and the difficulty in finding alternatives.
- Engagement: Does the relationship require close and continuing contact with your own organization’s staff? Include sharing of applications, physical access to hardware, helpdesk and human resources functions. Consider inadvertent sharing of information or even social engineering attack vectors that can only occur between people.
- On-site availability disruption: Is this third party used in a manner that can be impacted by airline or hotel availability, travel restrictions, COVID testing, or other impediments? Consider situations where sensitive information or systems are involved and remote activities are not permitted.