With organizations always working to improve their enterprise's cybersecurity posture, the information captured in ProcessUnity GRX reports, regardless of tier, is at risk of falling behind in relevance over time. This introduces the potential for a Third Party's GRX report to be outdated. To address this, GRX initiates opportunities for Third Parties to refresh the data in their ProcessUnity GRX assessments. These updates are referred to as a "refresh".
Timeline
On a regular cadence, ProcessUnity GRX reaches out to Third Parties asking them to refresh their data. For non-validated assessments, this cadence is 11 months after they attest their questionnaire. For validated assessments, the cadence is 11 months after they complete validation.
- Opening your assessment for updates before 11 months may affect the timing of the next refresh.
- Several factors come into play such as age of validation, questionnaire content version, and time until the next scheduled refresh. Typically, the closer to the refresh date the questionnaire is opened, the more likely it is for the refresh date to be postponed or advanced.
- A GRX Customer may request to advance the refresh date from 11 months up to as soon as 9 months.
- Postponing your refresh is possible but not advised, and will involve notifying your authorized customers.
Kickoff
In the month the refresh is scheduled to begin, we will reach out to the Account Administrator for the Third Party who has logged in most recently with information about the process and refresh completion timeline.
Questionnaire
The refresh questionnaire will be mostly pre-populated with the responses from the previous assessment. Review the previous responses, make updates where applicable, and complete any new content.
- New content can be located by following this guide: How to Locate New and Unanswered Questions
Once finished working on the questionnaire, please submit it via the Submit button on the "Review and Submit" section.
Validation
Validated assessments (Tier 1 and Tier 2 Validated) are fully re-validated during refresh. A maximum of 60 controls will be selected for validation, possibly including controls that were validated by ProcessUnity GRX prior.
- Full annual validations are the industry standard, which is why there may be overlap with controls being re-validated.
- Please note that past validation results will be unavailable while a GRX Third Party is undergoing refresh validation.
For detailed information about the timeline, process, and recommended evidences for validation, please view our ProcessUnity GRX Evidence Validation Guide.
Completion
For non-validated assessments, once the Third Party submits their refresh questionnaire, the next refresh will be schedule for 11 months after that date. For validated assessments, the third party must first complete validation, and once the assessor attests, the next refresh will be scheduled for 11 months after that date.
Communications
Due to confidentiality, Customers are not CC'd on core refresh communications between ProcessUnity GRX and the Third Party.
Often, one or more customers will have requested that the Third Party completes the refresh. The GRX will designate in our communications which customers are specifically requesting the refresh to be completed, and which Customers will also receive the updated report, but are not specifically requesting the refresh to be completed.
Customers may be contacted about refreshes in select situations. These communications are done on private emails with the Customer to maintain confidentiality.
Customers may be contacted about refreshes if:
- The Third Party is unresponsive to the GRX's outreach regarding the refresh.
- The Third Party requests to postpone the scheduled refresh.
- The Third Party had declined to complete the refresh or is questioning why the refresh needs to be completed.
- The Third Party's progress on the refresh has stalled.
Comments
0 comments
Article is closed for comments.